curl-library
NTLM auth to server when Negotiate is used with a proxy is broken in libcurl 7.51.0
Date: Wed, 22 Mar 2017 10:25:12 +0000
Hi,
I've noticed that curl is "spinning" (see my explanation later in my mail)
when:
1) NTLM auth is used for the target server and
2) Negotiate (Kerberos) auth is used on the HTTP proxy.
The command I use is the following:
curl -k -v --proxy-negotiate --ntlm -u AH\\oliver -x
gateway.zscloud.net:8800
http://actual-experience.mysharepointonline.com/Shared%20Documents/ActualExperienceTargetContent.htm
Which works nicely with libcurl 7.35.0 on Ubuntu 14.04:
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8
libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz
TLS-SRP
Linux st-ub-1404-04 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13
01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
But it doesn't work on MacOS Sierra with libcurl 7.51.0:
curl 7.51.0 (x86_64-apple-darwin16.0) libcurl/7.51.0 SecureTransport
zlib/1.2.8
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL
libz UnixSockets
Basically what's happening is the following:
1) curl sends a HTTP GET to the target, including the first message of the
NTLM auth
2) The proxy replies with 407 and tells the client to use Negotiate to
authenticate
3) curl then includes the Negotiate part and re-sends the first message of
the NTLM auth
4) The proxy lets the connection go through now but the target server
replies with 401 and includes the second message of the NTLM auth
5) curl then includes the final, third message of the NTLM auth _but
doesn't include the Negotiate part_ for some reason - this part is also
added when using libcurl 7.35.0
6) The proxy replies with 407 because of the missing Negotiate part
7) curl then includes the Negotiate part but _doesn't include the NTLM part_
8) The proxy lets the connection go through but the target server replies
with 401 because of the missing NTLM part and tells the client to
authenticate using NTLM
9) And, because of that, the whole procedure, from step 1) to 8) repeats
itself, until it reaches the limit of 50 redirects:
* Maximum (50) redirects followed
curl: (47) Maximum (50) redirects followed
I'm pretty sure this bug was introduced between libcurl 7.35.0 and 7.51.0,
can you please look into this?
Thanks,
Marton
-- *MARTON LEGENY* Software Tester *Actual Experience* Bath, UK HQ +44 1225 585 868 www.actual-experience.com | @actualwork <https://twitter.com/actualwork> | LinkedIn <https://www.linkedin.com/company/actual-experience-ltd> | Facebook <https://www.facebook.com/ActualCrowd%20> -- Registered Office: Actual Experience plc Quay House, The Ambury, Bath BA1 1UA, Registered No. 06838738, VAT No. 971 9696 56 The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. Although we routinely screen for viruses, addressees should check this e-mail and any attachment for viruses. We make no warranty as to absence of viruses in this e-mail or any attachments.
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-03-22