Re: [squid-users] Bugs in IE digest proxy auth

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 1 Jun 2005 07:27:55 +0200 (CEST)

On Sat, 28 May 2005, Joshua Goodall wrote:

> I wondered if there was some embrace-and-extended going on with
> Digest auth, but I've reproduced all of these bugs using ISA Server
> 2004 as well. Ethereal shows that it's all the same on the wire
> except for ISA using md5-sess.

Yes.. some day we need to reverse engineer how ISA Server gets the Digest
MD5-sess H(A1) from AD, allowing Squid to integrate similarly.

>> The only thing I can think of is to make sure there is persistent
>> connections enabled. I could imagine that nonce reuse may be related to
>> connection reuse in some clients.
>
> I have an experimental hack that turns digest auth into a per-connection
> authentication, a la NTLM. This cuts down on the excess 407 traffic.

Generally works, but you will run into trouble if there are child proxies
on your network. If there are, you risk getting requests assigned to the
wrong user simply because the child proxy reused a persistent, previously
"authenticated" connection.

> 1. User browses web normally with Digest proxy auth
> 2. User visits a site requiring 401 www-authentication
> 3. User is challenged and enters their 401 credentials
> 4. User is then re-challenged to enter their Basic proxy credentials
> 5. User then continues browsing, but for the remainder of that
> session IE is using basic proxy authentication for all requests.

Right.. the browser then sticks to always sending Basic so there is never
a Digest challenge sent by Squid for the rest of this session..

> It's not an acceptable solution, because the password is now in the clear.
> Oddly, it doesn't happen with SSL. I'll work through this with MS.

MSIE has already had (and still has) its fair share of authentication
issues for the CONNECT method, so it is not odd that things act differently for
CONNECT than for the other methods.

> Notwithstanding the issues above, I have a six-figure userbase using
> Digest proxy auth successfully for >1200 requests/sec.

Nice, nice indeed!

> At some point I'll seek authorisation to release our workarounds under
> the GPL.

Looking forward to see your contributions.

Regards
Henrik
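The connection-reuse risk Henrik describes above, together with the MD5 versus MD5-sess H(A1) computation mentioned earlier in the thread, modelled as an added example (not code from the thread or from Squid). The realm, nonce, user table and the two proxy policies are constructed for illustration.

```python
import hashlib

REALM, NONCE = "proxy", "0123456789abcdef"   # constructed realm and server nonce
# Constructed user table, held the way a Squid digest helper would: user -> H(A1)
PASSWORDS = {"alice": "alice-pw", "bob": "bob-pw"}
HA1 = {u: hashlib.md5(f"{u}:{REALM}:{p}".encode()).hexdigest() for u, p in PASSWORDS.items()}

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def make_creds(user, password, method, uri, algorithm="MD5", nc="00000001", cnonce="c0ffee"):
    """Proxy-Authorization fields a client sends (RFC 2617 Digest, qop=auth).
    MD5-sess, which the thread notes ISA Server uses, folds nonce and cnonce into H(A1)."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    if algorithm == "MD5-sess":
        ha1 = md5hex(f"{ha1}:{NONCE}:{cnonce}")
    ha2 = md5hex(f"{method}:{uri}")
    response = md5hex(f"{ha1}:{NONCE}:{nc}:{cnonce}:auth:{ha2}")
    return dict(username=user, nonce=NONCE, nc=nc, cnonce=cnonce,
                algorithm=algorithm, response=response)

def verify(creds, method, uri):
    """Server side: recompute the response from the stored H(A1); returns username or None."""
    ha1 = HA1.get(creds["username"])
    if ha1 is None or creds["nonce"] != NONCE:
        return None
    if creds["algorithm"] == "MD5-sess":
        ha1 = md5hex(f"{ha1}:{NONCE}:{creds['cnonce']}")
    ha2 = md5hex(f"{method}:{uri}")
    expected = md5hex(f"{ha1}:{NONCE}:{creds['nc']}:{creds['cnonce']}:auth:{ha2}")
    return creds["username"] if expected == creds["response"] else None

def per_request_proxy(conn_state, conn_id, method, uri, creds):
    """Stock Digest: every request is judged on its own Proxy-Authorization header."""
    return verify(creds, method, uri) if creds else None

def per_connection_proxy(conn_state, conn_id, method, uri, creds):
    """The per-connection hack: the first valid Digest binds a user to the TCP connection."""
    if creds and (user := verify(creds, method, uri)):
        conn_state[conn_id] = user
    return conn_state.get(conn_id)

def child_proxy_scenario(proxy, algorithm="MD5"):
    """A child proxy forwards alice's authenticated request, then bob's unauthenticated
    one, over the same persistent upstream connection; returns who each was attributed to."""
    conn_state = {}
    uri_a, uri_b = "http://a.example/", "http://b.example/"
    alice = proxy(conn_state, "upstream-conn-1", "GET", uri_a,
                  make_creds("alice", PASSWORDS["alice"], "GET", uri_a, algorithm))
    bob = proxy(conn_state, "upstream-conn-1", "GET", uri_b, None)
    return alice, bob
```

With per-request checking bob's request draws a 407 (attributed to nobody); with the per-connection policy it is silently attributed to alice, which is exactly the misassignment to watch for behind a child proxy.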
Received on Tue May 31 2005 - 23:27:57 MDT
