curl-library

Re: Digest authentication ignores changed nonce

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 1 Dec 2017 03:17:42 -0500

On 11/24/2017 9:27 PM, René Berber via curl-library wrote:
> lib curl version 7.56.1 (used within collectd).
>
> Communication with a device (solar panel control & monitor) which uses
> digest authentication works only the 1st query (queries are made once
> every 5 minutes), then fails repeatedly because libcurl is reusing the
> (1st received) nonce, and ignoring the new one presented by the device.
>
> Dumping the traffic shows:
>
> Hypertext Transfer Protocol
> GET /api/v1/production/inverters HTTP/1.1\r\n
> ...
>
> Hypertext Transfer Protocol
> HTTP/1.1 401 Unauthorized\r\n
> ... expected
> WWW-Authenticate: Digest qop="auth", realm="enphaseenergy.com",
> nonce="xkoYWoGvVUmuqWvQLrjs16IX3HI="\r\n
> Content-Type: application/json\r\n
> ... the library receives the nonce,
>
> Hypertext Transfer Protocol
> GET /api/v1/production/inverters HTTP/1.1\r\n
> ... and proceeds to use it
> Host: 192.168.10.14\r\n
> [truncated]Authorization: Digest username="envoy",
> realm="enphaseenergy.com", nonce="xkoYWoGvVUmuqWvQLrjs16IX3HI=",
> uri="/api/v1/production/inverters",
> cnonce="Yjc5N2UyYzk3NmM0ODA3Y2IxMzgwMjViNWRlODMyYWE=", nc=00000001,
> qop=auth, response
> User-Agent: collectd/5.8.0\r\n
> ...
>
> Hypertext Transfer Protocol
> HTTP/1.1 200 OK\r\n
> ... receives the data
>
> ... from then on the library uses the same nonce, while the server
> ... keeps changing it.
> Hypertext Transfer Protocol
> GET /api/v1/production/inverters HTTP/1.1\r\n
> ...
> [truncated]Authorization: Digest username="envoy",
> realm="enphaseenergy.com", nonce="xkoYWoGvVUmuqWvQLrjs16IX3HI=",
> ...
>
> Hypertext Transfer Protocol
> HTTP/1.1 401 Unauthorized\r\n
> ...
> WWW-Authenticate: Digest qop="auth", realm="enphaseenergy.com",
> nonce="F0gYWtOOdFIIG5E1qpHIW+SVuRY="\r\n
> ...
>
> After it has a nonce the 401 errors do not produce a new attempt;
> collectd receives an error, and prints a message to the log.
>
> Just to be clear, the user/password did not change (as in other similar
> reports).
>
> A different problem seems to be with libcurl ignoring the
> CURLOPT_FRESH_CONNECT, and CURLOPT_FORBID_REUSE options, which I tried
> as a workaround, and didn't change anything.

Can you file a report at https://github.com/curl/curl/issues/new and if
possible give us a way to reproduce what you are describing? Please be
sure to include the curl_version().

Received on 2017-12-01
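
A reproduction aid for the behaviour reported above, as an added example that is not part of the original mail or of curl: a small Python test server that, like the device in the capture, sends a new nonce with every 401. It assumes the device accepts each nonce for one request only; the realm, credentials, port and function names are constructed for the example.

```python
import base64, hashlib, hmac, os, re
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM, USER, PASSWORD = "test-realm", "user", "secret"  # constructed values
valid_nonces = set()  # nonces issued by this server and not yet used

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def expected_response(method, uri, nonce, nc, cnonce):
    """Digest response for qop=auth with MD5 (RFC 2617, section 3.2.2.1)."""
    ha1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def new_nonce():
    nonce = base64.b64encode(os.urandom(20)).decode()
    valid_nonces.add(nonce)
    return nonce

def check_authorization(method, header):
    """True only if the header carries an unused nonce and a matching response."""
    if not header or not header.startswith("Digest "):
        return False
    f = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', header)}
    needed = ("nonce", "uri", "nc", "cnonce", "response")
    if any(k not in f for k in needed) or f["nonce"] not in valid_nonces:
        return False
    valid_nonces.discard(f["nonce"])  # assumption: a nonce is good for one request
    want = expected_response(method, f["uri"], f["nonce"], f["nc"], f["cnonce"])
    return hmac.compare_digest(want.encode(), f["response"].encode())

class Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # the capture shows HTTP/1.1 responses
    def do_GET(self):
        ok = check_authorization("GET", self.headers.get("Authorization"))
        body = b'{"ok": true}\n' if ok else b'{"error": "unauthorized"}\n'
        self.send_response(200 if ok else 401)
        if not ok:  # every rejection carries a fresh nonce, as in the capture
            self.send_header("WWW-Authenticate",
                             f'Digest qop="auth", realm="{REALM}", nonce="{new_nonce()}"')
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

A client that reuses one libcurl easy handle with `CURLOPT_HTTPAUTH` set to `CURLAUTH_DIGEST` and repeats the GET against this server exercises the case described in the report; a client that picks up the nonce from each 401 and retries gets a 200.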