On Wed, 2008-11-05 at 16:17 +0100, Cech. Ulrich wrote: > <The version of Squid you are using appears broken. The proxy keeps one > sending 'Proxy-Connection: close' which is wrong given the fact that NTLM > requires a persistent connection in order to function.> > > Hi Oleg, > > But how can it be explained, that a non-ssl target is handled correct? The > wire-log shows a "Proxy-connection: closed" too, but the authentication > works fine. > And if I open the ssl-target over a browser (the same proxy is used), it > worked fine, too. > Perhaps, do I have to set some more header fields manually to force the > correct behavior? >
Well, take a closer look at the wire log. The connection _is_ being correctly reused between the initial challenge, message1, message2 and message3 when SSL is not used. So, Squid is definitely the culprit. You _may_ work the problem around by removing the offending 'Connection: close' headers using a protocol interceptor or by employing a custom connection reuse strategy. Use at your risk, though. Oleg > Many thanks! > > I put in the wire-log of the non-ssl target. > > > executing request: GET / HTTP/1.1 > via proxy: http://s-hqw2k3bd:3128 > to target: http://www.verisign.com:80 > [DEBUG] ClientParamsStack - 'http.protocol.max-redirects': null > [DEBUG] ClientParamsStack - 'http.route.forced-route': null > [DEBUG] ClientParamsStack - 'http.route.local-address': null > [DEBUG] ClientParamsStack - 'http.route.default-proxy': > http://s-hqw2k3bd:3128 > [DEBUG] ClientParamsStack - 'http.conn-manager.timeout': null > [DEBUG] SingleClientConnManager - Get connection for route > HttpRoute[{}->http://s-hqw2k3bd:3128->http://www.verisign.com:80] > [DEBUG] ClientParamsStack - 'http.connection.stalecheck': null > [DEBUG] DefaultRequestDirector - Stale connection check > [DEBUG] DefaultRequestDirector - Stale connection detected > [DEBUG] DefaultClientConnection - Connection closed > [DEBUG] ClientParamsStack - 'http.connection.timeout': null > [DEBUG] ClientParamsStack - 'http.tcp.nodelay': null > [DEBUG] ClientParamsStack - 'http.socket.timeout': null > [DEBUG] ClientParamsStack - 'http.socket.linger': null > [DEBUG] ClientParamsStack - 'http.socket.buffer-size': null > [DEBUG] ClientParamsStack - 'http.protocol.element-charset': null > [DEBUG] ClientParamsStack - 'http.connection.max-line-length': null > [DEBUG] ClientParamsStack - 'http.protocol.element-charset': null > [DEBUG] ClientParamsStack - 'http.connection.max-header-count': null > [DEBUG] ClientParamsStack - 'http.connection.max-line-length': null > [DEBUG] ClientParamsStack - 'http.connection.max-status-line-garbage': null > [DEBUG] ClientParamsStack - 'http.virtual-host': null > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.default-headers': null > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.useragent': Apache-HttpClient/4.0-beta1 > (java 1.4) > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.protocol.cookie-policy': null > [DEBUG] RequestAddCookies - CookieSpec selected: best-match > [DEBUG] ClientParamsStack - 'http.protocol.cookie-datepatterns': null > [DEBUG] ClientParamsStack - 'http.protocol.single-cookie-header': null > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] DefaultRequestDirector - Attempt 1 to execute request > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] wire - >> "GET http://www.verisign.com:80/ HTTP/1.1[EOL]" > [DEBUG] wire - >> "Host: www.verisign.com:80[EOL]" > [DEBUG] wire - >> "Connection: Keep-Alive[EOL]" > [DEBUG] wire - >> "User-Agent: Apache-HttpClient/4.0-beta1 (java 1.4)[EOL]" > [DEBUG] wire - >> "[EOL]" > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] headers - >> GET http://www.verisign.com:80/ HTTP/1.1 > [DEBUG] headers - >> Host: www.verisign.com:80 > [DEBUG] headers - >> Connection: Keep-Alive > [DEBUG] headers - >> User-Agent: Apache-HttpClient/4.0-beta1 (java 1.4) > [DEBUG] wire - << "HTTP/1.0 407 Proxy Authentication Required[EOL]" > [DEBUG] wire - << "Server: squid/2.6.STABLE6-NT[EOL]" > [DEBUG] wire - << "Date: Thu, 30 Oct 2008 