hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Karl Wright (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1488) Built-in NTLM engine fails to authenticate against Squids ntlm_fake_auth, JCIFS doesn't
Date Fri, 21 Mar 2014 12:47:43 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13943015#comment-13943015

Karl Wright commented on HTTPCLIENT-1488:

Hi Oleg,

That means that the Type 2 message from the fake NTLM code on squid is malformed.  Here's
the code:

    private static byte[] readSecurityBuffer(final byte[] src, final int index) throws NTLMEngineException
        final int length = readUShort(src, index);
        final int offset = readULong(src, index + 4);
        if (src.length < offset + length) {
            throw new NTLMEngineException(
                    "NTLM authentication - buffer too small for data item");

We *could* just ignore errors of this kind, but I think that would not necessarily be the
right thing to do.

> Built-in NTLM engine fails to authenticate against Squids ntlm_fake_auth, JCIFS doesn't
> ---------------------------------------------------------------------------------------
>                 Key: HTTPCLIENT-1488
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1488
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.3.3
>         Environment: Squid 4.3.3
> JCIFS 1.3.17
>            Reporter: Andreas Sewe
>         Attachments: builtin.pcap.gz, builtin.txt, jcfis.pcap.gz, jcifs.txt
> I used the provided ClientProxyAuthentication example <https://hc.apache.org/httpcomponents-client-4.2.x/httpclient/examples/org/apache/http/examples/client/ClientProxyAuthentication.java>
to authenticate with NTML against a local Squid instance, using its ntlm_fake_auth helper
(only does the handshake, all credentials are considered valid).
> Unfortunately, this fails with the NTLM engine built into version 4.3.3 (also tested
with 4.2.1: same result). Following the guidance of <http://hc.apache.org/httpcomponents-client-ga/ntlm.html>,
I got it working with JCIFS. Is Squid not implementing NTLM as expected by HttpComponents?
> I added two Wireshark captures to show the differences in handshake behaviour between
the built-in and JCIFS engines. Hope that helps.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org

View raw message