Recently (after the pipelining changes were pushed to git) a couple of server authentication tests started failing for me when testing through an HTTP proxy (Privoxy).
Connections on which the challenge arrived weren't reused to send the credentials, causing the test to loop until reaching the max-client-connections limit on the proxy.

An excerpt from test67 (the first failing test) after adding a couple of additional debug messages:

13:07:56.161373 == Info: Connection #0 to host 10.0.0.1 left intact
13:07:56.161404 == Info: Issue another request to this URL: 'http://10.0.0.1:8990/67'
13:07:56.161431 == Info: STATE: PERFORM => CONNECT handle 0x801c7b088; line 1526 (connection #-5000)
13:07:56.161604 == Info: Found bundle for host 10.0.0.1: 0x801c7a468
13:07:56.161626 == Info: Checking proxy bits
13:07:56.161640 == Info: Connection match
13:07:56.161653 == Info: we wantNTLM
13:07:56.161667 == Info: Not forcing reuse
13:07:56.161796 == Info: About to connect() to proxy 10.0.0.1 port 8118 (#1)
13:07:56.161894 == Info: Trying 10.0.0.1...
13:07:56.162096 == Info: Adding handle: conn: 0x801cd5d08
13:07:56.162116 == Info: Adding handle: send: 0
13:07:56.162132 == Info: Adding handle: recv: 0
13:07:56.162161 == Info: Curl_addHandleToPipeline: length: 1
13:07:56.162178 == Info: 0x801c3f008 is at send pipe head
13:07:56.162200 == Info: - Conn 0 (0x801cd5608) send_pipe: 0, recv_pipe: 0
13:07:56.162220 == Info: - Conn 1 (0x801cd5d08) send_pipe: 1, recv_pipe: 0
13:07:56.162241 == Info: STATE: CONNECT => WAITCONNECT handle 0x801c7b088; line 1048 (connection #1)
13:07:56.162277 == Info: Connected to 10.0.0.1 (10.0.0.1) port 8118 (#1)
13:07:56.162317 == Info: STATE: WAITCONNECT => DO handle 0x801c7b088; line 1167 (connection #1)
13:07:56.162459 == Info: Server auth using NTLM with user 'testuser'
13:07:56.162795 => Send header, 205 bytes (0xcd)

While the correct proxy connection is considered, it isn't reused as credentialsMatch is only set for direct connections.
The attached patch moves the check out of the "no proxy" block and gets most of the tests I'm expecting to work through a proxy working again, namely:

67 68 89 156 159 267 1100 2025 2026 2028 2029 2030 2031

In my opinion the fact that the credentials previously were sent on a new connection (instead of restarting the authentication dance from scratch) could be considered another bug, but the attached patch obviously doesn't address this.

Fabian
From 041059e6367964c7114ced420adb37a6fcbab345 Mon Sep 17 00:00:00 2001 From: Fabian Keil <[email protected]> Date: Fri, 29 Mar 2013 13:18:40 +0100 Subject: [PATCH] Let ConnectionExists() mark credential matches for proxied connections as well Previously it only compared credentials if the requested needle connection wasn't using a proxy. This caused NTLM authentication failures when using proxies as the authentication code wasn't send on the connection where the challenge arrived. --- lib/url.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/lib/url.c b/lib/url.c index 8c8f8b0..6a90930 100644 --- a/lib/url.c +++ b/lib/url.c @@ -2977,6 +2977,18 @@ ConnectionExists(struct SessionHandle *data, continue; } + if((needle->handler->protocol & CURLPROTO_FTP) || + ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) { + /* This is FTP or HTTP+NTLM, verify that we're using the same name + and password as well */ + if(!strequal(needle->user, check->user) || + !strequal(needle->passwd, check->passwd)) { + /* one of them was different */ + continue; + } + credentialsMatch = TRUE; + } + if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL || (needle->bits.httpproxy && check->bits.httpproxy && needle->bits.tunnel_proxy && check->bits.tunnel_proxy && @@ -3010,17 +3022,6 @@ ConnectionExists(struct SessionHandle *data, continue; } } - if((needle->handler->protocol & CURLPROTO_FTP) || - ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) { - /* This is FTP or HTTP+NTLM, verify that we're using the same name - and password as well */ - if(!strequal(needle->user, check->user) || - !strequal(needle->passwd, check->passwd)) { - /* one of them was different */ - continue; - } - credentialsMatch = TRUE; - } match = TRUE; } } -- 1.8.1.5
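Review bot: In the first hunk (@@ -2977), credentialsMatch = TRUE is now set before the "if(!needle->bits.httpproxy || ..." comparison block, and that block still contains continue paths, so a candidate can be rejected after the flag has already been set. Please confirm that credentialsMatch is reset for every candidate connection, or is only read when match is TRUE; otherwise a stale TRUE from a rejected candidate could carry over to a later one that never passed the user/passwd comparison. Separately, if strequal compares case-insensitively, a passwd that differs only in case would be accepted for reuse here, and an exact comparison would be the safer choice for that field.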
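Review bot: In the second hunk (@@ -3010), once the block is removed nothing next to "match = TRUE;" shows that user and passwd were compared, so the match now depends on a check that sits above the proxy/SSL branch. A one-line comment at "match = TRUE;" saying that credentials were already verified earlier in the loop would make it harder for a later reorder to drop the comparison. The diffstat shows only lib/url.c changed; a test case that runs server NTLM authentication through an HTTP proxy would keep this from regressing.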
------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
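NTLM authenticates a connection rather than a single request, so the symptom described in the post shows up in a verbose trace as an authentication retry that opens a new connection number. The following is an added example, not part of the original post or of curl: a small trace checker whose function name and regular expressions are assumptions, run over lines taken from the excerpt above and over a constructed trace in which the connection is reused.

```python
import re

# Patterns for curl verbose "Info:" lines; the first three appear in the post's excerpt.
LEFT_INTACT = re.compile(r"Connection #(\d+) to host \S+ left intact")
RETRY = re.compile(r"Issue another request to this URL")
NEW_CONN = re.compile(r"About to connect\(\) to (?:proxy )?\S+ port \d+ \(#(\d+)\)")
REUSED = re.compile(r"Re-using existing connection! \(#(\d+)\)")


def retries_on_new_connection(trace):
    """Return (challenged_conn, new_conn) for each retry that opened a new connection."""
    findings = []
    last_intact = None   # connection the previous response arrived on
    pending = None       # set while a retry is waiting for its connection
    for line in trace.splitlines():
        m = LEFT_INTACT.search(line)
        if m:
            last_intact = int(m.group(1))
            continue
        if RETRY.search(line):
            pending = last_intact
            continue
        if pending is None:
            continue
        m = NEW_CONN.search(line)
        if m:
            findings.append((pending, int(m.group(1))))
            pending = None
        elif REUSED.search(line):
            pending = None   # retry stayed on an existing connection
    return findings


# Lines copied from the excerpt in the post.
POST_EXCERPT = """\
13:07:56.161373 == Info: Connection #0 to host 10.0.0.1 left intact
13:07:56.161404 == Info: Issue another request to this URL: 'http://10.0.0.1:8990/67'
13:07:56.161667 == Info: Not forcing reuse
13:07:56.161796 == Info: About to connect() to proxy 10.0.0.1 port 8118 (#1)
13:07:56.162459 == Info: Server auth using NTLM with user 'testuser'
"""

# Constructed trace (not from the post) in which the retry reuses connection #0.
REUSE_TRACE = """\
13:07:56.161373 == Info: Connection #0 to host 10.0.0.1 left intact
13:07:56.161404 == Info: Issue another request to this URL: 'http://10.0.0.1:8990/67'
13:07:56.161700 == Info: Re-using existing connection! (#0) with host 10.0.0.1
"""

if __name__ == "__main__":
    print(retries_on_new_connection(POST_EXCERPT))
    print(retries_on_new_connection(REUSE_TRACE))
```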
