Closed Bug 203813 Opened 22 years ago Closed 22 years ago

Digest auth does not work with SSL proxy

Categories

(Core :: Networking, defect, P2)

x86
Linux
defect

RESOLVED FIXED
mozilla1.4final

People

(Reporter: gernot, Assigned: darin.moz)

Details

(Keywords: topembed+)

Attachments

(2 files, 1 obsolete file)

User-Agent: Mozilla/5.0 Galeon/1.2.10 (X11; Linux i686; U;) Gecko/20030429
Build Identifier: Mozilla/5.0 Galeon/1.2.10 (X11; Linux i686; U;) Gecko/20030429

While authenticating through a proxy with digest MD5 the first Response for a POST Request is calculated wrong. The Browser sends "Request-Method: POST" while calculating the H(A2) with Method GET.

Reproducible: Always

Steps to Reproduce:
1. Authenticate to a Proxy that forces Digest MD5
2. Try to send a POST Request
3.

Actual Results: The Browser prompts for username/password (provided that the proxy doesn't work around)

Expected Results: calculate the first Response with POST instead of GET

Actually I don't know a proxy that supports Authentication Digest. I found that out while developing my own Proxy. Any other Browser I've tried works as expected (at least in that situation).

Additionally I think there is another issue with Authentication. RFC2617 says: The user agent MUST choose to use one of the challenges with the strongest auth-scheme it understands... etc.pp. Actually none of the tested Browsers does so.
no need to keep this bug confidential...
Group: security
So this is a problem specifically w/ proxy-auth using digest in a certain situation? Is there any possibility the problem is more general?
Summary: First POST Request calculates wrong Digest → Proxy: First POST Request calculates wrong Digest
I think it could also happen while authenticating to a server but I haven't tested it so far. I will do so when time permits. Would it help if I send my proxy's debugging messages?
that would be great. long logs should be in an attachment. (so few people admin their proxies now, I often forget to ask!)
Attached file debug messages
Ok, this is what the proxy says. Look at the end, after recalculating the expected response with GET instead of POST everything is ok.
Mozilla shows the same behavior when connecting to a SSL Server. The response is calculated with GET instead of CONNECT.
hmm.. i thought that this should be fixed. maybe the CONNECT vs GET case is not, but as for the POST vs GET case, i thought it was fixed in bug 155155.
Depends on: 155155
Ok, I recompiled my mozilla 1.3 with the bugfix from 155155. The POST vs GET case is fixed but the CONNECT vs GET case is not. More than this, the CONNECT vs GET case is now a CONNECT vs GET/POST case.
Gernot: Is it possible for you to post the testcase in this bug? thanks!
Attached patch v1 patch (obsolete) — Splinter Review
this patch solves the problem by having nsHttpDigestAuth check for proxy-auth and a HTTPS channel. if those conditions are met, then it assumes the method is CONNECT.
Comment on attachment 122604 [details] [diff] [review] v1 patch
straightforward patch. includes these changes:
1- make nsHttpDigestAuth check for HTTPS and proxy-auth. if conditions met, then assume method is CONNECT. else method is nsIHttpChannel::requestMethod.
2- fix small bug in SetAuthorizationHeader in which |ident| was not being assigned in the basic auth case. this would result in an extra server trip if the user identity happened to be invalid.
3- minor footprint improvements in nsHttpDigestAuth since i happened to be touching the file.
Attachment #122604 - Flags: superreview?(bz-bugspam)
Attachment #122604 - Flags: review?(suresh)
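The method mismatch discussed in this bug, shown as an added example (not code from the bug's attachments or from Mozilla): an RFC 2617 MD5 request-digest computed by a proxy for the CONNECT it received, compared with a client that hashes the channel's own method and with one that applies the selection rule described in the patch comment. Credentials, nonce, and host are constructed, the function names are hypothetical, and using the CONNECT authority as the digest-uri is an assumption.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    nc=None, cnonce=None, qop=None):
    """RFC 2617 request-digest for algorithm=MD5."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")  # A2 = Method ":" digest-uri
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def method_for_digest(request_method, is_https, proxy_auth):
    """Rule from the patch description: proxy auth on an HTTPS channel
    answers the CONNECT request, not the tunnelled GET/POST."""
    return "CONNECT" if (is_https and proxy_auth) else request_method

# Constructed sample values, not taken from the bug.
CREDS = dict(user="alice", realm="proxy", password="constructed-password")
CHALLENGE = dict(nonce="constructed-nonce-0001", nc="00000001",
                 cnonce="0a4f113b", qop="auth")
TUNNEL_URI = "secure.example.test:443"  # assumed digest-uri for CONNECT

def proxy_accepts(wire_method, uri, client_response):
    """Proxy side: recompute with the method actually seen on the wire."""
    expected = digest_response(method=wire_method, uri=uri,
                               **CREDS, **CHALLENGE)
    return hmac.compare_digest(expected, client_response)

def client_response(channel_method, is_https, fixed):
    """Client side: 'fixed' applies method_for_digest, otherwise the
    channel's own request method is hashed into A2."""
    method = (method_for_digest(channel_method, is_https, True)
              if fixed else channel_method)
    return digest_response(method=method, uri=TUNNEL_URI,
                           **CREDS, **CHALLENGE)

if __name__ == "__main__":
    for fixed in (False, True):
        resp = client_response("POST", is_https=True, fixed=fixed)
        ok = proxy_accepts("CONNECT", TUNNEL_URI, resp)
        print(f"fixed={fixed}: proxy accepts CONNECT digest -> {ok}")
```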
nominating for 1.4 beta. this patch fixes a bug that prevents digest auth from working correctly with SSL proxies. this is not a regression. we've had this bug ever since digest auth was initially added to mozilla.
Severity: normal → major
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: blocking1.4b?
Priority: -- → P2
Summary: Proxy: First POST Request calculates wrong Digest → Proxy: First CONNECT Request calculates wrong Digest
Target Milestone: --- → mozilla1.4beta
Comment on attachment 122604 [details] [diff] [review] v1 patch + in boolean aProxyAuth, it would maybe be nice to document this parameter (both places)
Comment on attachment 122604 [details] [diff] [review] v1 patch r-suresh! nit: please add a comment about aProxyAuth in nsIHttpAuthenticator.idl. thanks!
Attachment #122604 - Flags: review?(suresh) → review+
biesi beat me to that ;-)
comments added to my local tree.. thx for noticing that guys!
Attached patch v1.1 patch — Splinter Review
actually, that last patch didn't work... this one does ;-) tested against an apache v2 proxy server (mod_proxy) with digest auth.
Attachment #122604 - Attachment is obsolete: true
Attachment #122604 - Flags: superreview?(bz-bugspam)
test proxy server is "foo:foo@unagi.mcom.com:80"
Attachment #122649 - Flags: superreview?(bz-bugspam)
Attachment #122649 - Flags: review?(suresh)
Comment on attachment 122649 [details] [diff] [review] v1.1 patch looks good to me. Also, I tested this patch and it works fine. r-suresh.
Attachment #122649 - Flags: review?(suresh) → review+
Comment on attachment 122649 [details] [diff] [review] v1.1 patch alec: can you please review this patch. i'm hoping to land this for 1.4 final. thx!
Attachment #122649 - Flags: superreview?(bz-bugspam) → superreview?(alecf)
Flags: blocking1.4?
Summary: Proxy: First CONNECT Request calculates wrong Digest → Digest auth does not work with SSL proxy
Flags: blocking1.4b?
Keywords: nsbeta1, topembed
Target Milestone: mozilla1.4beta → mozilla1.4final
mozilla1.4beta + v1.1 patch looks good
Comment on attachment 122649 [details] [diff] [review] v1.1 patch sr=alecf
Attachment #122649 - Flags: superreview?(alecf) → superreview+
Comment on attachment 122649 [details] [diff] [review] v1.1 patch seeking drivers approval for 1.4 final.. fixes an important bug (digest auth not working with SSL proxies). patch is relatively low risk.
Attachment #122649 - Flags: approval1.4?
Keywords: topembed → topembed+
Comment on attachment 122649 [details] [diff] [review] v1.1 patch a=asa (on behalf of drivers) for checkin to 1.4.
Attachment #122649 - Flags: approval1.4? → approval1.4+
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Flags: blocking1.4?