http_negotiate: do not close connection until negotiation is completed #3275

Closed

elia-tufarolo commented Nov 15, 2018

The aim of this PR is to fix the HTTP POST using CURLAUTH_NEGOTIATE.

When connecting to an HTTP URL through a proxy that accepts Negotiation based authorization, libcURL fails to log in to the proxy. The Negotiate protocol requires two round trips with the proxy. During the first one the client provides the Negotiate flags and the proxy answers with a Negotiate challenge, also returning HTTP 407. In the second round trip, the client provides the answer to the challenge and, if the proxy accepts it, it returns HTTP 200.
Because authstatus->done is always set to true after emitting the Negotiate authorization header, even after just emitting the header for the first request, libcURL closes the connection after the first round trip. Then it reopens it and executes the second round trip, thus answering the challenge: the proxy, receiving a new connection, loses the context and is unable to associate the challenge response with the original challenge. For this reason it returns 407 again.

The change is aimed at setting authstatus->done to true only if the client thinks it is at the last stage of its negotiation, to prevent libcURL from closing the socket while the negotiation is still ongoing. The negotiation can be considered as complete when the final status of the SPNEGO decoding is a completion status (GSS_S_COMPLETE for GSSAPI and SEC_E_OK for SSPI).

Please review.

http_negotiate: do not close connection until negotiation is completed
Aim of this PR is to fix the HTTP POST using CURLAUTH_NEGOTIATE.
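
The failure and the fix described in the pull request, as an added toy model in C (not libcurl code and not part of the original thread). The structs, function names and the two-step status enum are assumptions made for illustration; the proxy is modelled as binding its challenge to one connection, and the client as dropping the connection whenever `done` is set.

```c
/* Toy model, not libcurl code: why marking auth "done" after the first
   Negotiate header loses the proxy's per-connection challenge context. */
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for "more tokens needed" and GSS_S_COMPLETE / SEC_E_OK */
enum neg_status { NEG_CONTINUE, NEG_COMPLETE };
struct proxy_conn { bool challenge_sent; };          /* proxy state, per connection */
struct client { bool have_challenge; bool done; };   /* done models authstatus->done */

/* Proxy: 200 only if the response arrives on the connection that got the challenge */
static int proxy_handle(struct proxy_conn *pc, bool is_response)
{
  if(is_response && pc->challenge_sent)
    return 200;
  pc->challenge_sent = true;   /* issue (or re-issue) a challenge */
  return 407;
}

/* Client emits a Negotiate header; returns true if it answers a challenge */
static bool client_emit(struct client *c, bool done_only_when_complete)
{
  enum neg_status st = c->have_challenge ? NEG_COMPLETE : NEG_CONTINUE;
  c->done = done_only_when_complete ? (st == NEG_COMPLETE) : true;
  return c->have_challenge;
}

/* Final HTTP status after at most max_trips round trips */
int run_negotiate(bool done_only_when_complete, int max_trips)
{
  struct proxy_conn conn = { false };
  struct client c = { false, false };
  int status = 0;
  for(int i = 0; i < max_trips; i++) {
    status = proxy_handle(&conn, client_emit(&c, done_only_when_complete));
    if(status == 200)
      break;
    c.have_challenge = true;
    if(c.done)                              /* connection closed and reopened: */
      conn = (struct proxy_conn){ false };  /* the proxy context is gone */
  }
  return status;
}

int main(void)
{
  printf("done always: %d\n", run_negotiate(false, 4));
  printf("done on completion: %d\n", run_negotiate(true, 4));
  return 0;
}
```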

bagder approved these changes Nov 15, 2018

Makes sense to me!

bagder commented Nov 16, 2018

Thanks!

@bagder bagder closed this in 07ebaf8 Nov 16, 2018