Re: SASL LOGIN mechanism

[Patrick Monnerat]

On 02/14/2018 09:04 PM, Ray Satiro wrote:



Obviously the server does not require the password because the client
certificate authentication takes precedence; the AUTH command is
however needed before being able to use other commands. This looks
like a deviance from the description
(https://tools.ietf.org/html/draft-murchison-sasl-login-00), that has
been written "a posteriori" (probably by reverse engineering) and has
not become a standard. This document does not describe the case when
the password is not needed.

Interesting. If it's EXTERNAL then aren't you already logged in?
No, you're not. Servers that allow EXTERNAL should receive an explicit 
AUTH EXTERNAL command to be logged in.
This server does not support EXTERNAL, but behaves as such with other 
authentication methods (this is quite clever since many clients do not 
support EXTERNAL).
Where is LOGIN prioritized over PLAIN and is there any effect of that 
on this issue?


Priority is determined by the order of "else if" blocks starting at 
https://github.com/curl/curl/blob/43a50a2580db2bfb28483a96964ae27b584472da/lib/curl_sasl.c#L292. 
The only effect would be PLAIN will be chosen by curl instead of LOGIN 
if both are supported by the server. This does not impact the "no LOGIN 
password" problem, but will avoid using LOGIN if PLAIN is available.

---
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html

Re: SASL LOGIN mechanism

[Ray Satiro]

On 2/13/2018 7:48 PM, Patrick Monnerat wrote:
> I've recently been facing a special case: a pop3 server (dovecot) with
> a TLS-upgraded connection and client certificate does not require the
> password when the LOGIN authentication mechanism is used, effectively
> behaving as if it was an EXTERNAL authentication.
>
> > AUTH LOGIN
> < + VXNlcm5hbWU6
> > dXNlcg==
> < +OK Logged in.
>
> Obviously the server does not require the password because the client
> certificate authentication takes precedence; the AUTH command is
> however needed before being able to use other commands. This looks
> like a deviance from the description
> (https://tools.ietf.org/html/draft-murchison-sasl-login-00), that has
> been written "a posteriori" (probably by reverse engineering) and has
> not become a standard. This document does not describe the case when
> the password is not needed.

Interesting. If it's EXTERNAL then aren't you already logged in? I'd ask
dovecot team if that's what they intended.

>
> Currently, curl stops with CURLE_LOGIN_DENIED, treating the positive
> response as bad because a continuation is unconditionally expected.
>
> Should we support this ? If yes, the fix is ready.
>
>
> In addition I would set the LOGIN mechanism a lower priority than the
> PLAIN one, as advised in the document mentioned above.
>
> OK for these changes ? 

Where is LOGIN prioritized over PLAIN and is there any effect of that on
this issue?


---
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html

Re: Callback for socket options in curl + c-ares

[Francisco Sedano Crippa (fsedanoc)]

Hi folks,
I went ahead and created a patch to provide a new libcurl CB, that will be 
called just before a new resolver is called, and the resolver data (channel in 
case of cares) is passed. This solves the problem perfectly for my use case.
 
Initially I thought about just adding a new easy_getinfo option to retrieve it, 
but since libcurl can create easy_handles on it's own, I feel this callback 
approach is a safer option.

Are you guys OK with that approach? If that's ok I can send the pull request 
for review.

Thanks,

. .:|:.:|:. Francisco Sedano  | CCIE 14859, Tech Lead Software Engineering | 
CSG Enterprise Access and Services Group (EASG)
 
On 14.02.18, 00:54, "curl-library on behalf of Francisco Sedano Crippa 
(fsedanoc)"  
wrote:

Hello Daniel,

I feel it would be useful in some other cases - for example dealing with 
multi-vrf sockets, currently you can bind the libcurl socket to any vrf you 
want, but no way to do that with the underlying c-ares.

Wouldn't be enough to provide access to the c-ares channel (which is in 
curl_easy->state.resolver if I'm not wrong)? Once I create my easy socket and 
the c-ares channel is created, I could just use 
ares_set_socket_configure_callback on the channel and I'd be done. Anything 
else I'm missing?

Thanks,


. .:|:.:|:. Francisco Sedano  | CCIE 14859, Tech Lead Software Engineering 
| CSG Enterprise Access and Services Group (EASG)
 
On 13.02.18, 23:49, "curl-library on behalf of Daniel Stenberg" 
 wrote:

On Tue, 13 Feb 2018, Francisco Sedano Crippa (fsedanoc) wrote:

> Ideally I’d like to setup a callback with 
> ares_set_socket_configure_callback(), but in order to do so, I need 
access 
> to internal libcurl c-ares channel, which is embedded in the 
Curl_easy 
> structure.
>
> Is there any way to access such c-ares channel so I can properly 
intercept 
> c-ares socket usage, like we can do with CURLOPT_OPENSOCKETFUNCTION 
in 
> libcurl?

