curl / Mailing Lists / curl-library / Single Mail


Re: NTLM auth to server when Negotiate is used with a proxy is broken in libcurl 7.51.0

From: Isaac Boukris <>
Date: Wed, 22 Mar 2017 18:43:27 +0200

On Wed, Mar 22, 2017 at 12:25 PM, Marton Legeny
<> wrote:
> Basically what's happening is the following:
> 1) curl sends a HTTP GET to the target, including the first message of the
> NTLM auth
> 2) The proxy replies with 407 and tells the client to use Negotiate to
> authenticate
> 3) curl then includes the Negotiate part and re-sends the first message of
> the NTLM auth
> 4) The proxy lets the connection go through now but the target server
> replies with 401 and includes the second message of the NTLM auth
> 5) curl then includes the final, third message of the NTLM auth _but doesn't
> include the Negotiate part_ for some reason - this part is also added when
> using libcurl 7.35.0

I think it might be the below commit:

You may try to revert it for testing, but I think that commit is
correct because we should not resend the same header twice as the
server would drop it to prevent replay attacks (although replay cache
is sometimes disabled on servers for performance).
Also, can you check if the old libcurl was sending the exact same header?

A possible fix would be to make sure to re-generate a new token for
each request (but only for krb5).
Received on 2017-03-22