Download
Browse source Changelog
Documentation
Project   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Book: Everything curl Report a bug Mail Etiquette
Development
Autobuilds Code Style Contribute Internals Release Notes Release Procedure Roadmap Run Tests Security Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: Digest authentication ignores changed nonce

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 1 Dec 2017 03:17:42 -0500

On 11/24/2017 9:27 PM, René Berber via curl-library wrote:
> lib curl version 7.56.1 (used within collectd).
>
> Communication with a device (solar panel control & monitor) which uses
> digest authentication works only the 1st query (queries are made once
> every 5 minutes), then fails repeatedly because libcurl is reusing the
> (1st received) nonce, and ignoring the new one presented by the device.
>
> Dumping the traffic shows:
>
> Hypertext Transfer Protocol
> GET /api/v1/production/inverters HTTP/1.1\r\n
> ...
>
> Hypertext Transfer Protocol
> HTTP/1.1 401 Unauthorized\r\n
> ... expected
> WWW-Authenticate: Digest qop="auth", realm="enphaseenergy.com",
> nonce="xkoYWoGvVUmuqWvQLrjs16IX3HI="\r\n
> Content-Type: application/json\r\n
> ... the library receives the nonce,
>
> Hypertext Transfer Protocol
> GET /api/v1/production/inverters HTTP/1.1\r\n
> ... and proceeds to use it
> Host: 192.168.10.14\r\n
> [truncated]Authorization: Digest username="envoy",
> realm="enphaseenergy.com", nonce="xkoYWoGvVUmuqWvQLrjs16IX3HI=",
> uri="/api/v1/production/inverters",
> cnonce="Yjc5N2UyYzk3NmM0ODA3Y2IxMzgwMjViNWRlODMyYWE=", nc=00000001,
> qop=auth, response
> User-Agent: collectd/5.8.0\r\n
> ...
>
> Hypertext Transfer Protocol
> HTTP/1.1 200 OK\r\n
> ... receives the data
>
> ... from then on the library uses the same nonce, while the server
> ... keeps changing it.
> Hypertext Transfer Protocol
> GET /api/v1/production/inverters HTTP/1.1\r\n
> ...
> [truncated]Authorization: Digest username="envoy",
> realm="enphaseenergy.com", nonce="xkoYWoGvVUmuqWvQLrjs16IX3HI=",
> ...
>
> Hypertext Transfer Protocol
> HTTP/1.1 401 Unauthorized\r\n
> ...
> WWW-Authenticate: Digest qop="auth", realm="enphaseenergy.com",
> nonce="F0gYWtOOdFIIG5E1qpHIW+SVuRY="\r\n
> ...
>
> After it has a nonce the 401 errors do not produce a new attempt;
> collectd receives an error, and prints a message to the log.
>
> Just to be clear, the user/password did not change (as in other similar
> reports).
>
> A different problem seems to be with libcurl ignoring the
> CURLOPT_FRESH_CONNECT, and CURLOPT_FORBID_REUSE options, which I tried
> as a work around, and didn't change anything.

Can you file a report at https://github.com/curl/curl/issues/new and if
possible give us a way to reproduce what you are describing. Please be
sure to include the curl_version()

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-12-01