[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [NEW BUG] proxy ntlm_auth fails when downgraded to HTTP/1.0

From: Joe Orton <jorton_at_redhat.com>
Date: Thu, 13 Mar 2008 20:14:45 +0000

On Thu, Mar 13, 2008 at 04:11:05PM +0100, Simon Putz wrote:
> I'm working on a case with a mutual customer and I've got the problem that
> svn FIN's the connection when our proxy
> replies with the 407 HTTP/1.0 containing the NTLM negotiate headers.
>
> Looks like SVN ignores the proxy-connection:keep-alive header.

The Proxy-Connection header is not defined by any RFC, and is not
supported by current versions of neon. The only RFC-defined method for
doing persistent connections with an HTTP/1.0 server/proxy is by using
the "Keep-Alive" token in Connection headers - see RFC 2068 section
19.7.1. neon does support that, and proxies should use that in
preference to, or at least in addition to, the non-standard
Proxy-Connection header.

Coincidentally (at least I presume it's a coincidence) Anatoly Techtonik
has tracked down a problem with Squid to the same root cause; apparently
there are quite a lot of people having issues with NTLM and proxies:

  http://subversion.tigris.org/issues/show_bug.cgi?id=2693

It can be risky for a client to use Proxy-Connection, since it can break
in cases where you have multiple HTTP/1.0 proxies and only some which
understand the header. For future neon releases, I've added
Proxy-Connection support, though the response header is only honoured in
the case where a connection-auth scheme is in use (like NTLM).

Regards,

joe

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-03-13 21:29:22 CET

This is an archived mail posted to the Subversion Dev mailing list.