curl / Mailing Lists / curl-library / Single Mail


Re: NTLM auth to server when Negotiate is used with a proxy is broken in libcurl 7.51.0

From: Isaac Boukris <>
Date: Wed, 5 Apr 2017 19:37:20 +0300

Hi Marton,

(please avoid top-posting, it makes it hard to follow - see etiquette
link below)

On Thu, Mar 23, 2017 at 11:16 AM, Marton Legeny
<> wrote:
> Hi Isaac,
> Thanks for your explanation - however, I don't think that fix can be
> generically applied to _all_ proxy settings.
> For instance, I'm using zScaler that requires authentication for each
> "session" (request-response pair). In that case, adding the Negotiate header
> for each request is a must.

Yes, but not the same header as that would be incorrect.

> I agree that re-generating the Kerberos token for each request would solve
> this - and/or there could be a new parameter added to curl, making it
> possible to the end user to make curl re-send the previously used header,
> which won't be a problem in case the proxy does not have the replay cache
> enabled).

The way the code currently handles Negotiate doesn't make it easy to
regenerate the header on each request, since we actually generate it
upon receiving 401 response.
You can read more about it, at the following link (the patch suggested
there isn't good-enough however):

We could also consider to cache the old server-authorization header,
so in case we get 407 we resend it because we can assume it was not
consumed by the target server (I wonder how browsers behave in that

Received on 2017-04-05