On Fri, 2003-07-11 at 12:03, mwestern@sola.com.au wrote:
> Hi Robert,
>
> >you can simply allow adobe based on a browser regex before your auth
> >triggering http_access lines.
>
> that's what i'm hoping to do to get around this problem. have you managed
> to do this? i've not experimented yet as i didn't know what adobe tells
> squid what browser it is. i'm going to tcpdump eventually and see if i can
> figure it out.
Yup. tcpdump -s 1500 -X port 8080 host <srcip you are testing from>
that should do it for you.
> >As far as the adobe tool working with plain, not when NTLM is enabled,
> >that smells like a bug - RFC 2617 specifies that user agents should
> >select the -best supported- auth scheme offered by the proxy - and as
> >you have plain enabled, adobe should select that and use it.
>
> just plain works with adobe. ntlm doesn't. and ntlm first and plain second
> doesn't. sad that.
Uhm 'plain'? I presume you are referring to 'basic' - there is no such
scheme as plain.
> i'm guessing that adobe is selecting the best supported one which is ntlm
> and failing because it doesn't like it. it's version 5 of pdf which isn't
> the latest (6 is out).
Thats the point - if it doesn't like NTLM, it shouldn't select it
according to the RFC. This is grounds for a bug report to the vendor -
adobe- IMO. I was giving you the description, to help you make the case
to them :}.
Anecdotally MSIE has(perhaps had - I haven't tested for a while) a bug
that it always chooses the first offered scheme, even if it is less
secure than others in the list.
Rob
-- GPG key available at: <http://members.aardvark.net.au/lifeless/keys.txt>.
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:56 MST