Opened 7 years ago

Last modified 5 years ago

#259 new Bug / Defect

received corrupted data from proxy server

Reported by: ccoager Owned by:
Priority: major Milestone: release 2.5
Component: Networking Version: OpenVPN 2.3.0 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: proxy ntlm
Cc: Gert Döring

Description

When attempting to connect through a ntlm proxy, the client error log shows "NTLM Proxy-Authorization phase 3 failed: received corrupted data from proxy server"

Wireshark shows "Malformed Packet (Exception occurred)" on the ntlmssp_negotiate packet.

Attachments (3)

config.ovpn (323 bytes) - added by ccoager 7 years ago.
config
client.log (3.3 KB) - added by ccoager 7 years ago.
client log
fix_ntlm.patch (3.1 KB) - added by MaxMuster 7 years ago.
All credits to forum user "stortoaranci"

Download all attachments as: .zip

Change History (16)

comment:1 Changed 7 years ago by ccoager

This thread seems to indicate this has been an issue since 2.1. There is also a proposed patch for version 2.1.

https://forums.openvpn.net/topic7945-15.html

Changed 7 years ago by ccoager

Attachment: config.ovpn added

config

Changed 7 years ago by ccoager

Attachment: client.log added

client log

comment:2 Changed 7 years ago by Gert Döring

Hi,

could you please test whether the patch in trac#172 fixes this for you? From the description, this seems to be a duplicate of #172, and the patch has been integrated into the git version on March 7.

gert

comment:3 Changed 7 years ago by Gert Döring

Cc: Gert Döring added

comment:4 Changed 7 years ago by Samuli Seppänen

Keywords: ntlm added

comment:5 Changed 7 years ago by MaxMuster

I tried to port the patch from the mentioned forum thread to 2.3.2 and (at least tried to) integrate the patch from #172.

Maybe you could give this a try?

Changed 7 years ago by MaxMuster

Attachment: fix_ntlm.patch added

All credits to forum user "stortoaranci"

comment:6 Changed 6 years ago by Gert Döring

Uh, an answer to my question "does the patch in trac #172 fix this" would actually help me more than a new patch - especially as the #172 patch is already in 2.3.1.

So I'm a bit confused about this. Is this still a problem with 2.3.1 and 2.3.2?

The patch from the forum seems to be more intrusive than "just fixing a corrupted packet" - it seems to add more functionality to the NTML stuff. We might take this for 2.4, but for a pure bugfix, it would need some more explanation what is going on.

comment:7 Changed 6 years ago by Samuli Seppänen

Priority: criticalmajor

Is this still a problem in 2.3.2 and/or latest Git "master"?

comment:8 Changed 6 years ago by Gert Döring

Yeah. Looked at this ticket again - some more explanation what the patch actually does would be good to judge whether we need this in 2.3.3, want this for 2.4, or not at all... (asked in the forum thread for an explanation as well)

Last edited 6 years ago by Gert Döring (previous) (diff)

comment:9 Changed 6 years ago by cathal

Hi,
the patch basically change the initial NTLM handshake message for proxy servers
from "TlRMTVNTUAABAAAAAgIAAA==" to "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="

This message contains flags which are important for the connection.
i did not create the patch, but i have tested it and it works for me because my company force me to use a proxy server with NTLM authentication for all outgoing traffic.

i know that the creator of the patch has taken the new string from Firefox but i can't explain the additional characters in the string.

He has a Italian explanation for the problem on his Website
http://www.morzello.com/index.php/openvpn-ntlm-e-quel-proxy-infame/


comment:10 Changed 6 years ago by stortoaranci

Hi,

the patch I wrote is for using a basic implementation of unicode required for my Microsoft ISA Server that allows ntlmv2 authentication only.
Actually it does not implements the "full unicode" stuff since it is not able to manage extended characters (ie: "ì","ç",...)

I do not know the policies of the software update that adopted for the new versions, but I can gladly lend a hand to improve the code currently written.
I wonder if i can take a look to the dump file of the connection between the client and the proxy in order to understand in detail the information that is exchanged in the NTLM protocol.

thank you very much.

comment:11 Changed 6 years ago by rolandu

@stortoaranci

would it be possible for you to build a new patched 2.3.4 64-bit for me, as i need to tunnel through an isa-proxy?

thank you very much

comment:12 Changed 5 years ago by simu

Hi all,
I'm also interested in a solution for NTLM auth.
How is this going forward?
thank you very much

comment:13 Changed 5 years ago by Samuli Seppänen

Milestone: release 2.5

Is the patch ready for inclusion in Git master branch? Of so, my Windows "buildslave" would produce installers with the new NTLM functionality in no time.

Note: See TracTickets for help on using tickets.