No, that's something we've not felt the need for before... I can't 
think of 
any other way to offer such a feature than to add a special and 
dedicated "set 
socket options" callback for c-ares or perhaps rather for "the resolver 
back-end". (There's work ongoing in making the resolver back-end 
totally 
pluggable which then possibly also appreciate such an ability.)

-- 

  / daniel.haxx.se


---
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html


---
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html

Re: SFTP error when using proxy with curl

[Dan Fandrich]

On Wed, Feb 14, 2018 at 05:24:11PM +0530, Nazeem Shereef wrote:
> I can connect to sftp server through the same proxy using SFTP command. So the
> issue is not with the proxy server.
> 
> It is a socks proxy and if I use an HTTPS proxy I can connect to the sftp
> server via curl. So does this means curl won't support SOCKS proxy?

curl supports many variants of SOCKS proxies for most protocols, but the logs
show that you've specified an HTTP proxy. There are different options to
specify SOCKS.

>>> Dan
---
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html

Re: SFTP error when using proxy with curl

[Nazeem Shereef]

I can connect to sftp server through the same proxy using SFTP command. So
the issue is not with the proxy server.

It is a socks proxy and if I use an HTTPS proxy I can connect to the sftp
server via curl. So does this means curl won't support SOCKS proxy?

On 14 Feb 2018 3:31 pm, "Daniel Stenberg"  wrote:

On Wed, 14 Feb 2018, Nazeem Shereef wrote:

CONNECT my-ftp-server.tld:22 HTTP/1.1
>>
>
* Proxy CONNECT aborted
>

Your proxy didn't allow you to do a CONNECT to that server on that port.


-- 

 / daniel.haxx.se
---
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
---
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html

Re: SFTP error when using proxy with curl

[Daniel Stenberg]

On Wed, 14 Feb 2018, Nazeem Shereef wrote:


CONNECT my-ftp-server.tld:22 HTTP/1.1



* Proxy CONNECT aborted


Your proxy didn't allow you to do a CONNECT to that server on that port.

--

 / daniel.haxx.se
---
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html

Re: SFTP error when using proxy with curl

[Nazeem Shereef]

Compiled the latest version 7.58.0 and now different error. please advice.



# ./curl -V

curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.0.1e zlib/1.2.3
libssh2/1.8.0

Release-Date: 2018-01-24

Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp
scp sftp smb smbs smtp smtps telnet tftp

Features: AsynchDNS Largefile NTLM NTLM_WB SSL libz UnixSockets HTTPS-proxy





# curl  -vvv -x my-socks-proxy.tld:1080 sftp://my-ftp-server.tld/ -u
ftp-userEnter host password for user 'ftp-user':

* Trying 10.10.10.51...

* TCP_NODELAY set

* Connected to my-socks-proxy.tld (10.10.10.51) port 1080 (#0)

* allocate connect buffer!

* Establish HTTP proxy tunnel to my-ftp-server.tld:22

* Server auth using Basic with user 'ftp-user'

> CONNECT my-ftp-server.tld:22 HTTP/1.1

> Host: my-ftp-server.tld:22

> User-Agent: curl/7.58.0

> Proxy-Connection: Keep-Alive

>

* Proxy CONNECT aborted

* CONNECT phase completed!

* Connection #0 to host my-socks-proxy.tld left intact

On 14 Feb 2018 1:32 pm, "Daniel Stenberg"  wrote:

On Wed, 14 Feb 2018, Nazeem Shereef wrote:

Installed latest curl available for RHEL6(curl-7.31.0-23.2.x86_64) but it
> doesn't have sftp support
>

You need a "libssh2-dev" package (or a name similar to that) to build curl
with libssh2 support.

But note that curl 7.31.0 is also old (approaching 5 years). I would rather
suggest you build from a release tarball instead.


-- 

 / daniel.haxx.se
---
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
---
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html

Re: SFTP error when using proxy with curl

[Kamil Dudka]

On Wednesday, February 14, 2018 8:48:50 AM CET Nazeem Shereef wrote:
> Installed latest curl available for RHEL6(curl-7.31.0-23.2.x86_64)

Available where?

You do not seem to be using any packages provided by Red Hat, neither
the upstream distribution of curl.  I am afraid you are out of support
here.

Kamil
---
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html

Re: SFTP error when using proxy with curl

[Daniel Stenberg]

On Wed, 14 Feb 2018, Nazeem Shereef wrote:

Installed latest curl available for RHEL6(curl-7.31.0-23.2.x86_64) but it 
doesn't have sftp support


You need a "libssh2-dev" package (or a name similar to that) to build curl 
with libssh2 support.


But note that curl 7.31.0 is also old (approaching 5 years). I would rather 
suggest you build from a release tarball instead.


--

 / daniel.haxx.se
---
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html