Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
4.5.3
-
None
-
None
-
Client: Windows 8.1, Proxy: Squid 3.5.20 on Centos 7.0
Description
We have a test setup using Squid 3.5.20 as an authenticating proxy configured with NEGOTIATE+NTLM. When attempting to connect to a target host we get the following traceback:
java.lang.RuntimeException: Unexpected token
at org.apache.http.impl.auth.win.WindowsNegotiateScheme.parseChallenge(WindowsNegotiateScheme.java:152)
at org.apache.http.impl.auth.AuthSchemeBase.processChallenge(AuthSchemeBase.java:126)
at org.apache.http.impl.auth.HttpAuthenticator.handleAuthChallenge(HttpAuthenticator.java:137)
at org.apache.http.impl.execchain.MainClientExec.needAuthentication(MainClientExec.java:579)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:293)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
...
I've tracked this down to WindowsNegotiateScheme using the SPN HTTP/<target host name> to authenticate with the proxy rather than the SPN HTTP/<proxy host name>.
Applying https://github.com/apache/httpclient/pull/28 fixes the problem.
The request is from early 2015 and doesn't seem to have been applied due to a pending rewrite, however the bug still exists at 4.5.3.