Bugs item #3538625, was opened at 2012-06-28 02:31
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3538625&group_id=976
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: wrong behaviour
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Marcel Raad (marcelraad)
Assigned to: Daniel Stenberg (bagder)
Summary: NTLM proxy authentication broken?
Initial Comment:
I use a proxy server that requires NTLM authentication (Microsoft Forefront Threat Management Gateway) and the cURL easy interface with the CONNECT method. CURLOPT_CONNECT_ONLY and CURLOPT_HTTPPROXYTUNNEL are set to true. I only allow NTLM and plain authentication in my code. Until libcurl 7.24.0, NTLM authentication with SSPI was working correctly.
Since commit 41b02378342322aa8e264260057502f4d7493239 ("CONNECT: made generically not per-protocol", libcurl 7.25.0), the proxy always returns "407 Proxy Authentication required". When I use plain authentication, the connection works.
I have the following options set in my libcurl build:
USE_WINDOWS_SSPI
CURL_STATICLIB
HTTP_ONLY
CURL_DISABLE_COOKIES
CURL_DISABLE_IMAP
CURL_DISABLE_POP3
CURL_DISABLE_SMTP
CURL_DISABLE_GOPHER
----------------------------------------------------------------------
>Comment By: Daniel Stenberg (bagder)
Date: 2012-06-28 08:05
Message:
That sounds like a plausible reason. Can you try adding it back in your
version and see if it fixes the problem? I personally can't try it out...
----------------------------------------------------------------------
Comment By: Marcel Raad (marcelraad)
Date: 2012-06-28 02:48
Message:
The problem seems to be that the TCP connection is not being reused
anymore. Prior to this revision, the two CONNECT requests with NTLM
information were sent on the same TCP connection. Now they are sent on
seperate TCP connections.
Perhaps the problem is that "conn->bits.close = FALSE" was set before the
proxy authentication when the Curl_proxyCONNECT call was in
Curl_http_connect, which is now missing in Curl_protocol_connect?
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3538625&group_id=976
Received on 2012-06-28