Re: [squid-users] Bugs in IE digest proxy auth

From: Joshua Goodall <joshua@dont-contact.us>
Date: Sat, 28 May 2005 12:53:44 +1000

Hi Henrik,

On Fri, May 27, 2005 at 10:27:50AM +0200, Henrik Nordstrom wrote:
> Related question: What was the request-URI on the request line sent by IE
> in the above? Was this escaped properly or was it using an unescaped quote
> there as well?

The request-URI was similarly unescaped.

> Uncertain. Nonce reuse is quite dependent on the client having support for
> this. It may obviously be the case that IE does have support for nonce reuse
> but for some reason refuses to do so with Squid, but it's very hard to know
> outside Microsoft.

I wondered if there was some embrace-and-extend going on with
Digest auth, but I've reproduced all of these bugs using ISA Server
2004 as well. Ethereal shows that it's all the same on the wire
except for ISA using md5-sess.

> The only thing I can think of is to make sure there is persistent
> connections enabled. I could imagine that nonce reuse may be related to
> connection reuse in some clients.

I have an experimental hack that turns digest auth into a per-connection
authentication, a la NTLM. This cuts down on the excess 407 traffic.

> >This ACL effectively downgrades the user to using basic proxy auth
> >if using basic www auth.
>
> Interesting. So this worked around the problem for you?

Kind of. The user sees the following:

1. User browses web normally with Digest proxy auth
2. User visits a site requiring 401 www-authentication
3. User is challenged and enters their 401 credentials
4. User is then re-challenged to enter their Basic proxy credentials
5. User then continues browsing, but for the remainder of that
   session IE is using basic proxy authentication for all requests.

It's not an acceptable solution, because the password is now in the clear.
Oddly, it doesn't happen with SSL. I'll work through this with MS.

Notwithstanding the issues above, I have a six-figure userbase using
Digest proxy auth successfully for >1200 requests/sec. At some
point I'll seek authorisation to release our workarounds under the GPL.

Joshua.

-- 
Joshua Goodall                           "as modern as tomorrow afternoon"
joshua@roughtrade.net                                       - FW109
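Two things in this exchange are easy to check mechanically on the proxy side: whether a Digest Proxy-Authorization header is well-formed (Henrik's question about unescaped quotes) and whether a client that was authenticating with Digest has silently dropped to Basic for the rest of the session (the five-step downgrade Joshua describes, which puts the password on the wire in the clear). The following is an added example written for this page; it is not code from Joshua, from Squid or from ISA Server. It implements a strict RFC 2617 auth-param parser and a per-session downgrade check. Every header value in it is a constructed sample (the username, nonce, URI and response digest are placeholders, not captures), and the function names are the example's own.

```python
"""Added example (not from the thread): strict Digest auth-param parsing
plus a per-session Digest -> Basic downgrade check. All header values are
constructed samples, not captured traffic."""
import base64
import re
from typing import Dict, List, Optional, Tuple

# One auth-param: token "=" ( quoted-string | token ), followed by "," or end.
# A quoted-string may contain backslash-escaped characters but never a bare
# quote, so an unescaped quote inside a value fails to match (RFC 2617 / 2616).
_PARAM = re.compile(
    r'\s*([A-Za-z0-9_.-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^",\s]+))\s*(?:,|$)'
)


def parse_digest_params(value: str) -> Dict[str, str]:
    """Parse the parameter list that follows 'Digest '.

    Raises ValueError when the list is malformed, for example when a
    quoted-string contains an unescaped quote as the IE headers above did."""
    params: Dict[str, str] = {}
    pos = 0
    while pos < len(value):
        m = _PARAM.match(value, pos)
        if not m:
            raise ValueError(
                f"malformed auth-param at offset {pos}: {value[pos:pos + 20]!r}")
        key, quoted, token = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            # Undo quoted-pair escaping: \" -> " and \\ -> \
            params[key.lower()] = re.sub(r'\\(.)', r'\1', quoted)
        else:
            params[key.lower()] = token
        pos = m.end()
    return params


def classify(header: Optional[str]) -> Tuple[str, dict]:
    """Classify one Proxy-Authorization value.

    Returns (scheme, details) where scheme is 'digest', 'basic', 'malformed'
    or 'none'. For Basic only the username is returned; the point of the
    password_exposed flag is that the password is trivially recoverable by
    anyone who sees the header."""
    if not header:
        return "none", {}
    scheme, _, rest = header.partition(" ")
    scheme = scheme.lower()
    if scheme == "digest":
        try:
            return "digest", parse_digest_params(rest)
        except ValueError as exc:
            return "malformed", {"error": str(exc)}
    if scheme == "basic":
        try:
            decoded = base64.b64decode(rest.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return "malformed", {"error": "bad base64 in Basic credentials"}
        user, _, _password = decoded.partition(":")
        return "basic", {"username": user, "password_exposed": True}
    return scheme, {}


def find_downgrade(session_headers: List[Optional[str]]) -> Optional[int]:
    """Given the Proxy-Authorization values seen on one client session, in
    order, return the index of the first Basic header that follows a Digest
    header (the downgrade described in the email), or None if there is none."""
    seen_digest = False
    for i, header in enumerate(session_headers):
        scheme, _ = classify(header)
        if scheme == "digest":
            seen_digest = True
        elif scheme == "basic" and seen_digest:
            return i
    return None


# Constructed samples. GOOD_DIGEST escapes the inner quotes in the uri value
# as the RFC requires; IE_STYLE_DIGEST is the same header with bare quotes,
# which is the malformed form discussed in the thread. The response digest
# is a placeholder, not a real MD5.
GOOD_DIGEST = ('Digest username="alice", realm="proxy", nonce="abc123", '
               'uri="/search?q=\\"squid\\"", qop=auth, nc=00000001, '
               'cnonce="deadbeef", response="00000000000000000000000000000000"')
IE_STYLE_DIGEST = GOOD_DIGEST.replace('\\"', '"')
BASIC = "Basic " + base64.b64encode(b"alice:s3cret").decode()

# Steps 1, 1, 3 (the 401 site, no proxy credentials), 4 and 5 from the email.
SESSION: List[Optional[str]] = [GOOD_DIGEST, GOOD_DIGEST, None, BASIC, BASIC]

if __name__ == "__main__":
    print(classify(GOOD_DIGEST))
    print(classify(IE_STYLE_DIGEST))
    print("downgrade at request index", find_downgrade(SESSION))
```

Run as a script it prints the parsed Digest parameters, the parse error for the IE-style header, and index 3 for the session, which is the first request after the 401 site where the client has switched to Basic. In a real deployment the session key would be the client connection (or the Digest username), and a non-None result is the event to alert on.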
Received on Fri May 27 2005 - 20:54:28 MDT