Re: [squid-users] Bugs in IE digest proxy auth

On Sat, 28 May 2005, Joshua Goodall wrote:

I wondered if there was some embrace-and-extended going on with
Digest auth, but I've reproduced all of these bugs using ISA Server
2004 as well. Ethereal shows that it's all the same on the wire
except for ISA using md5-sess.

Yes.. some day we need to reverse engineer how ISA Server gets the Digest MD5-sess H(A1) from AD, allowing Squid to integrate similarly.

The only thing I can think of is to make sure there are persistent
connections enabled. I could imagine that nonce reuse may be related to
connection reuse in some clients.

I have an experimental hack that turns digest auth into a per-connection
authentication, a la NTLM.  This cuts down on the excess 407 traffic.

Generally works, but you will run into trouble if there are child proxies on your network. If there are, you risk getting requests assigned to the wrong user simply because the child proxy reused a persistent, previously "authenticated" connection.

1. User browses web normally with Digest proxy auth
2. User visits a site requiring 401 www-authentication
3. User is challenged and enters their 401 credentials
4. User is then re-challenged to enter their Basic proxy credentials
5. User then continues browsing, but for the remainder of that
  session IE is using basic proxy authentication for all requests.

Right.. the browser then sticks to always sending Basic, so there is never a Digest challenge sent by Squid for the rest of this session..

It's not an acceptable solution, because the password is now in the clear.
Oddly, it doesn't happen with SSL. I'll work through this with MS.

MSIE has already had (and still has) its fair share of authentication issues with the CONNECT method, so it is not odd that things act differently for CONNECT than for the other methods.

Notwithstanding the issues above, I have a six-figure userbase using
Digest proxy auth successfully for >1200 requests/sec.

Nice, nice indeed!

At some point I'll seek authorisation to release our workarounds under the GPL.

Looking forward to seeing your contributions.

Regards
Henrik
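The thread contrasts the plain MD5 and MD5-sess Digest variants and the H(A1) a proxy needs for each. As an added illustration (not code from the thread, from Squid or from ISA Server), the following Python implements the RFC 2617 computation for both variants on the proxy side; it shows that the MD5-sess H(A1) is derived from the same static H(A1) a Digest password file holds, with test vectors taken from the worked example in RFC 2617 section 3.5. The parameter-dict layout of `verify` is an assumption of this example, not a Squid helper interface.

```python
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def h_a1(username: str, realm: str, password: str) -> str:
    """Static H(A1) per RFC 2617 3.2.2.2; this is what a Digest password file stores."""
    return md5_hex(f"{username}:{realm}:{password}")


def h_a1_sess(stored_ha1: str, nonce: str, cnonce: str) -> str:
    """MD5-sess H(A1): the static H(A1) re-hashed with the server and client nonces,
    so a proxy holding only the static H(A1) can still verify MD5-sess clients."""
    return md5_hex(f"{stored_ha1}:{nonce}:{cnonce}")


def digest_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """request-digest per RFC 2617 3.2.2.1, with or without qop."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify(stored_ha1: str, method: str, params: dict) -> bool:
    """Proxy-side check of an already parsed Proxy-Authorization: Digest header.
    `params` maps the Digest field names to their values (layout assumed here).
    The 'algorithm' field selects MD5 (default) or MD5-sess."""
    ha1 = stored_ha1
    if params.get("algorithm", "MD5").upper() == "MD5-SESS":
        ha1 = h_a1_sess(stored_ha1, params["nonce"], params["cnonce"])
    expected = digest_response(ha1, method, params["uri"], params["nonce"],
                               params.get("qop"), params.get("nc"),
                               params.get("cnonce"))
    # constant-time comparison so response checking does not leak timing
    return hmac.compare_digest(expected, params["response"])


# Constructed from the worked example in RFC 2617 section 3.5.
RFC_EXAMPLE = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "uri": "/dir/index.html",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    stored = h_a1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print(verify(stored, "GET", RFC_EXAMPLE))  # True
```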
