You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@subversion.apache.org by Simon Putz <si...@ironport.com> on 2008/03/13 15:11:05 UTC
[NEW BUG] proxy ntlm_auth fails when downgraded to HTTP/1.0
Hello,
I'm working on a case with a mutual customer and I've got the problem
that svn FIN's the connection when our proxy
replies with the 407 HTTP/1.0 containing the NTLM negotiate headers.
Looks like SVN ignores the proxy-connection:keep-alive header.
For ntlm auth to suceed the authentication must happen on the same socket.
I've already filed a bug on our side for downgrading the client to
HTTP/1.0 which is valid as per RFC, but doesn't do any good.
I used svn, version 1.4.6 (r28521) compiled Feb 29 2008, 15:39:52 while
repro'ing this.
Could someone check if this is still present in the latest (1.5) version
and/or point me at where in the svn code I can find the NTLM related
auth stuff?
I've attached a packet capture for reference.
Cheers,
Simon Putz
Re: [NEW BUG] proxy ntlm_auth fails when downgraded to HTTP/1.0
Posted by Joe Orton <jo...@redhat.com>.
On Thu, Mar 13, 2008 at 04:11:05PM +0100, Simon Putz wrote:
> I'm working on a case with a mutual customer and I've got the problem that
> svn FIN's the connection when our proxy
> replies with the 407 HTTP/1.0 containing the NTLM negotiate headers.
>
> Looks like SVN ignores the proxy-connection:keep-alive header.
The Proxy-Connection header is not defined by any RFC, and is not
supported by current versions of neon. The only RFC-defined method for
doing persistent connections with an HTTP/1.0 server/proxy is by using
the "Keep-Alive" token in Connection headers - see RFC 2068 section
19.7.1. neon does support that, and proxies should use that in
preference to, or at least in addition to, the non-standard
Proxy-Connection header.
Coincidentally (at least I presume it's a coincidence) Anatoly Techtonik
has tracked down a problem with Squid to the same root cause; apparently
there are quite a lot of people having issues with NTLM and proxies:
http://subversion.tigris.org/issues/show_bug.cgi?id=2693
It can be risky for a client to use Proxy-Connection, since it can break
in cases where you have multiple HTTP/1.0 proxies and only some which
understand the header. For future neon releases, I've added
Proxy-Connection support, though the response header is only honoured in
the case where a connection-auth scheme is in use (like NTLM).
Regards,
joe
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org