Opened 11 years ago

Closed 10 years ago

#172 closed Bug / Defect (fixed)

NTLM auth does not work with SQUID proxy server

Reported by: pmcenery Owned by: Gert Döring
Priority: major Milestone:
Component: Networking Version: OpenVPN 2.3.0 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: NTLM SQUID


NTLM authentication fails with SQUID proxy server. In the password file, I have tried both DOMAIN\username, and username on its own, but both produce the same result.

Attached is a log of the failure. I have version 2.2.0, but 2.2.1 does not appear to have any changes listed for any NTLM functionality.

Happy to provide any assistance. I can probably set up a server to test against if anyone wants to look at this issue seriously...

Attachments (2)

error.txt (3.9 KB) - added by pmcenery 11 years ago.
Log Output
6-ntlm-fix.patch (751 bytes) - added by cn 11 years ago.
patch to fix this issue

Download all attachments as: .zip

Change History (6)

Changed 11 years ago by pmcenery

Attachment: error.txt added

Log Output

comment:1 Changed 11 years ago by pmcenery

If you have to use a SQUID proxy server with NTLM, then I'd recommend that you use a dedicated proxy client which is known to work - such as Cntlm (

Changed 11 years ago by cn

Attachment: 6-ntlm-fix.patch added

patch to fix this issue

comment:2 Changed 11 years ago by cn


i also stumbled over this issue and found the bug:

The problem is located in the file proxy.c within "establish_http_proxy_passthru": To keep buffers small long base64-encoded NTLM-Strings are truncated.

But the truncating is done on a wrong place:
base 64 strings can be cut every 4 chars. the buffer is 128 bytes - including the terminating \0, so the usable data is only 127 bytes. And decoding a 127 char base64 string fails... this is why the ntlm authentication fails in certain cases (long strings)...

I've also attached a patch that resolves this issue.



comment:3 Changed 10 years ago by Gert Döring

Owner: set to Gert Döring
Status: newassigned

taking this. thanks for the patch, and sorry for stalling.

patch will go into 2.3.0 and master (-devel)

comment:4 Changed 10 years ago by Gert Döring

Resolution: fixed
Status: assignedclosed

fix committed to master and release/2.3

commit f8ac53b98ed2513f1d80363b6fd2351f1b4ae511 (master)
commit 55058d4f96dfec96e9f0cad7802a5eaaf9a3301f (release/2.3)

Note: See TracTickets for help on using tickets.