RE: Commit 5841520b makes it impossible to connect to github from behind my company's firewall.

From: Junio C Hamano [mailto:jch2355@xxxxxxxxx] On Behalf Of Junio C Hamano

> Enrique Tobis <Enrique.Tobis@xxxxxxxxxxxx> writes:

>> Hey!
>>
>> I'm really sorry to hear that.
>>
>> That change should enable more forms of authentication with your 
>> proxy, but it does cause libcurl to choose the one it finds most 
>> secure, according to the docs
>> (http://curl.haxx.se/libcurl/c/CURLOPT_HTTPAUTH.html) What kinds of 
>> authentication does your proxy use?

> Good line of thought.  The answer would reveal what non-working authentication form the proxy claims to support is chosen because libcurl considers it more secure than the one the user wants to use.
> I'd imagine that the next step after that would be to make the list of authentication forms configurable so that the user can say "hey my proxy claims to support this one but it does not work" to skip it?

> That sounds like a similar approach as what we did for SSL ciphers in f6f2a9e4 (http: add support for specifying an SSL cipher list, 2015-05-08) where some people had problems with certain cipher the server/client claimed to support when it was in fact broken.

> Thanks.

@Junio: I agree. From the post in the cygwin mailing list that Johan mentioned, the problem seems to be that the proxy supports NEGOTIATE, NTLM and Basic, and libcurl is choosing NEGOTIATE. That choice fails for that user.

There is something I don't understand, though. Johan must be configuring his proxy either a) through git config files; or b) through environment variables. Johan says his proxy uses NTLM authentication. If he is doing a), then my change should not have had any impact. We were already setting CURLOPT_PROXYAUTH to CURLAUTH_ANY in that case. If it's b), then his proxy couldn't have been using NTLM authentication. In the old code path, only _BASIC was available as an authentication mechanism. That default is what prompted me to make the change in the first place.

@Johan: how are you configuring your proxy? Git configuration or environment variables? Also, could you run GIT_CURL_VERBOSE=1 git pull and send the output? That should show the failing authentication method.

Thanks.
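
The selection behaviour discussed in this message, as an added example that is not part of the original e-mail and is not git's or libcurl's code: a small C model that reads the schemes a proxy offers in a 407 response and picks the most preferred one still allowed by a mask, so that excluding Negotiate lets NTLM be chosen. The flag names, the preference order and the sample response are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Model flags: this example's own names and values, not libcurl's constants. */
enum { M_BASIC = 1, M_DIGEST = 2, M_NEGOTIATE = 4, M_NTLM = 8, M_ANY = 15 };
/* Preference order assumed by this model, strongest first. */
static const struct { const char *name; int bit; } SCHEMES[] = {
    { "Negotiate", M_NEGOTIATE }, { "Digest", M_DIGEST },
    { "NTLM", M_NTLM }, { "Basic", M_BASIC },
};
#define NSCHEMES (sizeof SCHEMES / sizeof SCHEMES[0])

/* Collect the schemes a proxy offers in the headers of its 407 response. */
int offered_schemes(const char *response) {
    static const char hdr[] = "Proxy-Authenticate:";
    int mask = 0;
    for (const char *line = response; line && *line; ) {
        if (strncasecmp(line, hdr, sizeof hdr - 1) == 0) {
            const char *v = line + sizeof hdr - 1;
            v += strspn(v, " \t");
            for (size_t i = 0; i < NSCHEMES; i++) {
                size_t n = strlen(SCHEMES[i].name);
                if (!strncasecmp(v, SCHEMES[i].name, n) && strchr(" \r\n", v[n]))
                    mask |= SCHEMES[i].bit;   /* token ends at a delimiter */
            }
        }
        if ((line = strchr(line, '\n')) != NULL) line++;
    }
    return mask;
}

/* Pick the most preferred scheme that is both offered and allowed. */
const char *pick_scheme(int offered, int allowed) {
    for (size_t i = 0; i < NSCHEMES; i++)
        if (offered & allowed & SCHEMES[i].bit)
            return SCHEMES[i].name;
    return "none";
}

/* Constructed 407 response for a proxy offering Negotiate, NTLM and Basic. */
static const char SAMPLE_407[] = "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\nProxy-Authenticate: NTLM\r\n"
    "Proxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n";

int main(void) {
    int offered = offered_schemes(SAMPLE_407);
    printf("all allowed: %s\n", pick_scheme(offered, M_ANY));
    printf("Negotiate skipped: %s\n", pick_scheme(offered, M_ANY & ~M_NEGOTIATE));
    return 0;
}
```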