You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by "Karl Wright (JIRA)" <ji...@apache.org> on 2014/03/21 13:47:44 UTC

[jira] [Comment Edited] (HTTPCLIENT-1488) Built-in NTLM engine fails to authenticate against Squids ntlm_fake_auth, JCIFS doesn't

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13943015#comment-13943015 ] 

Karl Wright edited comment on HTTPCLIENT-1488 at 3/21/14 12:46 PM:
-------------------------------------------------------------------

Hi Oleg,

That means that the Type 2 message from the fake NTLM code on squid is malformed.  Here's the code:

{code}
    private static byte[] readSecurityBuffer(final byte[] src, final int index) throws NTLMEngineException {
        final int length = readUShort(src, index);
        final int offset = readULong(src, index + 4);
        if (src.length < offset + length) {
            throw new NTLMEngineException(
                    "NTLM authentication - buffer too small for data item");
        }
   ...
{code}

We *could* just ignore errors of this kind, but I think that would not necessarily be the right thing to do.



was (Author: kwright@metacarta.com):
Hi Oleg,

That means that the Type 2 message from the fake NTLM code on squid is malformed.  Here's the code:

>>>>>>
    private static byte[] readSecurityBuffer(final byte[] src, final int index) throws NTLMEngineException {
        final int length = readUShort(src, index);
        final int offset = readULong(src, index + 4);
        if (src.length < offset + length) {
            throw new NTLMEngineException(
                    "NTLM authentication - buffer too small for data item");
        }
   ...
<<<<<<

We *could* just ignore errors of this kind, but I think that would not necessarily be the right thing to do.


> Built-in NTLM engine fails to authenticate against Squids ntlm_fake_auth, JCIFS doesn't
> ---------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1488
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1488
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.3.3
>         Environment: Squid 4.3.3
> JCIFS 1.3.17
>            Reporter: Andreas Sewe
>         Attachments: builtin.pcap.gz, builtin.txt, jcfis.pcap.gz, jcifs.txt
>
>
> I used the provided ClientProxyAuthentication example <https://hc.apache.org/httpcomponents-client-4.2.x/httpclient/examples/org/apache/http/examples/client/ClientProxyAuthentication.java> to authenticate with NTML against a local Squid instance, using its ntlm_fake_auth helper (only does the handshake, all credentials are considered valid).
> Unfortunately, this fails with the NTLM engine built into version 4.3.3 (also tested with 4.2.1: same result). Following the guidance of <http://hc.apache.org/httpcomponents-client-ga/ntlm.html>, I got it working with JCIFS. Is Squid not implementing NTLM as expected by HttpComponents?
> I added two Wireshark captures to show the differences in handshake behaviour between the built-in and JCIFS engines. Hope that helps.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org