Posted to dev@subversion.apache.org by Simon Putz <si...@ironport.com> on 2008/03/13 15:11:05 UTC

[NEW BUG] proxy ntlm_auth fails when downgraded to HTTP/1.0

Hello,

I'm working on a case with a mutual customer and I've got the problem 
that svn FIN's the connection when our proxy
replies with the 407 HTTP/1.0 containing the NTLM negotiate headers.

Looks like SVN ignores the proxy-connection:keep-alive header.

For NTLM auth to succeed, the authentication must happen on the same socket.

I've already filed a bug on our side for downgrading the client to 
HTTP/1.0 which is valid as per RFC, but doesn't do any good.

I used svn, version 1.4.6 (r28521) compiled Feb 29 2008, 15:39:52 while 
repro'ing this.
Could someone check if this is still present in the latest (1.5) version 
and/or point me at where in the svn code I can find the NTLM related 
auth stuff?

I've attached a packet capture for reference.

Cheers,

Simon Putz



Re: [NEW BUG] proxy ntlm_auth fails when downgraded to HTTP/1.0

Posted by Joe Orton <jo...@redhat.com>.
On Thu, Mar 13, 2008 at 04:11:05PM +0100, Simon Putz wrote:
> I'm working on a case with a mutual customer and I've got the problem that 
> svn FIN's the connection when our proxy
> replies with the 407 HTTP/1.0 containing the NTLM negotiate headers.
>
> Looks like SVN ignores the proxy-connection:keep-alive header.

The Proxy-Connection header is not defined by any RFC, and is not 
supported by current versions of neon.  The only RFC-defined method for 
doing persistent connections with an HTTP/1.0 server/proxy is by using 
the "Keep-Alive" token in Connection headers - see RFC 2068 section 
19.7.1.  neon does support that, and proxies should use that in 
preference to, or at least in addition to, the non-standard 
Proxy-Connection header.

Coincidentally (at least I presume it's a coincidence) Anatoly Techtonik 
has tracked down a problem with Squid to the same root cause; apparently 
there are quite a lot of people having issues with NTLM and proxies:

  http://subversion.tigris.org/issues/show_bug.cgi?id=2693

It can be risky for a client to use Proxy-Connection, since it can break 
in cases where you have multiple HTTP/1.0 proxies and only some which 
understand the header.  For future neon releases, I've added 
Proxy-Connection support, though the response header is only honoured in 
the case where a connection-auth scheme is in use (like NTLM).

Regards,

joe

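The persistence rules discussed in this thread, as an added Python example that is not part of either message and is not code from neon or Subversion. The function names, the `honour_proxy_connection` switch and the sample 407 responses are constructed for illustration, and treating NTLM as "in use" whenever a 407 offers it is an assumption of the sketch.

```python
# Added illustration; not code from neon or Subversion.
CONNECTION_AUTH = {"ntlm"}  # schemes that authenticate the TCP connection itself

def parse_response(raw: bytes):
    """Return (version, status, headers) from a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    version, code = status_line.split(" ", 2)[:2]
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, int(code), headers

def tokens(headers, name):
    """Lower-cased comma-separated tokens of every occurrence of a header."""
    return {t.strip().lower() for v in headers.get(name, [])
            for t in v.split(",") if t.strip()}

def offered_schemes(headers):
    """Auth scheme names from Proxy-Authenticate challenges."""
    return {v.split(None, 1)[0].lower()
            for v in headers.get("proxy-authenticate", []) if v}

def connection_persists(raw: bytes, honour_proxy_connection: bool = False) -> bool:
    version, code, headers = parse_response(raw)
    conn = tokens(headers, "connection")
    if "close" in conn:
        return False
    if version == "HTTP/1.1" or "keep-alive" in conn:
        return True
    # HTTP/1.0 without Connection: Keep-Alive. Assumption of this sketch: NTLM
    # counts as "in use" when a 407 offers it.
    if honour_proxy_connection and code == 407 and offered_schemes(headers) & CONNECTION_AUTH:
        return "keep-alive" in tokens(headers, "proxy-connection")
    return False

def response(*header_lines):  # constructed sample 407 from an HTTP/1.0 proxy
    head = ["HTTP/1.0 407 Proxy Authentication Required", *header_lines, "Content-Length: 0"]
    return "\r\n".join(head).encode() + b"\r\n\r\n"

NONSTANDARD = response("Proxy-Authenticate: NTLM", "Proxy-Connection: keep-alive")
STANDARD = response("Proxy-Authenticate: NTLM", "Connection: Keep-Alive")
BASIC = response('Proxy-Authenticate: Basic realm="proxy"', "Proxy-Connection: keep-alive")

if __name__ == "__main__":
    for label, raw in [("Proxy-Connection only", NONSTANDARD), ("Connection", STANDARD), ("Basic", BASIC)]:
        print(label, connection_persists(raw), connection_persists(raw, True))
```

With the default setting, the `NONSTANDARD` response is treated as non-persistent, which is the point at which the client closes the socket and the NTLM handshake cannot complete.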