While investigating why digest auth wrongly indicated stale=false on
unknown nonces even when all the logic for fixing that has been
forward-ported since way back, I stumbled across this little difference
between Squid-2 & Squid-3 in how they fix up auth headers on failed auth
requests. In Squid-2 the current active auth scheme gets the
auth_user_request sent to it, while in Squid-3 none of them does..

The Squid-2 commit message says:

    Support for the Negotiate authentication scheme, and
    corresponding rewrite of the NTLM authentication scheme.

    The Negotiate authentication scheme is quite similar to NTLM,
    only difference is that the number of handshakes varies (one or
    three), and that there is a final blob sent to the client on
    successful authentication.

    In this rewrite the challenge reuse functionality previously
    found in the NTLM scheme has been ripped out. Was causing lots
    of headaches, and never really working properly. Instead we will
    be looking into a more efficient helper protocol to deal with
    this in a correct manner.

Unfortunately I do not quite remember why Negotiate needed this header
fixup on failed requests.
What I do know is that it hides the digest nonce issue.. but that's now
fixed more properly in Squid-3.

The attached patch is a forward-port of the auth_user_request passing
change from Squid-2. Dumped here in case someone wants to look into if
Squid-3 needs this for Negotiate.. have a nagging feeling it does for
passing the final server blob on auth failure, but no time to test
tonight.