digest authentication with sspi does not increment "nc-field" #870

Closed
aroth-arsoft opened this issue Jun 10, 2016 · 14 comments

@aroth-arsoft

I run the following command line:
curl -v --digest http://user1:user1@test.webdav.org/auth-digest/ http://user1:user1@test.webdav.org/auth-digest/

Here's the output:

*   Trying 140.211.166.111...
* Connected to test.webdav.org (140.211.166.111) port 80 (#0)
* Server auth using Digest with user 'user1'
> GET /auth-digest/ HTTP/1.1
> Host: test.webdav.org
> User-Agent: curl/7.47.1
> Accept: */*
>
< HTTP/1.1 401 Authorization Required
< Date: Fri, 10 Jun 2016 08:57:42 GMT
< Server: Apache/2.0.54 (Debian GNU/Linux) DAV/2 SVN/1.3.2
< WWW-Authenticate: Digest realm="test", nonce="aIREu+g0BQA=ca1579cf20437773ebe8a89dd825fb4d80684e44", algorithm=MD5, domain="/auth-digest/", qop="auth"
< Content-Length: 401
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host test.webdav.org left intact
* Issue another request to this URL: 'http://user1:user1@test.webdav.org/auth-digest/'
* Found bundle for host test.webdav.org: 0x91c9a8 [can pipeline]
* Re-using existing connection! (#0) with host test.webdav.org
* Connected to test.webdav.org (140.211.166.111) port 80 (#0)
* Server auth using Digest with user 'user1'
> GET /auth-digest/ HTTP/1.1
> Host: test.webdav.org
> Authorization: Digest username="user1",realm="test",nonce="aIREu+g0BQA=ca1579cf20437773ebe8a89dd825fb4d80684e44",uri="/auth-digest/",cnonce="3e8e3811d0ec47f6486245c7ac4885b0",nc=00000001,algorithm=MD5,response="5915003afbd62144881e033b523b52af",qop="auth"
> User-Agent: curl/7.47.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: Fri, 10 Jun 2016 08:57:42 GMT
< Server: Apache/2.0.54 (Debian GNU/Linux) DAV/2 SVN/1.3.2
< Content-Length: 210
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /auth-digest/ was not found on this server.</p>
</body></html>
* Connection #0 to host test.webdav.org left intact
* Found bundle for host test.webdav.org: 0x91c9a8 [can pipeline]
* Re-using existing connection! (#0) with host test.webdav.org
* Connected to test.webdav.org (140.211.166.111) port 80 (#0)
* Server auth using Digest with user 'user1'
> GET /auth-digest/ HTTP/1.1
> Host: test.webdav.org
> Authorization: Digest username="user1",realm="test",nonce="aIREu+g0BQA=ca1579cf20437773ebe8a89dd825fb4d80684e44",uri="/auth-digest/",cnonce="aab0a65e337d37c79cb2ad7abf7a6bf6",nc=00000001,algorithm=MD5,response="d816f8407a85bad6061e4a6838292f3d",qop="auth"
> User-Agent: curl/7.47.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: Fri, 10 Jun 2016 08:57:42 GMT
< Server: Apache/2.0.54 (Debian GNU/Linux) DAV/2 SVN/1.3.2
< Content-Length: 210
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /auth-digest/ was not found on this server.</p>
</body></html>
* Connection #0 to host test.webdav.org left intact

When the first connection attempt is done, the digest challenge is received from the server and afterwards used to retry the request with digest authentication. For the second URL the previous connection is re-used, along with the same nonce as for the first request. The second request should/must include a nc=00000002 instead of 1 because the same nonce value is used the second time. When using a curl version built with OpenSSL this is done automatically, but with WinSSPI this increment is missing.
I observed that this behavior results in 401-errors for the second request on an AXIS IP camera.


curl 7.49.1-DEV (Windows) libcurl/7.49.1-DEV WinSSL zlib/1.2.7
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp smtp smtps telnet tftp
Features: SSPI Kerberos SPNEGO NTLM SSL libz
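
The check a nonce-count-enforcing server applies to the requests above, as an added example (not curl's code and not part of the original report). It parses `Authorization: Digest` headers, computes the RFC 2617 `qop=auth` response to show that `nc` is part of the hashed input, and rejects any request whose `nc` does not increase for a reused nonce. The names `parse_digest`, `digest_response`, `NonceCountTracker` and `audit` are hypothetical, the strict-increase policy is an assumption about the server, and the sample headers are abbreviated from the logs in this thread.

```python
import hashlib
import re

# key=value pairs of a Digest header; values may be quoted or bare (nc, qop).
PAIR = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest(header):
    """Return the parameters of an 'Authorization: Digest ...' header."""
    params = header.partition("Digest ")[2]
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(params)}


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, method, p):
    """RFC 2617 response for algorithm=MD5, qop=auth; nc is hashed in."""
    ha1 = md5_hex(f"{user}:{p['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{p['uri']}")
    return md5_hex(
        f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")


class NonceCountTracker:
    """Server-side replay check (assumed policy): nc must strictly increase
    for every request that reuses a given server nonce."""

    def __init__(self):
        self.last_nc = {}

    def check(self, header):
        p = parse_digest(header)
        nc = int(p["nc"], 16)          # nc is 8 hex digits
        if nc <= self.last_nc.get(p["nonce"], 0):
            return False               # repeated nc: a strict server answers 401
        self.last_nc[p["nonce"]] = nc
        return True


def make_header(nonce, cnonce, nc):
    return (f'Authorization: Digest username="user1",realm="test",'
            f'nonce="{nonce}",uri="/auth-digest/",cnonce="{cnonce}",'
            f'nc={nc},algorithm=MD5,qop="auth"')


# Abbreviated from the logs in this thread (response field omitted).
NONCE_SSPI = "aIREu+g0BQA=ca1579cf20437773ebe8a89dd825fb4d80684e44"
NONCE_FIXED = "ckk1ROBHBQA=65f79e6cb76cc010f0cdde0964fcc20ef0725500"
BEFORE_FIX = [
    make_header(NONCE_SSPI, "3e8e3811d0ec47f6486245c7ac4885b0", "00000001"),
    make_header(NONCE_SSPI, "aab0a65e337d37c79cb2ad7abf7a6bf6", "00000001"),
]
AFTER_FIX = [make_header(NONCE_FIXED, "843e50ab16cae66faa86163b3f5dcaea",
                         f"{n:08x}") for n in (1, 2, 3)]


def audit(headers):
    """Return one accept/reject verdict per request, in order."""
    tracker = NonceCountTracker()
    return [tracker.check(h) for h in headers]


if __name__ == "__main__":
    print("SSPI build, before fix:", audit(BEFORE_FIX))
    print("with the fix applied:  ", audit(AFTER_FIX))
```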
@bagder bagder added the HTTP label Jun 10, 2016
@bagder
Member

bagder commented Jun 10, 2016

ping @captain-caveman2k!

This is clearly data that looks like it is handled by the Windows API, but it really isn't clear to me how the nc counter is supposed to get increased!

@captain-caveman2k
Contributor

@bagder I will take a look at it ;-)

@captain-caveman2k captain-caveman2k self-assigned this Jun 20, 2016
@aroth-arsoft
Author

Any clues yet how to fix this? Missing Windows API parameter, flag or function call?

mkhon added a commit to mkhon/curl that referenced this issue Dec 31, 2016
@mkhon
Contributor

mkhon commented Dec 31, 2016

I looked at wdigest.dll (which implements digest sspi) from Windows 2003 Server and it does not seem to support tracking and incrementing nonce-count at all.

@mkhon
Contributor

mkhon commented Feb 6, 2017

With the fix from #1251

curl -v --digest http://user1:user1@test.webdav.org/auth-digest/ http://user1:user1@test.webdav.org/auth-digest/ http://user1:user1@test.webdav.org/auth-digest/ >NUL
*   Trying 140.211.166.111...
* TCP_NODELAY set
* Connected to test.webdav.org (140.211.166.111) port 80 (#0)
* Server auth using Digest with user 'user1'
> GET /auth-digest/ HTTP/1.1
> Host: test.webdav.org
> User-Agent: curl/7.52.1
> Accept: */*
> 
< HTTP/1.1 401 Authorization Required
< Date: Mon, 06 Feb 2017 17:50:26 GMT
< Server: Apache/2.0.54 (Debian GNU/Linux) DAV/2 SVN/1.3.2
< WWW-Authenticate: Digest realm="test", nonce="ckk1ROBHBQA=65f79e6cb76cc010f0cdde0964fcc20ef0725500", algorithm=MD5, domain="/auth-digest/", qop="auth"
< Content-Length: 401
< Content-Type: text/html; charset=iso-8859-1
< 
* Ignoring the response-body
* Curl_http_done: called premature == 0
* Connection #0 to host test.webdav.org left intact
* Issue another request to this URL: 'http://user1:user1@test.webdav.org/auth-digest/'
* Found bundle for host test.webdav.org: 0x2bc100 [can pipeline]
* Re-using existing connection! (#0) with host test.webdav.org
* Connected to test.webdav.org (140.211.166.111) port 80 (#0)
* Server auth using Digest with user 'user1'
> GET /auth-digest/ HTTP/1.1
> Host: test.webdav.org
> Authorization: Digest username="user1",realm="test",nonce="ckk1ROBHBQA=65f79e6cb76cc010f0cdde0964fcc20ef0725500",uri="/auth-digest/",cnonce="843e50ab16cae66faa86163b3f5dcaea",nc=00000001,algorithm=MD5,response="f757c347921791eefa901f03098b495b",qop="auth"
> User-Agent: curl/7.52.1
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Date: Mon, 06 Feb 2017 17:50:26 GMT
< Server: Apache/2.0.54 (Debian GNU/Linux) DAV/2 SVN/1.3.2
< Content-Length: 210
< Content-Type: text/html; charset=iso-8859-1
< 
* Curl_http_done: called premature == 0
* Connection #0 to host test.webdav.org left intact
* Found bundle for host test.webdav.org: 0x2bc100 [can pipeline]
* Re-using existing connection! (#0) with host test.webdav.org
* Connected to test.webdav.org (140.211.166.111) port 80 (#0)
* Server auth using Digest with user 'user1'
> GET /auth-digest/ HTTP/1.1
> Host: test.webdav.org
> Authorization: Digest username="user1",realm="test",nonce="ckk1ROBHBQA=65f79e6cb76cc010f0cdde0964fcc20ef0725500",uri="/auth-digest/",cnonce="843e50ab16cae66faa86163b3f5dcaea",nc=00000002,algorithm=MD5,response="365449807aed572ae4ec58ad662d04ae",qop="auth"
> User-Agent: curl/7.52.1
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Date: Mon, 06 Feb 2017 17:50:26 GMT
< Server: Apache/2.0.54 (Debian GNU/Linux) DAV/2 SVN/1.3.2
< Content-Length: 210
< Content-Type: text/html; charset=iso-8859-1
< 
* Curl_http_done: called premature == 0
* Connection #0 to host test.webdav.org left intact
* Found bundle for host test.webdav.org: 0x2bc100 [can pipeline]
* Re-using existing connection! (#0) with host test.webdav.org
* Connected to test.webdav.org (140.211.166.111) port 80 (#0)
* Server auth using Digest with user 'user1'
> GET /auth-digest/ HTTP/1.1
> Host: test.webdav.org
> Authorization: Digest username="user1",realm="test",nonce="ckk1ROBHBQA=65f79e6cb76cc010f0cdde0964fcc20ef0725500",uri="/auth-digest/",cnonce="843e50ab16cae66faa86163b3f5dcaea",nc=00000003,algorithm=MD5,response="4a926a32c171cc68c2dff9cd8d92e781",qop="auth"
> User-Agent: curl/7.52.1
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Date: Mon, 06 Feb 2017 17:50:26 GMT
< Server: Apache/2.0.54 (Debian GNU/Linux) DAV/2 SVN/1.3.2
< Content-Length: 210
< Content-Type: text/html; charset=iso-8859-1
< 
* Curl_http_done: called premature == 0
* Connection #0 to host test.webdav.org left intact

jay pushed a commit that referenced this issue Feb 20, 2017
- on the first invocation: keep security context returned by
  InitializeSecurityContext()

- on subsequent invocations: use MakeSignature() instead of
  InitializeSecurityContext() to generate HTTP digest response

Bug: #870
Reported-by: Andreas Roth

Closes #1251
@jay jay added the needs-info label Feb 20, 2017
@jay
Member

jay commented Feb 20, 2017

@aroth-arsoft I just landed Max's fix for this issue, which works for me. Can you please try f77dabe with your AXIS IP Camera and let us know what happens? Thanks

@aroth-fastprotect

I've just checked with the AXIS cameras: With the f77dabe the authentication works fine.

Thanks for fixing it!

@jay
Member

jay commented Feb 21, 2017

@mkhon It looks like there is still an issue if Windows default credentials --user : is used. I have noticed MakeSignature fails when I use my default credentials so in that case the nonce-count doesn't increase. I'm not sure why it is, whether it's something with this machine or what.

* digest_sspi: MakeSignature failed, error 0x80090304

0x80090304 is SEC_E_INTERNAL_ERROR which is in my Windows Error file as "The Local Security Authority cannot be contacted". It isn't a documented error code for MakeSignature. I tried allocating the CredHandle credentials on the heap and not freeing it to see if that would make a difference but it doesn't. There is a GetLastError code of 1394 (0x572) ERROR_NO_USER_SESSION_KEY, which is of limited value since MakeSignature doesn't document checking that code.

Any ideas? These are the phony replies I'm testing with:

HTTP/1.1 401 Authorization Required
Date: Mon, 06 Feb 2017 17:50:26 GMT
Server: Apache/2.0.54 (Debian GNU/Linux) DAV/2 SVN/1.3.2
WWW-Authenticate: Digest realm="test", nonce="ckk1ROBHBQA=65f79e6cb76cc010f0cdde0964fcc20ef0725500", algorithm=MD5, domain="/auth-digest/", qop="auth"
Content-Length: 0
Content-Type: text/html; charset=iso-8859-1


HTTP/1.1 301
Content-Length: 0
Location: http://localhost:8080/foo

@mkhon
Contributor

mkhon commented Feb 21, 2017

@jay I'll check what can be done

@mkhon
Contributor

mkhon commented May 22, 2017

@jay, how do you test with phony replies?

I suspect that using Digest auth with default Windows credentials requires valid Digest auth/AD setup.
In my test IIS+Digest auth setup --user : works with pre-built curl binaries:

> curl --version
curl 7.53.1 (x86_64-w64-mingw32) libcurl/7.53.1 WinSSL zlib/1.2.8 WinIDN libssh2/1.7.0_DEV
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz
> curl -v --digest --user : http://localhost/digest-auth/
* timeout on name lookup is not supported
*   Trying ::1...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to localhost (::1) port 80 (#0)
* Server auth using Digest with user ''
> GET /digest-auth/ HTTP/1.1
> Host: localhost
> User-Agent: curl/7.53.1
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Cache-Control: private
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/7.5
< WWW-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="+Upgraded+v112ef8507e0ba6e21dc278b08254f18720e662a3eebd2d201b7b160efc03cf8d0262c1efc828fead96a32b67f59bb2ada46f197f1393e6dd3",charset=utf-8,realm="Digest"
< X-Powered-By: ASP.NET
< Date: Mon, 22 May 2017 11:04:54 GMT
< Content-Length: 6301
< 
* Ignoring the response-body
{ [6301 bytes data]
100  6301  100  6301    0     0   410k      0 --:--:-- --:--:-- --:--:--  410k
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'http://localhost/digest-auth/'
* Found bundle for host localhost: 0x51f0e0 [can pipeline]
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 80 (#0)
* Server auth using Digest with user ''
> GET /digest-auth/ HTTP/1.1
> Host: localhost
> Authorization: Digest username="max",realm="xxx.com",nonce="+Upgraded+v112ef8507e0ba6e21dc278b08254f18720e662a3eebd2d201b7b160efc03cf8d0262c1efc828fead96a32b67f59bb2ada46f197f1393e6dd3",uri="/digest-auth/",cnonce="+Upgraded+v15c1d89757bd55776df6e2788dcdca922c341619fd24361d7b787c276f755a4e0",nc=00000001,algorithm=MD5-sess,response="67def91f2079d799bf592cc94c15ec91",qop="auth",charset=utf-8,hashed-dirs="service-name,channel-binding",service-name="",channel-binding="00000000000000000000000000000000"
> User-Agent: curl/7.53.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=UTF-8
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Mon, 22 May 2017 11:04:54 GMT
< Content-Length: 266
< 
{ [266 bytes data]
100   266  100   266    0     0  17733      0 --:--:-- --:--:-- --:--:-- 17733<html><head><title>localhost - /digest-auth/</title></head><body><H1>localhost - /digest-auth/</H1><hr>

<pre><A HREF="/">[To Parent Directory]</A><br><br> 5/22/2017  5:44 PM          168 <A HREF="/digest-auth/web.config">web.config</A><br></pre><hr></body></html>
* Connection #0 to host localhost left intact

@jay
Member

jay commented May 22, 2017

> @jay, how do you test with phony replies?

I'm running socat on localhost and pasting in the replies
Client: curl --digest -u : -v -L localhost:8000
Server: socat tcp-listen:8000,reuseaddr,fork -

Reply to the first request with this:

HTTP/1.1 401 Authorization Required
Date: Mon, 06 Feb 2017 17:50:26 GMT
Server: Apache/2.0.54 (Debian GNU/Linux) DAV/2 SVN/1.3.2
WWW-Authenticate: Digest realm="test", nonce="ckk1ROBHBQA=65f79e6cb76cc010f0cdde0964fcc20ef0725500", algorithm=MD5, domain="/auth-digest/", qop="auth"
Content-Length: 0
Content-Type: text/html; charset=iso-8859-1

Reply to the second request with this (change the URL to be on the same connection):

HTTP/1.1 301
Content-Length: 0
Location: http://localhost:8000/foo

In the w/SSPI case curl doesn't increment the nonce count, instead starting from a new context because MakeSignature failed.

However in the w/o SSPI case the nc is incremented to 2, as seen in this output:

curl 7.54.1-DEV (i386-pc-win32) libcurl/7.54.1-DEV OpenSSL/1.0.2k nghttp2/1.21.1
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS Debug Largefile NTLM SSL HTTP2 HTTPS-proxy

##### socat in/out:

GET / HTTP/1.1
Host: localhost:8000
User-Agent: curl/7.54.1-DEV
Accept: */*

HTTP/1.1 401 Authorization Required
Date: Mon, 06 Feb 2017 17:50:26 GMT
Server: Apache/2.0.54 (Debian GNU/Linux) DAV/2 SVN/1.3.2
WWW-Authenticate: Digest realm="test", nonce="ckk1ROBHBQA=65f79e6cb76cc010f0cdde0964fcc20ef0725500", algorithm=MD5, domain="/auth-digest/", qop="auth"
Content-Length: 0
Content-Type: text/html; charset=iso-8859-1

GET / HTTP/1.1
Host: localhost:8000
Authorization: Digest username="", realm="test", nonce="ckk1ROBHBQA=65f79e6cb76cc010f0cdde0964fcc20ef0725500", uri="/", cnonce="Y2QzMTM1MGRhNjYyZWEyMTNhODczN2JiYjJkNmRlYzY=", nc=00000001, qop=auth, response="d3d6beb8f1e1fa51061403b069a5de3d", algorithm="MD5"
User-Agent: curl/7.54.1-DEV
Accept: */*

HTTP/1.1 301
Content-Length: 0
Location: http://localhost:8000/foo

GET /foo HTTP/1.1
Host: localhost:8000
Authorization: Digest username="", realm="test", nonce="ckk1ROBHBQA=65f79e6cb76cc010f0cdde0964fcc20ef0725500", uri="/foo", cnonce="Y2QzMTM1MGRhNjYyZWEyMTNhODczN2JiYjJkNmRlYzY=", nc=00000002, qop=auth, response="3589c95cab5e4ce993772312d24b8e9f", algorithm="MD5"
User-Agent: curl/7.54.1-DEV
Accept: */*

> In my test IIS+Digest auth setup --user : works with pre-built curl binaries

It may appear to work but have you actually seen the nonce-count increase, or does it instead do the fallback when MakeSignature fails?

@mkhon
Contributor

mkhon commented May 23, 2017

@jay there is no fallback there:

curl -v --digest --user : http://localhost/digest-auth/ http://localhost/digest-auth/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
* Server auth using Digest with user ''
> GET /digest-auth/ HTTP/1.1
> Host: localhost
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Cache-Control: private
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/7.5
< WWW-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="+Upgraded+v112ef8507e0ba6e21dc278b08254f1872ede88e819bd3d201749c4a87e9db4a15d27ee79a32247d1081dea7f18cefb6a4f04fe53ca4ae102c",charset=utf-8,realm="Digest"
< X-Powered-By: ASP.NET
< Date: Tue, 23 May 2017 08:06:39 GMT
< Content-Length: 6301
< 
* Ignoring the response-body
{ [6301 bytes data]
100  6301  100  6301    0     0   198k      0 --:--:-- --:--:-- --:--:--  198k
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'http://localhost/digest-auth/'
* Found bundle for host localhost: 0x735358 [can pipeline]
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 80 (#0)
* Server auth using Digest with user ''
> GET /digest-auth/ HTTP/1.1
> Host: localhost
> Authorization: Digest username="max",realm="xxx.com",nonce="+Upgraded+v112ef8507e0ba6e21dc278b08254f1872ede88e819bd3d201749c4a87e9db4a15d27ee79a32247d1081dea7f18cefb6a4f04fe53ca4ae102c",uri="/digest-auth/",cnonce="+Upgraded+v15c1d89757bd55776df6e2788dcdca9225a09ad11d3954ba31f084c46ead0813d",nc=00000001,algorithm=MD5-sess,response="e89bba71f76d3f6d08f97d817982b970",qop="auth",charset=utf-8,hashed-dirs="service-name,channel-binding",service-name="",channel-binding="00000000000000000000000000000000"
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=UTF-8
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Tue, 23 May 2017 08:06:39 GMT
< Content-Length: 266
< 
{ [266 bytes data]
100   266  100   266    0     0   8580      0 --:--:-- --:--:-- --:--:--  8580<html><head><title>localhost - /digest-auth/</title></head><body><H1>localhost - /digest-auth/</H1><hr>

<pre><A HREF="/">[To Parent Directory]</A><br><br> 5/22/2017  5:44 PM          168 <A HREF="/digest-auth/web.config">web.config</A><br></pre><hr></body></html>
* Connection #0 to host localhost left intact
* Found bundle for host localhost: 0x735358 [can pipeline]
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 80 (#0)
* Server auth using Digest with user ''
> GET /digest-auth/ HTTP/1.1
> Host: localhost
> Authorization: Digest username="max",realm="xxx.com",nonce="+Upgraded+v112ef8507e0ba6e21dc278b08254f1872ede88e819bd3d201749c4a87e9db4a15d27ee79a32247d1081dea7f18cefb6a4f04fe53ca4ae102c",uri="/digest-auth/",cnonce="+Upgraded+v15c1d89757bd55776df6e2788dcdca9225a09ad11d3954ba31f084c46ead0813d",nc=00000002,algorithm=MD5-sess,response="7274437c0ee135e6955efbd6cbedf9ce",qop="auth",charset=utf-8
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=UTF-8
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Tue, 23 May 2017 08:06:39 GMT
< Content-Length: 266
< 
{ [266 bytes data]
100   266  100   266    0     0    266      0  0:00:01 --:--:--  0:00:01   266<html><head><title>localhost - /digest-auth/</title></head><body><H1>localhost - /digest-auth/</H1><hr>

<pre><A HREF="/">[To Parent Directory]</A><br><br> 5/22/2017  5:44 PM          168 <A HREF="/digest-auth/web.config">web.config</A><br></pre><hr></body></html>
* Connection #0 to host localhost left intact

As you see nonce-count is nc=00000002 in the second request.
So I think there is no problem here and the issue can be closed.

@jay
Member

jay commented May 24, 2017

@mkhon Your example works here. The difference is yours uses MD5-sess and mine uses just MD5. If you change your example to use just MD5 you'll likely experience the same problem where MakeSignature fails, but only in the case of -u :. I have re-read the MS documentation involved and I cannot find any indication as to why.

@stale

stale bot commented Nov 20, 2017

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Nov 20, 2017
@stale stale bot closed this as completed Dec 4, 2017
@lock lock bot locked as resolved and limited conversation to collaborators May 6, 2018