[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

bug in squid proxy authentication?

From: Ulrich Eckhardt <eckhardt_at_satorlaser.com>
Date: 2007-03-13 15:28:12 CET

(Keep me CC'ed please, I'm currently not subscribed to this list)

Greetings!

Below is a mail I initially sent to the Subversion mailinglist, but I haven't
gotten any response from there yet, so I wanted to ask if you could help me
out perhaps, or at least help me determine where (Squid/NTLM/neon/Subversion)
the error is. Note that the svn client is using neon 0.26.

thanks!

Uli

>> original mail following >>

I'm currently trying to get a machine to access a repository via a proxy. The
details are:
- proxy is squid, with the REPORT MERGE MKACTIVITY CHECKOUT request types
added to the configuration. Note that 'PROPFIND' is not included, but
according to the FAQ it shouldn't need to.
- Subversion is a vanilla Debian/testing in version 1.4.2. ra_dav is compiled
in as access method. Note that initially the problems occurred with a MS
Windows machine, but were reproduced on Debian for better debugging tools.
- The proxy requires authentication. I have entered the same proxy in
konqueror on that machine and it automatically asks for a username and
password.
- The repository is http://stlport.svn.sourceforge.net/svnroot/stlport. I also
tried the same with https://. It works in both cases if I don't use the
proxy. It is also public, in case you want to try yourselves.

Now, what makes me suspect a bug is this: I have run svn with strace, and I
haven't seen any login attempts (or anything that looks like one). In fact
svn tries several times a PROPFIND and each time the proxy answers

  "HTTP/1.0 407 Proxy Authentication Required .."

..which is also the error message that svn displays (minus the "HTTP/1.0").
BTW: if you use a https:// URL, the error message is rather

  "Could not create SSL connection through proxy server .."

although the error message from the proxy is the same! This isn't exactly
helpful when trying to find out what is going wrong. Anyway, this is not the
immediate problem, I just wanted to mention it.

Now, using the neon-debug-flags and strace, I see that Subversion/Neon notices
that some authentication is required:

> ah_create, for Proxy-Authenticate
> ah_create, for WWW-Authenticate
> ah_post_send (#0), code is 407 (want 407), Proxy-Authenticate is NTLM,
> Basic realm="vProxy server" auth: Got challenge (code 407).
> auth: Ignoring 'NTLM' challenge.
> auth: Got 'Basic' challenge.
> auth: Trying Basic challenge...
> auth: Sending 'Basic' response.
> [...]
> ah_post_send (#10), code is 407 (want 407), Proxy-Authenticate is NTLM,
> Basic realm="vProxy server" auth: Got challenge (code 407).
> auth: Ignoring 'NTLM' challenge.
> auth: Got 'Basic' challenge.
> auth: Trying Basic challenge...
> auth: No challenges accepted.
> svn: PROPFIND request failed on '/svnroot/stlport'
> svn: PROPFIND of '/svnroot/stlport': 407 Proxy Authentication Required
> (http://stlport.svn.sourceforge.net)

The interesting thing here is that it only seems to consider the 'basic'
challenge and not NTLM. From the README I gather that Neon supports 'basic'
and 'digest' authentication, so NTLM is simply not implemented? I'm not sure
what the differences are, but if squid is configured to refuse the basic
variant, this will obviously fail. Since this is in a MS Windows network,
authentication is with the domain/username/password from the windows logon
(tried with konqueror). The squid docs have something to say about getting
those to work together, and it involves NTLM, but this is far beyond my
skills now.

Does anybody have a clue how I could pin down where the problem lies?

Thanks and a happy weekend!

Uli 

-- 
ML: http://subversion.tigris.org/mailing-list-guidelines.html
FAQ: http://subversion.tigris.org/faq.html
Docs: http://svnbook.red-bean.com/
Sator Laser GmbH
Geschäftsführer: Ronald Boers       Steuernummer: 02/892/02900 
Amtsgericht Hamburg HR B62 932      USt-Id.Nr.: DE183047360
**************************************************************************************
           Visit our website at <http://www.satorlaser.de/>
**************************************************************************************
Diese E-Mail einschließlich sämtlicher Anhänge ist nur für den Adressaten bestimmt und kann vertrauliche Informationen enthalten. Bitte benachrichtigen Sie den Absender umgehend, falls Sie nicht der beabsichtigte Empfänger sein sollten. Die E-Mail ist in diesem Fall zu löschen und darf weder gelesen, weitergeleitet, veröffentlicht oder anderweitig benutzt werden.
E-Mails können durch Dritte gelesen werden und Viren sowie nichtautorisierte Änderungen enthalten. Sator Laser GmbH ist für diese Folgen nicht verantwortlich.
**************************************************************************************
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Mar 13 15:27:06 2007

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.