PuTTY semi-bug msproxy-denied

Home | Licence | FAQ | Docs | Download | Keys | Links
Mirrors | Updates | Feedback | Changes | Wishlist | Team

summary: Connections through MS Proxy Server (HTTP) are spuriously denied
class: semi-bug: This might or might not be a bug, depending on your precise definition of what a bug is.
difficulty: fun: Just needs tuits, and not many of them.
priority: medium: This should be fixed one day.
present-in: 0.53b 2002-12-30
fixed-in: 2003-03-19 (0.54) (0.55) (0.56) (0.57) (0.58) (0.59) (0.60) (0.61) (0.62)

Original report (<007801c2b108$5ad5a200$33db8ad8@alexin.ca>): 


I believe I have found a bug in Win32 putty .53b. (found in Win2000,

also tested current dev binary).  I am connection to a NetBSD server 1.6

running OpenSSH 3.4 on port 443, but had the same problem on an OpenBSD

server with OpenSSH 3.4.



I am connecting through an authenticated Microsoft Proxy server v2 on

Windows 2000, using HTTP proxy services.





Using Putty, the connection conversation is: 



 CONNECT 216.138.219.54:443 HTTP/1.1

 Host: 216.138.219.54:443

 Proxy-Authorization: basic YW1leeljYXNcc3RldmVfYmFya2V5OmluZXNzMTA=



 HTTP/1.1 407 Proxy Access Denied

 Server: Microsoft-IIS/5.0

 Date: Tue, 31 Dec 2002 19:32:43 GMT

 Connection: close

 Proxy-Authenticate: Negotiate

 Proxy-Authenticate: NTLM

 Proxy-Authenticate: Basic realm="53.244.73.245"



And the connection fails with putty event log: 

"2002-12-31 14:48:08    Connecting to 216.138.219.54 port 443

2002-12-31 14:48:08     Proxy error: 407 Proxy Access Denied"





Using MindTerm 2.0 (an inferior java ssh client), the connection

conversation is:



 CONNECT 216.138.219.54:443 HTTP/1.0

 proxy-connection: Keep-Alive

 pragma: No-Cache

 user-agent: MindTerm/$Name:  $



 HTTP/1.1 407 Proxy Access Denied

 Server: Microsoft-IIS/5.0

 Date: Tue, 31 Dec 2002 19:33:05 GMT

 Proxy-Authenticate: Negotiate

 Proxy-Authenticate: NTLM

 Proxy-Authenticate: Basic realm="53.244.73.245"



----------- and then -----------



 CONNECT 216.138.219.54:443 HTTP/1.0

 proxy-authorization: Basic YW1leeljYXNcc3RldmVfYmFya2V5OmluZXNzMTA=



 proxy-connection: Keep-Alive

 pragma: No-Cache user-agent: MindTerm/$Name:  $



 HTTP/1.1  200 Connection established

 Via: 1.1 YYZXPROXY01



 SSH-1.99-OpenSSH_3.4 NetBSD_Secure_Shell-20020626

 SSH-2.0-MindTerm_2.0 2.0 (non-commercial)

 

... encrypted, successful connection ....

Another user has experimented with this, and concluded that the problem is that the proxy insists that the authentication scheme be "Basic" rather than "basic". RFC 2617 states that the scheme token is case-insensitive, but in the interests of being conservative in what we send, PuTTY should probably use "Basic".

This bug should be fixed as of proxy.c rev 1.27.

Audit trail for this semi-bug.

If you want to comment on this web site, see the Feedback page.
(last revision of this bug record was at 2004-11-16 15:27:00 +0000)