Opened 11 years ago

Closed 16 months ago

#259 closed Bug / Defect (wontfix)

NTLM proxy: received corrupted data from proxy server

Reported by: ccoager Owned by:
Priority: major Milestone: release 2.5.4
Component: Networking Version: OpenVPN 2.3.0 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: proxy ntlm
Cc: Gert Döring

Description

When attempting to connect through a ntlm proxy, the client error log shows "NTLM Proxy-Authorization phase 3 failed: received corrupted data from proxy server"

Wireshark shows "Malformed Packet (Exception occurred)" on the ntlmssp_negotiate packet.

Attachments (3)

config.ovpn (323 bytes) - added by ccoager 11 years ago.
config
client.log (3.3 KB) - added by ccoager 11 years ago.
client log
fix_ntlm.patch (3.1 KB) - added by MaxMuster 11 years ago.
All credits to forum user "stortoaranci"

Download all attachments as: .zip

Change History (20)

comment:1 Changed 11 years ago by ccoager

This thread seems to indicate this has been an issue since 2.1. There is also a proposed patch for version 2.1.

https://forums.openvpn.net/topic7945-15.html

Changed 11 years ago by ccoager

Attachment: config.ovpn added

config

Changed 11 years ago by ccoager

Attachment: client.log added

client log

comment:2 Changed 11 years ago by Gert Döring

Hi,

could you please test whether the patch in trac#172 fixes this for you? From the description, this seems to be a duplicate of #172, and the patch has been integrated into the git version on March 7.

gert

comment:3 Changed 11 years ago by Gert Döring

Cc: Gert Döring added

comment:4 Changed 11 years ago by Samuli Seppänen

Keywords: ntlm added

comment:5 Changed 11 years ago by MaxMuster

I tried to port the patch from the mentioned forum thread to 2.3.2 and (at least tried to) integrate the patch from #172.

Maybe you could give this a try?

Changed 11 years ago by MaxMuster

Attachment: fix_ntlm.patch added

All credits to forum user "stortoaranci"

comment:6 Changed 11 years ago by Gert Döring

Uh, an answer to my question "does the patch in trac #172 fix this" would actually help me more than a new patch - especially as the #172 patch is already in 2.3.1.

So I'm a bit confused about this. Is this still a problem with 2.3.1 and 2.3.2?

The patch from the forum seems to be more intrusive than "just fixing a corrupted packet" - it seems to add more functionality to the NTML stuff. We might take this for 2.4, but for a pure bugfix, it would need some more explanation what is going on.

comment:7 Changed 10 years ago by Samuli Seppänen

Priority: criticalmajor

Is this still a problem in 2.3.2 and/or latest Git "master"?

comment:8 Changed 10 years ago by Gert Döring

Yeah. Looked at this ticket again - some more explanation what the patch actually does would be good to judge whether we need this in 2.3.3, want this for 2.4, or not at all... (asked in the forum thread for an explanation as well)

Last edited 10 years ago by Gert Döring (previous) (diff)

comment:9 Changed 10 years ago by cathal

Hi,
the patch basically change the initial NTLM handshake message for proxy servers
from "TlRMTVNTUAABAAAAAgIAAA==" to "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="

This message contains flags which are important for the connection.
i did not create the patch, but i have tested it and it works for me because my company force me to use a proxy server with NTLM authentication for all outgoing traffic.

i know that the creator of the patch has taken the new string from Firefox but i can't explain the additional characters in the string.

He has a Italian explanation for the problem on his Website
http://www.morzello.com/index.php/openvpn-ntlm-e-quel-proxy-infame/


comment:10 Changed 10 years ago by stortoaranci

Hi,

the patch I wrote is for using a basic implementation of unicode required for my Microsoft ISA Server that allows ntlmv2 authentication only.
Actually it does not implements the "full unicode" stuff since it is not able to manage extended characters (ie: "ì","ç",...)

I do not know the policies of the software update that adopted for the new versions, but I can gladly lend a hand to improve the code currently written.
I wonder if i can take a look to the dump file of the connection between the client and the proxy in order to understand in detail the information that is exchanged in the NTLM protocol.

thank you very much.

comment:11 Changed 10 years ago by rolandu

@stortoaranci

would it be possible for you to build a new patched 2.3.4 64-bit for me, as i need to tunnel through an isa-proxy?

thank you very much

comment:12 Changed 10 years ago by simu

Hi all,
I'm also interested in a solution for NTLM auth.
How is this going forward?
thank you very much

comment:13 Changed 9 years ago by Samuli Seppänen

Milestone: release 2.5

Is the patch ready for inclusion in Git master branch? Of so, my Windows "buildslave" would produce installers with the new NTLM functionality in no time.

comment:14 Changed 4 years ago by Gert Döring

Summary: received corrupted data from proxy serverNTLM proxy: received corrupted data from proxy server

So, what's the state here? Is this still a problem in 2.4.9 / git master?

If yes, can we have a patch for "master" please? ntlm.c was cleaned up quite a bit over the last years - no functional changes (so old bugs might still be there) but code cleanup.

comment:15 Changed 3 years ago by Gert Döring

Milestone: release 2.5release 2.5.3

comment:16 Changed 3 years ago by Gert Döring

Milestone: release 2.5.3release 2.5.4

comment:17 Changed 16 months ago by Gert Döring

Resolution: wontfix
Status: newclosed

I assume this is no longer a problem, and close the ticket.

If people are still using NTLM auth and need a patch to make OpenVPN behave, please reopen (or open a GH issue).

Note: See TracTickets for help on using tickets.