Digest authentication ignores changed nonce

From: René Berber via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 24 Nov 2017 20:27:27 -0600

Hi,

libcurl version 7.56.1 (used within collectd).

Communication with a device (solar panel control & monitor) which uses
digest authentication works only the 1st query (queries are made once
every 5 minutes), then fails repeatedly because libcurl is reusing the
(1st received) nonce, and ignoring the new one presented by the device.

Dumping the traffic shows:

Hypertext Transfer Protocol
    GET /api/v1/production/inverters HTTP/1.1\r\n
...

Hypertext Transfer Protocol
    HTTP/1.1 401 Unauthorized\r\n
... expected
    WWW-Authenticate: Digest qop="auth", realm="enphaseenergy.com",
nonce="xkoYWoGvVUmuqWvQLrjs16IX3HI="\r\n
    Content-Type: application/json\r\n
... the library receives the nonce,

Hypertext Transfer Protocol
    GET /api/v1/production/inverters HTTP/1.1\r\n
... and proceeds to use it
    Host: 192.168.10.14\r\n
     [truncated]Authorization: Digest username="envoy",
realm="enphaseenergy.com", nonce="xkoYWoGvVUmuqWvQLrjs16IX3HI=",
uri="/api/v1/production/inverters",
cnonce="Yjc5N2UyYzk3NmM0ODA3Y2IxMzgwMjViNWRlODMyYWE=", nc=00000001,
qop=auth, response
    User-Agent: collectd/5.8.0\r\n
...

Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
... receives the data

... from then on the library uses the same nonce, while the server
... keeps changing it.
Hypertext Transfer Protocol
    GET /api/v1/production/inverters HTTP/1.1\r\n
...
     [truncated]Authorization: Digest username="envoy",
realm="enphaseenergy.com", nonce="xkoYWoGvVUmuqWvQLrjs16IX3HI=",
...

Hypertext Transfer Protocol
    HTTP/1.1 401 Unauthorized\r\n
...
    WWW-Authenticate: Digest qop="auth", realm="enphaseenergy.com",
nonce="F0gYWtOOdFIIG5E1qpHIW+SVuRY="\r\n
...

After it has a nonce the 401 errors do not produce a new attempt;
collectd receives an error, and prints a message to the log.

Just to be clear, the user/password did not change (as in other similar
reports).

A different problem seems to be with libcurl ignoring the
CURLOPT_FRESH_CONNECT and CURLOPT_FORBID_REUSE options, which I tried
as a workaround, and which didn't change anything.

-- 
René Berber
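The client behaviour the report expects, as an added illustration (not libcurl's code and not the poster's): a minimal Digest client state machine that keeps the server's latest nonce, recomputes the response when a 401 carries a different nonce (or stale=true), and only gives up when the same nonce is rejected again. The password, cnonce and the challenge parser are constructed for the example; the realm, username and nonces are the ones in the capture above.

```python
import hashlib
import re


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def parse_challenge(header: str) -> dict:
    """Parse a 'Digest k="v", k=v, ...' WWW-Authenticate value into a dict."""
    scheme, _, params = header.partition(" ")
    assert scheme == "Digest", "constructed example handles Digest only"
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)}


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 7616 MD5 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2).
    nc is the hex request counter (00000001 in the capture)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")


class DigestClient:
    """Tracks the nonce from the last challenge. A 401 that presents a new
    nonce means 'retry with this one', not 'authentication failed'."""

    def __init__(self, user: str, password: str):
        self.user, self.password = user, password
        self.nonce = self.realm = None
        self.nc = 0

    def handle_401(self, www_authenticate: str) -> bool:
        """Return True if the request should be retried with the new challenge."""
        ch = parse_challenge(www_authenticate)
        if ch["nonce"] == self.nonce and ch.get("stale", "").lower() != "true":
            return False  # same nonce rejected again: credentials wrong, do not loop
        self.nonce, self.realm, self.nc = ch["nonce"], ch["realm"], 0
        return True

    def authorization(self, method: str, uri: str, cnonce: str) -> dict:
        """Build the Authorization parameters for the next request."""
        self.nc += 1
        resp = digest_response(self.user, self.password, self.realm, method,
                               uri, self.nonce, self.nc, cnonce)
        return {"nonce": self.nonce, "nc": self.nc, "response": resp}
```

Driving this with the two challenges from the capture shows the response changes with the nonce and the nc counter restarts, which is why a cached first nonce can never satisfy the device again.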
Received on 2017-11-25