[squid-users] Negotiate bug in squidclient ?

Victor Sudakov sudakov at sibptus.tomsk.ru
Sat Oct 18 12:16:55 UTC 2014


This time I tried squidclient to check Kerberos authentication. I am
afraid there is a bug in squidclient where the "Proxy-Authorization:"
header (the Negotiate token) is being sent truncated, and the server
reacts with the 'gss_accept_sec_context() failed:  A token was
invalid.' error.

Here is what I run:

./squidclient -v -h proxy.sibptus.transneft.ru -p 3131 -n http://ya.ru

and what is being sent to the server:

=====================

Request:'GET http://ya.ru HTTP/1.0
Host: ya.ru
User-Agent: squidclient/3.4.8
Accept: */*
Proxy-Authorization: Negotiate YIIGDQYGKwYBBQUCoIIGATCCBf2gDTALBgkqhkiG9xIBAgKiggXqBIIF5mCCBeIGCSqGSIb3EgECAgEAboIF0TCCBc2gAwIBBaEDAgEOogcDBQAAAAAAo4IEtGGCBLAwggSsoAMCAQWhFhsUU0lCUFRVUy5UUkFOU05FRlQuUlWiLTAroAMCAQGhJDAiGwRIVFRQGxpwcm94eS5zaWJwdHVzLnRyYW5zbmVmdC5ydaOCBFwwggRYoAMCAReiggRPBIIES8Tjx9IM4sRh+fXqnEEslV/wXuEqv1o5fA9k9QYfpd1Wwhll7ZDKEsDrGPKp57ylsm7X9l5ODhONBlkGwd24vngmmlgQ3Frxn8csh2+QgxeQZqhiV2QgdT/MVU3Khjae4jklS/F5yFxdd4DO0UrqRu7iaXLsgRf4h/4p/kxkTlQAtn+u5H8Nm50M670pdHU5s5GWAIKFY+v/oq6k8OdmU/COaXn5qkU2UtTPj51i24/Vi8aI7qb+KnvpmEOktMZ/+lhbjerZut6jQYXX7rZ6K/uBAGbI8wBLPjymv8yyd9bE3THTOuykcI+l/lEi3uyPP9ievHYnvlT9c1TSvuTRCJOFpRZ2WM1MPifu7GJ6RYkReHoyhQC+uCXcOaWsCn22uWBYNvVsUWCFEPAkId40k5y7w6IThtoDLC6+3NYtWJgl+LhXbiRNMl25H+4nDyNhm8eg2XC46WPJQ/4ljBfD/GoAJz6I2hWD+5Pvc1zGQQcS1w9vTXuDoWqkDeCQKFhfIWASY7H9w0v1IePRbGx+o8FJZuVtTU/8DKDJJ0x3FVxaMjKwrZk08jsDtxFpk+pdWOH9li+WPjXG5d1TL9tntrt6gsnl89i4hjuCfIL3hpfLN//QE41e+pbVGgyEOQk06mYetn6juKStlslQSPk8wXMr2J40Avmgzv9fFSZ5IdH9uyFbau0Q6Hf4Y6BVNKkT8qDxVjmakCDz8xl93k6HLcDUdt98Connection: close

'
Resolving... proxy.sibptus.transneft.ru
Connecting... proxy.sibptus.transneft.ru(10.14.140.9)
Connected to: proxy.sibptus.transneft.ru (10.14.140.9)
Sending HTTP request ... done.
HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.4.8
=====================

Wireshark reports "SPNEGO-KRB5 truncated" in this packet (though the
capture size was set to "unlimited"), and squid's helper reacts with
'A token was invalid.'

Could someone reproduce?

Attached please find how it looks in Wireshark (note the "Connection:"
header glued to the end of the truncated Negotiate token).


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
-------------- next part --------------
GET http://ya.ru HTTP/1.0
Host: ya.ru
User-Agent: squidclient/3.4.8
Accept: */*
Proxy-Authorization: Negotiate YIIGDQYGKwYBBQUCoIIGATCCBf2gDTALBgkqhkiG9xIBAgKiggXqBIIF5mCCBeIGCSqGSIb3EgECAgEAboIF0TCCBc2gAwIBBaEDAgEOogcDBQAAAAAAo4IEtGGCBLAwggSsoAMCAQWhFhsUU0lCUFRVUy5UUkFOU05FRlQuUlWiLTAroAMCAQGhJDAiGwRIVFRQGxpwcm94eS5zaWJwdHVzLnRyYW5zbmVmdC5ydaOCBFwwggRYoAMCAReiggRPBIIES8Tjx9IM4sRh+fXqnEEslV/wXuEqv1o5fA9k9QYfpd1Wwhll7ZDKEsDrGPKp57ylsm7X9l5ODhONBlkGwd24vngmmlgQ3Frxn8csh2+QgxeQZqhiV2QgdT/MVU3Khjae4jklS/F5yFxdd4DO0UrqRu7iaXLsgRf4h/4p/kxkTlQAtn+u5H8Nm50M670pdHU5s5GWAIKFY+v/oq6k8OdmU/COaXn5qkU2UtTPj51i24/Vi8aI7qb+KnvpmEOktMZ/+lhbjerZut6jQYXX7rZ6K/uBAGbI8wBLPjymv8yyd9bE3THTOuykcI+l/lEi3uyPP9ievHYnvlT9c1TSvuTRCJOFpRZ2WM1MPifu7GJ6RYkReHoyhQC+uCXcOaWsCn22uWBYNvVsUWCFEPAkId40k5y7w6IThtoDLC6+3NYtWJgl+LhXbiRNMl25H+4nDyNhm8eg2XC46WPJQ/4ljBfD/GoAJz6I2hWD+5Pvc1zGQQcS1w9vTXuDoWqkDeCQKFhfIWASY7H9w0v1IePRbGx+o8FJZuVtTU/8DKDJJ0x3FVxaMjKwrZk08jsDtxFpk+pdWOH9li+WPjXG5d1TL9tntrt6gsnl89i4hjuCfIL3hpfLN//QE41e+pbVGgyEOQk06mYetn6juKStlslQSPk8wXMr2J40Avmgzv9fFSZ5IdH9uyFbau0Q6Hf4Y6BVNKkT8qDxVjmakCDz8xl93k6HLcDUdt98Connection: close

HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.4.8
Mime-Version: 1.0
Date: Sat, 18 Oct 2014 11:56:09 GMT
Content-Type: text/html
Content-Length: 4231
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: Negotiate
X-Cache: MISS from proxy.sibptus.transneft.ru
X-Cache-Lookup: NONE from proxy.sibptus.transneft.ru:3131
Via: 1.1 proxy.sibptus.transneft.ru (squid/3.4.8)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: Cache Access Denied</title>
<style type="text/css"><!-- 
 /*
 Stylesheet for Squid Error pages
 Adapted from design by Free CSS Templates
 http://www.freecsstemplates.org
 Released for free under a Creative Commons Attribution 2.5 License
*/

/* Page basics */
* {
	font-family: verdana, sans-serif;
}

html body {
	margin: 0;
	padding: 0;
	background: #efefef;
	font-size: 12px;
	color: #1e1e1e;
}

/* Page displayed title area */
#titles {
	margin-left: 15px;
	padding: 10px;
	padding-left: 100px;
	background: url('http://www.squid-cache.org/Artwork/SN.png') no-repeat left;
}

/* initial title */
#titles h1 {
	color: #000000;
}
#titles h2 {
	color: #000000;
}

/* special event: FTP success page titles */
#titles ftpsuccess {
	background-color:#00ff00;
	width:100%;
}

/* Page displayed body content area */
#content {
	padding: 10px;
	background: #ffffff;
}

/* General text */
p {
}

/* error brief description */
#error p {
}

/* some data which may have caused the problem */
#data {
}

/* the error message received from the system or other software */
#sysmsg {
}

pre {
    font-family:sans-serif;
}

/* special event: FTP / Gopher directory listing */
#dirmsg {
    font-family: courier;
    color: black;
    font-size: 10pt;
}
#dirlisting {
    margin-left: 2%;
    margin-right: 2%;
}
#dirlisting tr.entry td.icon,td.filename,td.size,td.date {
    border-bottom: groove;
}
#dirlisting td.size {
    width: 50px;
    text-align: right;
    padding-right: 5px;
}

/* horizontal lines */
hr {
	margin: 0;
}

/* page displayed footer area */
#footer {
	font-size: 9px;
	padding-left: 10px;
}


body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
 --></style>
</head><body id=ERR_CACHE_ACCESS_DENIED>
<div id="titles">
<h1>ERROR</h1>
<h2>Cache Access Denied.</h2>
</div>
<hr>

<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="http://ya.ru/">http://ya.ru/</a></p>

<blockquote id="error">
<p><b>Cache Access Denied.</b></p>
</blockquote>

<p>Sorry, you are not currently allowed to request http://ya.ru/ from this cache until you have authenticated yourself.</p>

<p>Please contact the <a href="mailto:noc at sibptus.ru?subject=CacheErrorInfo%20-%20ERR_CACHE_ACCESS_DENIED&body=CacheHost%3A%20proxy.sibptus.transneft.ru%0D%0AErrPage%3A%20ERR_CACHE_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Sat,%2018%20Oct%202014%2011%3A56%3A09%20GMT%0D%0A%0D%0AClientIP%3A%2010.14.140.125%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2F%20HTTP%2F1.0%0AHost%3A%20ya.ru%0D%0AUser-Agent%3A%20squidclient%2F3.4.8%0D%0AAccept%3A%20*%2F*%0D%0AProxy-Authorization%3A%20Negotiate%20YIIGDQYGKwYBBQUCoIIGATCCBf2gDTALBgkqhkiG9xIBAgKiggXqBIIF5mCCBeIGCSqGSIb3EgECAgEAboIF0TCCBc2gAwIBBaEDAgEOogcDBQAAAAAAo4IEtGGCBLAwggSsoAMCAQWhFhsUU0lCUFRVUy5UUkFOU05FRlQuUlWiLTAroAMCAQGhJDAiGwRIVFRQGxpwcm94eS5zaWJwdHVzLnRyYW5zbmVmdC5ydaOCBFwwggRYoAMCAReiggRPBIIES8Tjx9IM4sRh+fXqnEEslV%2FwXuEqv1o5fA9k9QYfpd1Wwhll7ZDKEsDrGPKp57ylsm7X9l5ODhONBlkGwd24vngmmlgQ3Frxn8csh2+QgxeQZqhiV2QgdT%2FMVU3Khjae4jklS%2FF5yFxdd4DO0UrqRu7iaXLsgRf4h%2F4p%2FkxkTlQAtn+u5H8Nm50M670pdHU5s5GWAIKFY+v%2Foq6k8OdmU%2FCOaXn5qkU2UtTPj51i24%2FVi8aI7qb+KnvpmEOktMZ%2F+lhbjerZut6jQYXX7rZ6K%2FuBAGbI8wBLPjymv8yyd9bE3THTOuykcI+l%2FlEi3uyPP9ievHYnvlT9c1TSvuTRCJOFpRZ2WM1MPifu7GJ6RYkReHoyhQC+uCXcOaWsCn22uWBYNvVsUWCFEPAkId40k5y7w6IThtoDLC6+3NYtWJgl+LhXbiRNMl25H+4nDyNhm8eg2XC46WPJQ%2F4ljBfD%2FGoAJz6I2hWD+5Pvc1zGQQcS1w9vTXuDoWqkDeCQKFhfIWASY7H9w0v1IePRbGx+o8FJZuVtTU%2F8DKDJJ0x3FVxaMjKwrZk08jsDtxFpk+pdWOH9li+WPjXG5d1TL9tntrt6gsnl89i4hjuCfIL3hpfLN%2F%2FQE41e+pbVGgyEOQk06mYetn6juKStlslQSPk8wXMr2J40Avmgzv9fFSZ5IdH9uyFbau0Q6Hf4Y6BVNKkT8qDxVjmakCDz8xl93k6HLcDUdt98Connection%3A%20close%0D%0A%0D%0A%0D%0A">cache administrator</a> if you have difficulties authenticating yourself.</p>

<br>
</div>

<hr> 
<div id="footer">
<p>Generated Sat, 18 Oct 2014 11:56:09 GMT by proxy.sibptus.transneft.ru (squid/3.4.8)</p>
<!-- ERR_CACHE_ACCESS_DENIED -->
</div>
</body></html>
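A framing check for the symptom described in this report, added here as an example (my code, not squid's or squidclient's). A Negotiate token is base64 of a DER blob whose first byte is the GSS-API tag 0x60 followed by a DER length, so the declared size can be compared with the bytes actually present without any Kerberos library. The token in the report begins with base64 "YIIGDQ", which decodes to the DER header 60 82 06 0D, i.e. it claims 1549 content bytes (1553 in total, about 2072 base64 characters); the constructed sample token below declares the same size, and its truncated and glued variants mirror the two things visible in the capture: a token cut short, and "Connection: close" following it with no CRLF. The function names, the sample token (an OID plus filler, not a real Kerberos blob) and the host example.test are my own.

```python
"""Framing checks for a Proxy-Authorization: Negotiate header (added example, not squid code)."""
import base64
import re

# longest run of base64 alphabet characters, optionally padded
B64_PREFIX = re.compile(r"[A-Za-z0-9+/]*={0,2}")


def der_declared_size(blob: bytes):
    """Total size (tag + length bytes + content) the DER TLV at blob[0] claims, or None."""
    if len(blob) < 2:
        return None
    first = blob[1]
    if first < 0x80:                      # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_negotiate_header(value: str) -> dict:
    """Report framing problems in a 'Negotiate <base64>' header value."""
    scheme, _, token = value.strip().partition(" ")
    report = {"scheme": scheme, "problems": []}
    if scheme.lower() != "negotiate":
        report["problems"].append("scheme is not Negotiate")
        return report
    b64 = B64_PREFIX.match(token).group(0)
    trailer = token[len(b64):]
    if trailer:
        # anything after the base64 run: in the report this is where ': close' shows up
        report["problems"].append(f"non-base64 data glued after token: {trailer[:20]!r}")
    if len(b64) % 4:
        report["problems"].append("base64 length is not a multiple of 4")
        b64 = b64.rstrip("=")
        b64 = b64[: len(b64) - len(b64) % 4]   # drop the partial final group
    blob = base64.b64decode(b64) if b64 else b""
    report["decoded_len"] = len(blob)
    if not blob or blob[0] != 0x60:
        report["problems"].append("token does not start with GSS-API tag 0x60")
        return report
    declared = der_declared_size(blob)
    report["declared_len"] = declared
    if declared is None:
        report["problems"].append("unparseable DER length")
    elif len(blob) < declared:
        report["problems"].append(f"truncated: {len(blob)} of {declared} bytes present")
    elif len(blob) > declared:
        report["problems"].append(f"{len(blob) - declared} extra bytes after the DER token")
    return report


def proxy_authorization_value(raw_request: str):
    """Pull the Proxy-Authorization value out of a raw HTTP request head (CRLF or LF)."""
    for line in raw_request.replace("\r\n", "\n").split("\n"):
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "proxy-authorization":
            return val.strip()
    return None


def build_sample_token(content_len: int) -> str:
    """Constructed stand-in for a GSS-API initial token: tag 0x60, two-byte DER
    length, the SPNEGO OID 1.3.6.1.5.5.2, then opaque filler (not real Kerberos data)."""
    content = bytes.fromhex("06062b0601050502") + bytes(range(256)) * (content_len // 256 + 1)
    content = content[:content_len]
    return base64.b64encode(b"\x60\x82" + len(content).to_bytes(2, "big") + content).decode("ascii")


# constructed samples: same declared size (1549 content bytes) as the token in the report
GOOD = "Negotiate " + build_sample_token(1549)
TRUNCATED = GOOD[: len(GOOD) * 2 // 3]
GLUED = TRUNCATED + "Connection: close"          # next header line with no CRLF before it
SAMPLE_REQUEST = (                                # constructed, shaped like the capture above
    "GET http://example.test/ HTTP/1.0\r\n"
    "Host: example.test\r\n"
    "Proxy-Authorization: " + GLUED + "\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, value in (("good", GOOD), ("truncated", TRUNCATED),
                         ("glued", proxy_authorization_value(SAMPLE_REQUEST))):
        print(label, check_negotiate_header(value))
```

The check only validates the outer framing; a token that passes it can still be rejected by gss_accept_sec_context() for cryptographic reasons. Its value is in separating "the bytes never arrived intact" (the case in this report) from "the bytes arrived but the KDC or keytab is wrong", which look identical from the helper's 'A token was invalid.' message.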

