search

bclzvs / serf

Automatically exported from code.google.com/p/serf
0 stars 0 forks source link

Endless loop with ssl tunnel over proxy with KeepAlive off and Negotiate #119

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. Setup a proxy server with Negotiate-Kerberos, and KeepAlive Off.
2. Use serf_get to connect to a https server through your proxy

What is the expected output? What do you see instead?
Serf_get hangs in an endless loop, opening new connections and always retrying 
the same Negotiate handshake.

The issue is reported on the serf mailing list here:
https://groups.google.com/d/msg/serf-dev/sFg3bv-cgi4/Q8xOkj_RAOcJ

This was tested with serf trunk@2115.

Original issue reported on code.google.com by lieven.govaerts@gmail.com on 9 Aug 2013 at 3:57

GoogleCodeExporter commented 9 years ago 
The actual apache config to reproduce this issue:

<VirtualHost *:8080>
  ServerName "lgo-ubuntu1"
  MaxKeepAliveRequests 100
  ProxyRequests On
  ProxyVia On

  KeepAlive Off

  <Proxy *>
     Order deny,allow
     Deny from all
     Allow from all

    Require valid-user
    AuthType Kerberos
    KrbAuthoritative On
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbServiceName HTTP/lgo-ubuntu1.dev
    KrbAuthRealm DEV
    Krb5Keytab "/etc/apache2/auth/apache2.keytab"
</Proxy>

</VirtualHost>

Original comment by lieven.govaerts@gmail.com on 9 Aug 2013 at 4:07

GoogleCodeExporter commented 9 years ago 
This issue should be fixed by r2282. 
When authentication against a Proxy using Negotiate (and in principle also NTLM 
on Windows), the authentication handshake should now work even when the proxy 
doesn't keep the connection alive after a 407 response.

Confirmation before I close this issue is welcome.
L.

Original comment by lieven.govaerts@gmail.com on 29 Jan 2014 at 10:22

GoogleCodeExporter commented 9 years ago 
serf_get now crashes with a segfault:

gdb output:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 28804300 (LWP 100543/serf_get)]
0x28086053 in serf__setup_request_spnego_auth (peer=HOST, code=0, 
conn=0x28880018,
    request=0x2881a320, method=0x804b74e "GET", uri=0x28817a58 "/manager/html", hdrs_bkt=0x28820120)
    at auth/auth_spnego.c:471
471         switch (gss_info->pstate) {

(gdb) where
#0  0x28086053 in serf__setup_request_spnego_auth (peer=HOST, code=0, 
conn=0x28880018,
    request=0x2881a320, method=0x804b74e "GET", uri=0x28817a58 "/manager/html", hdrs_bkt=0x28820120)
    at auth/auth_spnego.c:471
#1  0x28077f69 in serf_request_bucket_request_create (request=0x2881a320, 
method=0x804b74e "GET",
    uri=0x28817a58 "/manager/html", body=0x0, allocator=0x28824058) at outgoing.c:1774
#2  0x0804a2ca in setup_request (request=0x2881a320, setup_baton=0xbfbfd930, 
req_bkt=0x2881a32c,
    acceptor=0x2881a338, acceptor_baton=0x2881a33c, handler=0x2881a340, handler_baton=0x2881a344,
    pool=0x28824018) at test/serf_get.c:313
#3  0x28076847 in setup_request (request=0x2881a320) at outgoing.c:748
#4  0x280769ff in write_to_connection (conn=0x28880018) at outgoing.c:843
#5  0x28077419 in serf__process_connection (conn=0x28880018, events=4) at 
outgoing.c:1363
#6  0x28074561 in serf_event_trigger (s=0x28816130, serf_baton=0x28880020, 
desc=0x28816490)
    at context.c:233
#7  0x280746fc in serf_context_run (ctx=0x28816130, duration=2000000000, 
pool=0x28816018)
    at context.c:307
#8  0x0804b070 in main (argc=2, argv=0xbfbfda3c) at test/serf_get.c:761

Original comment by 1983-01...@gmx.net on 30 Jan 2014 at 8:43

GoogleCodeExporter commented 9 years ago 
Rolling back to 2281 make the crash go away. (Test have been made with Heimdal 
on FreeBSD 9.2).

Original comment by 1983-01...@gmx.net on 30 Jan 2014 at 8:46

GoogleCodeExporter commented 9 years ago 
This is Negotiate authentication to the server, which I modified but didn't 
test yet. 
Strictly speaking this crash is good news, because it means Negotiate 
authentication to the proxy succeeded. :)

I'll test & fix this tonight.

Original comment by lieven.govaerts@gmail.com on 30 Jan 2014 at 10:59

GoogleCodeExporter commented 9 years ago 
r2284 should resolve this crash

Original comment by lieven.govaerts@gmail.com on 30 Jan 2014 at 7:55

GoogleCodeExporter commented 9 years ago 
I have made following tests with serf_get:

1. HTTP + SPNEGO on intranet: works as expected
2. HTTPS + SPNEGO on intranet: works as expected
3. HTTP + proxy with SPNEGO to google.de: works as expected
4. HTTPS + proxy with SPNEGO to google.de: works as expected (finally!)

Issue has been resolved.

Any chances that this will land as next-version-dependency of subversion.

Original comment by 1983-01...@gmx.net on 31 Jan 2014 at 9:00

GoogleCodeExporter commented 9 years ago 
Cool, thanks for the feedback!

This can be back ported to 1.3.x, so I'll try to include this in an upcoming 
release before the next svn release.

Original comment by lieven.govaerts@gmail.com on 31 Jan 2014 at 12:53

GoogleCodeExporter commented 9 years ago 
This fix will be included in serf 1.3.4 later this week.
Lieven

Original comment by lieven.govaerts@gmail.com on 4 Feb 2014 at 8:13

GoogleCodeExporter commented 9 years ago 
Great, I will double-check this for the 1.3.x branch.

Original comment by 1983-01...@gmx.net on 5 Feb 2014 at 8:56