curl-library
Re: NTLM auth to server when Negotiate is used with a proxy is broken in libcurl 7.51.0
Date: Thu, 23 Mar 2017 08:16:09 +0000
Hi Isaac,
Thanks for your explanation - however, I don't think that fix can be
generically applied to _all_ proxy settings.
For instance, I'm using zScaler that requires authentication for each
"session" (request-response pair). In that case, adding the Negotiate
header for each request is a must.
I agree that re-generating the Kerberos token for each request would solve
this - and/or there could be a new parameter added to curl, making it
possible for the end user to make curl re-send the previously used header
(which won't be a problem in case the proxy does not have the replay cache
enabled).
Thanks, Marton
On 22 March 2017 at 16:43, Isaac Boukris <iboukris_at_gmail.com> wrote:
> On Wed, Mar 22, 2017 at 12:25 PM, Marton Legeny
> <marton.legeny_at_actual-experience.com> wrote:
> > Basically what's happening is the following:
> >
> > 1) curl sends a HTTP GET to the target, including the first message of the NTLM auth
> > 2) The proxy replies with 407 and tells the client to use Negotiate to authenticate
> > 3) curl then includes the Negotiate part and re-sends the first message of the NTLM auth
> > 4) The proxy lets the connection go through now but the target server replies with 401 and includes the second message of the NTLM auth
> > 5) curl then includes the final, third message of the NTLM auth _but doesn't include the Negotiate part_ for some reason - this part is also added when using libcurl 7.35.0
>
> I think it might be the below commit:
> https://github.com/curl/curl/commit/87c4abb611c2b7038edc27c08b001d577eb14bd9
>
> You may try to revert it for testing, but I think that commit is
> correct because we should not resend the same header twice as the
> server would drop it to prevent replay attacks (although replay cache
> is sometimes disabled on servers for performance).
> Also, can you check if the old libcurl was sending the exact same header?
>
> A possible fix would be to make sure to re-generate a new token for
> each request (but only for krb5).
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
>
-- Marton Legeny, Software Tester, Actual Experience
Received on 2017-03-23
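
The request sequence discussed in this thread, as an added example (not code from curl or from either poster): a Python check over a constructed `curl -v`-style trace that flags requests sent without `Proxy-Authorization: Negotiate` after the proxy has asked for it, and requests that re-send a token already used. The host name and the token strings are placeholders.

```python
import re

# Constructed trace in `curl -v` style: "> " lines are sent, "< " lines received.
# target.example, TYPE1..3 and TOKEN_A are placeholders, not captured data.
TRACE = """\
> GET http://target.example/ HTTP/1.1
> Authorization: NTLM TYPE1
>
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: Negotiate
<
> GET http://target.example/ HTTP/1.1
> Proxy-Authorization: Negotiate TOKEN_A
> Authorization: NTLM TYPE1
>
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: NTLM TYPE2
<
> GET http://target.example/ HTTP/1.1
> Authorization: NTLM TYPE3
>
"""

REQUEST_LINE = re.compile(r"^> [A-Z]+ \S+ HTTP/\d")
NEGOTIATE = re.compile(r"^> Proxy-Authorization:\s*Negotiate\s+(\S+)", re.I)
CHALLENGE = re.compile(r"^< Proxy-Authenticate:\s*Negotiate\b", re.I)

def audit(trace):
    """Return (request_number, finding) pairs: 'missing' or 'replayed'."""
    requests, required = [], False
    for line in trace.splitlines():
        if CHALLENGE.match(line):
            required = True  # proxy has demanded Negotiate from here on
        elif REQUEST_LINE.match(line):
            requests.append({"required": required, "token": None})
        elif requests and (m := NEGOTIATE.match(line)):
            requests[-1]["token"] = m.group(1)
    findings, seen = [], set()
    for number, req in enumerate(requests, start=1):
        if req["token"] is None:
            if req["required"]:
                findings.append((number, "missing"))   # step 5 in the report
        elif req["token"] in seen:
            findings.append((number, "replayed"))      # a replay cache would reject this
        else:
            seen.add(req["token"])
    return findings
```
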