curl / Mailing Lists / curl-library / Single Mail


Re: NTLM auth to server when Negotiate is used with a proxy is broken in libcurl 7.51.0

From: Marton Legeny <>
Date: Thu, 23 Mar 2017 08:16:09 +0000

Hi Isaac,

Thanks for your explanation - however, I don't think that fix can be
generically applied to _all_ proxy settings.
For instance, I'm using zScaler that requires authentication for each
"session" (request-response pair). In that case, adding the Negotiate
header for each request is a must.
I agree that re-generating the Kerberos token for each request would solve
this - and/or there could be a new parameter added to curl, making it
possible to the end user to make curl re-send the previously used header,
which won't be a problem in case the proxy does not have the replay cache

Thanks, Marton

On 22 March 2017 at 16:43, Isaac Boukris <> wrote:

> On Wed, Mar 22, 2017 at 12:25 PM, Marton Legeny
> <> wrote:
> > Basically what's happening is the following:
> >
> > 1) curl sends a HTTP GET to the target, including the first message of
> the
> > NTLM auth
> > 2) The proxy replies with 407 and tells the client to use Negotiate to
> > authenticate
> > 3) curl then includes the Negotiate part and re-sends the first message
> of
> > the NTLM auth
> > 4) The proxy lets the connection go through now but the target server
> > replies with 401 and includes the second message of the NTLM auth
> > 5) curl then includes the final, third message of the NTLM auth _but
> doesn't
> > include the Negotiate part_ for some reason - this part is also added
> when
> > using libcurl 7.35.0
> I think it might be the below commit:
> 577eb14bd9
> You may try to revert it for testing, but I think that commit is
> correct because we should not resend the same header twice as the
> server would drop it to prevent replay attacks (although replay cache
> is sometimes disabled on servers for performance).
> Also, can you check if the old libcurl was sending the exact same header?
> A possible fix would be to make sure to re-generate a new token for
> each request (but only for krb5).
> -------------------------------------------------------------------
> Unsubscribe:
> Etiquette:

Software Tester
*Actual Experience*
Bath, UK
HQ +44 1225 585 868 | @actualwork <> |
LinkedIn <> | Facebook
Registered Office: Actual Experience plc
Quay House, The Ambury, Bath BA1 1UA,
Registered No. 06838738, VAT No. 971 9696 56
The information transmitted is intended only for the person or entity to 
which it is addressed and may contain confidential and/or privileged 
material. Any review, retransmission, dissemination or other use of, or 
taking of any action in reliance upon, this information by persons or 
entities other than the intended recipient is prohibited. If you received 
this in error, please contact the sender and delete the material from any 
computer. Although we routinely screen for viruses, addressees should check 
this e-mail and any attachment for viruses. We make no warranty as to 
absence of viruses in this e-mail or any attachments.

Received on 2017-03-23