RE: NTLM question

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Tue, 21 Aug 2001 09:11:27 +0200

> "Chemolli Francesco (USI)" wrote:
>
> > This emerged when Robert and I were attempting to perform
> > upstream connection pinning to work around the deficiencies of
> > MS's protocol.
> > This does NOT depend on Squid. MSIE performs the same when using
> > MS's own Proxy product.
> >
> > Solution? Bitch with the site webmaster or provide workarounds via
> > proxy.pac.
>
> Ok. So let's drop the idea of pinning as the usefulness of it will go
> away by time. But we still have the problem of a web site with NTLM enabled
> and older IE browsers or transparent proxies. Here it would be helpful if
> Squid at least filtered out NTLM from the offered schemes before replying
> to the client as Squid cannot proxy the NTLM authentication if attempted.

Or, Squid could act as an NTLM client, performing an ntlm-to-basic
translation... there is a smallish Python proxy doing that.

> We have two options for webserver NTLM auth:
>
> a) Connection pinning
>
> b) Filter out the NTLM scheme before replying to client
>
> I think one of the two should be implemented.

Both could be, actually. Suggested algo:

1) If both Basic and NTLM are offered, leave all through, AND implement
connection pinning.
2) If only NTLM is offered, also offer Basic, and perform basic-to-ntlm
translation.

I think it would be biggish and dirty work, but it could be
helpful for all non-Windows users to access crappy MS sites.

Of course, it remains to be seen what happens when Win2k usage becomes
widespread. As always with MS, it's like trying to hit a moving target.

-- 
	/kinkie
Received on Tue Aug 21 2001 - 08:14:14 MDT
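
The handling discussed in the message above (option b, and the two-step algorithm), written out as an added Python example; it is not part of the original post and is not Squid code. The names `AuthPlan`, `plan_for_401` and the realm string are hypothetical, and it assumes each challenge arrives as its own `WWW-Authenticate` header value.

```python
from dataclasses import dataclass

# Assumed realm for the Basic challenge the proxy adds itself (hypothetical).
ADDED_BASIC_REALM = "ntlm-gateway"


@dataclass
class AuthPlan:
    challenges: list               # WWW-Authenticate values relayed to the client
    pin_connection: bool = False   # tie the client connection to one upstream connection
    translate_basic: bool = False  # proxy speaks NTLM upstream for a Basic client


def scheme_of(challenge: str) -> str:
    """Lower-cased auth scheme: the first token of a challenge value.

    Works for a bare "NTLM" as well as "NTLM <base64 blob>".
    """
    parts = challenge.strip().split(None, 1)
    return parts[0].lower() if parts else ""


def plan_for_401(upstream_challenges, filter_only=False) -> AuthPlan:
    """Decide how a proxy relays the challenges of an upstream 401.

    filter_only=True  -> option (b): strip NTLM, change nothing else.
    filter_only=False -> the two-step algorithm suggested in the reply.
    """
    offered = list(upstream_challenges)
    schemes = {scheme_of(c) for c in offered}

    if "ntlm" not in schemes:
        return AuthPlan(offered)                      # nothing NTLM-specific to do

    if filter_only:
        kept = [c for c in offered if scheme_of(c) != "ntlm"]
        return AuthPlan(kept)

    if schemes == {"ntlm"}:
        # Step 2: only NTLM offered, so also offer Basic and translate upstream.
        added = f'Basic realm="{ADDED_BASIC_REALM}"'
        return AuthPlan(offered + [added], translate_basic=True)

    if "basic" in schemes:
        # Step 1: Basic and NTLM both offered, so pass all through and pin.
        return AuthPlan(offered, pin_connection=True)

    # NTLM next to some other non-Basic scheme: not covered by the thread,
    # so this sketch relays the challenges unchanged.
    return AuthPlan(offered)
```
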
