Opened 12 years ago
Closed 22 months ago
#259 closed Bug / Defect (wontfix)
NTLM proxy: received corrupted data from proxy server
Reported by: | ccoager | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | release 2.5.4 |
Component: | Networking | Version: | OpenVPN 2.3.0 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | proxy ntlm |
Cc: | Gert Döring |
Description
When attempting to connect through an NTLM proxy, the client error log shows "NTLM Proxy-Authorization phase 3 failed: received corrupted data from proxy server".
Wireshark shows "Malformed Packet (Exception occurred)" on the ntlmssp_negotiate packet.
Attachments (3)
Change History (20)
comment:1 Changed 12 years ago by
comment:2 Changed 12 years ago by
comment:3 Changed 12 years ago by
Cc: | Gert Döring added |
---|
comment:4 Changed 12 years ago by
Keywords: | ntlm added |
---|
comment:5 Changed 11 years ago by
I tried to port the patch from the mentioned forum thread to 2.3.2 and (at least tried to) integrate the patch from #172.
Maybe you could give this a try?
comment:6 Changed 11 years ago by
Uh, an answer to my question "does the patch in trac #172 fix this" would actually help me more than a new patch - especially as the #172 patch is already in 2.3.1.
So I'm a bit confused about this. Is this still a problem with 2.3.1 and 2.3.2?
The patch from the forum seems to be more intrusive than "just fixing a corrupted packet" - it seems to add more functionality to the NTLM stuff. We might take this for 2.4, but for a pure bugfix, it would need some more explanation of what is going on.
comment:7 Changed 11 years ago by
Priority: | critical → major |
---|
Is this still a problem in 2.3.2 and/or latest Git "master"?
comment:8 Changed 11 years ago by
Yeah. Looked at this ticket again - some more explanation of what the patch actually does would be good to judge whether we need this in 2.3.3, want this for 2.4, or not at all...
comment:9 Changed 11 years ago by
Hi,
The patch basically changes the initial NTLM handshake message for proxy servers
from "TlRMTVNTUAABAAAAAgIAAA==" to "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==".
This message contains flags which are important for the connection.
I did not create the patch, but I have tested it and it works for me, because my company forces me to use a proxy server with NTLM authentication for all outgoing traffic.
I know that the creator of the patch has taken the new string from Firefox, but I can't explain the additional characters in the string.
He has an Italian explanation for the problem on his website:
http://www.morzello.com/index.php/openvpn-ntlm-e-quel-proxy-infame/
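Added example (not part of the ticket, the comment above, or the patch): a small Python decoder for the two base64 NEGOTIATE messages quoted in comment:9, showing which flags and fields each one carries. The flag names follow the MS-NLMP specification; the function name `parse_negotiate` and the constant names are hypothetical.

```python
import base64
import struct

# The two Type 1 (NEGOTIATE) messages quoted in comment:9.
OLD_MSG = "TlRMTVNTUAABAAAAAgIAAA=="
NEW_MSG = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="

# NegotiateFlags bits as named in MS-NLMP (only those set in these messages).
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}

def parse_negotiate(b64):
    """Decode a base64 NTLM NEGOTIATE message into its fixed header fields."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 16 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError("not a NEGOTIATE (type 1) message")
    out = {
        "length": len(raw),
        "flags": flags,
        "flag_names": [name for bit, name in FLAGS.items() if flags & bit],
        "unknown_bits": flags & ~sum(FLAGS),
        # Domain/workstation security buffers occupy bytes 16..31; the short
        # message ends right after the flags and carries neither.
        "has_buffers": len(raw) >= 32,
        "version": None,
    }
    if flags & 0x02000000 and len(raw) >= 40:
        # Version block: major, minor, build (LE), 3 reserved bytes, NTLM revision.
        out["version"] = struct.unpack_from("<BBH3xB", raw, 32)
    return out

if __name__ == "__main__":
    for label, msg in (("old", OLD_MSG), ("new", NEW_MSG)):
        m = parse_negotiate(msg)
        print(label, m["length"], hex(m["flags"]), m["flag_names"], m["version"])
```

The old message is 16 bytes with only the OEM and NTLM flags set; the new one is a 40-byte message that additionally requests Unicode, extended session security, and 128/56-bit keys, and its trailing bytes are a version block.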
comment:10 Changed 11 years ago by
Hi,
The patch I wrote is for using a basic implementation of Unicode required for my Microsoft ISA Server that allows NTLMv2 authentication only.
Actually, it does not implement the "full Unicode" stuff, since it is not able to manage extended characters (i.e. "ì", "ç", ...).
I do not know the software update policies adopted for the new versions, but I can gladly lend a hand to improve the code currently written.
I wonder if I can take a look at the dump file of the connection between the client and the proxy in order to understand in detail the information that is exchanged in the NTLM protocol.
thank you very much.
comment:11 Changed 10 years ago by
@stortoaranci
Would it be possible for you to build a new patched 2.3.4 64-bit for me, as I need to tunnel through an ISA proxy?
thank you very much
comment:12 Changed 10 years ago by
Hi all,
I'm also interested in a solution for NTLM auth.
How is this going forward?
thank you very much
comment:13 Changed 9 years ago by
Milestone: | → release 2.5 |
---|
Is the patch ready for inclusion in Git master branch? If so, my Windows "buildslave" would produce installers with the new NTLM functionality in no time.
comment:14 Changed 4 years ago by
Summary: | received corrupted data from proxy server → NTLM proxy: received corrupted data from proxy server |
---|
So, what's the state here? Is this still a problem in 2.4.9 / git master?
If yes, can we have a patch for "master" please? ntlm.c was cleaned up quite a bit over the last years - no functional changes (so old bugs might still be there) but code cleanup.
comment:15 Changed 4 years ago by
Milestone: | release 2.5 → release 2.5.3 |
---|
comment:16 Changed 3 years ago by
Milestone: | release 2.5.3 → release 2.5.4 |
---|
comment:17 Changed 22 months ago by
Resolution: | → wontfix |
---|---|
Status: | new → closed |
I assume this is no longer a problem, and close the ticket.
If people are still using NTLM auth and need a patch to make OpenVPN behave, please reopen (or open a GH issue).
This thread seems to indicate this has been an issue since 2.1. There is also a proposed patch for version 2.1.
https://forums.openvpn.net/topic7945-15.html