07:21:21 GMT[EOL]" > [DEBUG] wire - << "Content-Type: text/html[EOL]" > [DEBUG] wire - << "Content-Length: 1359[EOL]" > [DEBUG] wire - << "Expires: Thu, 30 Oct 2008 07:21:21 GMT[EOL]" > [DEBUG] wire - << "X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0[EOL]" > [DEBUG] wire - << "Proxy-Authenticate: NTLM[EOL]" > [DEBUG] wire - << "X-Cache: MISS from s-hqw2k3bd.pmbelz.de[EOL]" > [DEBUG] wire - << "X-Cache-Lookup: NONE from s-hqw2k3bd.pmbelz.de:3128[EOL]" > [DEBUG] wire - << "Via: 1.0 s-hqw2k3bd.pmbelz.de:3128 > (squid/2.6.STABLE6-NT)[EOL]" > [DEBUG] wire - << "Proxy-Connection: close[EOL]" > [DEBUG] headers - << HTTP/1.0 407 Proxy Authentication Required > [DEBUG] headers - << Server: squid/2.6.STABLE6-NT > [DEBUG] headers - << Date: Thu, 30 Oct 2008 07:21:21 GMT > [DEBUG] headers - << Content-Type: text/html > [DEBUG] headers - << Content-Length: 1359 > [DEBUG] headers - << Expires: Thu, 30 Oct 2008 07:21:21 GMT > [DEBUG] headers - << X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 > [DEBUG] headers - << Proxy-Authenticate: NTLM > [DEBUG] headers - << X-Cache: MISS from s-hqw2k3bd.pmbelz.de > [DEBUG] headers - << X-Cache-Lookup: NONE from s-hqw2k3bd.pmbelz.de:3128 > [DEBUG] headers - << Via: 1.0 s-hqw2k3bd.pmbelz.de:3128 > (squid/2.6.STABLE6-NT) > [DEBUG] headers - << Proxy-Connection: close > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.protocol.handle-redirects': null > [DEBUG] ClientParamsStack - 'http.protocol.handle-authentication': null > [DEBUG] DefaultRequestDirector - Proxy requested authentication > [DEBUG] DefaultProxyAuthenticationHandler - Authentication schemes in the > order of preference: [ntlm, digest, basic] > [DEBUG] DefaultProxyAuthenticationHandler - ntlm authentication scheme > selected > [DEBUG] DefaultRequestDirector - Authorization challenge processed > [DEBUG] DefaultRequestDirector - Authentication scope: NTLM <any > realm>@s-hqw2k3bd:3128 > [DEBUG] DefaultRequestDirector - Found credentials > [DEBUG] DefaultClientConnection - Connection closed > [DEBUG] ClientParamsStack - 'http.connection.timeout': null > [DEBUG] ClientParamsStack - 'http.tcp.nodelay': null > [DEBUG] ClientParamsStack - 'http.socket.timeout': null > [DEBUG] ClientParamsStack - 'http.socket.linger': null > [DEBUG] ClientParamsStack - 'http.socket.buffer-size': null > [DEBUG] ClientParamsStack - 'http.protocol.element-charset': null > [DEBUG] ClientParamsStack - 'http.connection.max-line-length': null > [DEBUG] ClientParamsStack - 'http.protocol.element-charset': null > [DEBUG] ClientParamsStack - 'http.connection.max-header-count': null > [DEBUG] ClientParamsStack - 'http.connection.max-line-length': null > [DEBUG] ClientParamsStack - 'http.connection.max-status-line-garbage': null > [DEBUG] ClientParamsStack - 'http.virtual-host': null > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.default-headers': null > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.useragent': Apache-HttpClient/4.0-beta1 > (java 1.4) > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.protocol.cookie-policy': null > [DEBUG] RequestAddCookies - CookieSpec selected: best-match > [DEBUG] ClientParamsStack - 'http.protocol.cookie-datepatterns': null > [DEBUG] ClientParamsStack - 'http.protocol.single-cookie-header': null > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] DefaultRequestDirector - Attempt 2 to execute request > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] wire - >> "GET http://www.verisign.com:80/ HTTP/1.1[EOL]" > [DEBUG] wire - >> "Host: www.verisign.com:80[EOL]" > [DEBUG] wire - >> "Connection: Keep-Alive[EOL]" > [DEBUG] wire - >> "User-Agent: Apache-HttpClient/4.0-beta1 (java 1.4)[EOL]" > [DEBUG] wire - >> "Proxy-Authorization: NTLM > TlRMTVNTUAABAAAAATIAAAYABgAgAAAABwAHACYAAABQTUJFTFpQQy0xNjM0[EOL]" > [DEBUG] wire - >> "[EOL]" > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] headers - >> GET http://www.verisign.com:80/ HTTP/1.1 > [DEBUG] headers - >> Host: www.verisign.com:80 > [DEBUG] headers - >> Connection: Keep-Alive > [DEBUG] headers - >> User-Agent: Apache-HttpClient/4.0-beta1 (java 1.4) > [DEBUG] headers - >> Proxy-Authorization: NTLM > TlRMTVNTUAABAAAAATIAAAYABgAgAAAABwAHACYAAABQTUJFTFpQQy0xNjM0 > [DEBUG] wire - << "HTTP/1.0 407 Proxy Authentication Required[EOL]" > [DEBUG] wire - << "Server: squid/2.6.STABLE6-NT[EOL]" > [DEBUG] wire - << "Date: Thu, 30 Oct 2008 07:21:22 GMT[EOL]" > [DEBUG] wire - << "Content-Type: text/html[EOL]" > [DEBUG] wire - << "Content-Length: 1359[EOL]" > [DEBUG] wire - << "Expires: Thu, 30 Oct 2008 07:21:22 GMT[EOL]" > [DEBUG] wire - << "X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0[EOL]" > [DEBUG] wire - << "Proxy-Authenticate: NTLM > TlRMTVNTUAACAAAAAAAAADgAAAABAgACL1ghbzaInKkAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8= > [EOL]" > [DEBUG] wire - << "X-Cache: MISS from s-hqw2k3bd.pmbelz.de[EOL]" > [DEBUG] wire - << "X-Cache-Lookup: NONE from s-hqw2k3bd.pmbelz.de:3128[EOL]" > [DEBUG] wire - << "Via: 1.0 s-hqw2k3bd.pmbelz.de:3128 > (squid/2.6.STABLE6-NT)[EOL]" > [DEBUG] wire - << "Proxy-Connection: keep-alive[EOL]" > [DEBUG] headers - << HTTP/1.0 407 Proxy Authentication Required > [DEBUG] headers - << Server: squid/2.6.STABLE6-NT > [DEBUG] headers - << Date: Thu, 30 Oct 2008 07:21:22 GMT > [DEBUG] headers - << Content-Type: text/html > [DEBUG] headers - << Content-Length: 1359 > [DEBUG] headers - << Expires: Thu, 30 Oct 2008 07:21:22 GMT > [DEBUG] headers - << X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 > [DEBUG] headers - << Proxy-Authenticate: NTLM > TlRMTVNTUAACAAAAAAAAADgAAAABAgACL1ghbzaInKkAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8= > [DEBUG] headers - << X-Cache: MISS from s-hqw2k3bd.pmbelz.de > [DEBUG] headers - << X-Cache-Lookup: NONE from s-hqw2k3bd.pmbelz.de:3128 > [DEBUG] headers - << Via: 1.0 s-hqw2k3bd.pmbelz.de:3128 > (squid/2.6.STABLE6-NT) > [DEBUG] headers - << Proxy-Connection: keep-alive > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.protocol.handle-redirects': null > [DEBUG] ClientParamsStack - 'http.protocol.handle-authentication': null > [DEBUG] DefaultRequestDirector - Proxy requested authentication > [DEBUG] DefaultRequestDirector - Authorization challenge processed > [DEBUG] DefaultRequestDirector - Authentication scope: NTLM <any > realm>@s-hqw2k3bd:3128 > [DEBUG] DefaultRequestDirector - Connection kept alive > [DEBUG] wire - << "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 > Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">[\r][\n]" > [DEBUG] wire - << "<HTML><HEAD><META HTTP-EQUIV="Content-Type" > CONTENT="text/html; charset=iso-8859-1">[\r][\n]" > [DEBUG] wire - << "<TITLE>ERROR: Cache Access Denied</TITLE>[\r][\n]" > [DEBUG] wire - << "<STYLE > type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-s > erif}PRE{font-family:sans-serif}--></STYLE>[\r][\n]" > [DEBUG] wire - << "</HEAD>[\r][\n]" > [DEBUG] wire - << "<BODY>[\r][\n]" > [DEBUG] wire - << "<H1>ERROR</H1>[\r][\n]" > [DEBUG] wire - << "<H2>Cache Access Denied</H2>[\r][\n]" > [DEBUG] wire - << "<HR noshade size="1px">[\r][\n]" > [DEBUG] wire - << "<P>[\r][\n]" > [DEBUG] wire - << "While trying to retrieve the URL:[\r][\n]" > [DEBUG] wire - << "<A > HREF="http://www.verisign.com/">http://www.verisign.com/</A>[\r][\n]" > [DEBUG] wire - << "<P>[\r][\n]" > [DEBUG] wire - << "The following error was encountered:[\r][\n]" > [DEBUG] wire - << "<UL>[\r][\n]" > [DEBUG] wire - << "<LI>[\r][\n]" > [DEBUG] wire - << "<STRONG>[\r][\n]" > [DEBUG] wire - << "Cache Access Denied.[\r][\n]" > [DEBUG] wire - << "</STRONG>[\r][\n]" > [DEBUG] wire - << "</UL>[\r][\n]" > [DEBUG] wire - << "</P>[\r][\n]" > [DEBUG] wire - << "[\r][\n]" > [DEBUG] wire - << "<P>Sorry, you are not currently allowed to > request:[\r][\n]" > [DEBUG] wire - << "<PRE> http://www.verisign.com/</PRE>[\r][\n]" > [DEBUG] wire - << "from this cache until you have authenticated > yourself.[\r][\n]" > [DEBUG] wire - << "</P>[\r][\n]" > [DEBUG] wire - << "[\r][\n]" > [DEBUG] wire - << "<P>[\r][\n]" > [DEBUG] wire - << "You need to use Netscape version 2.0 or greater, or > Microsoft Internet[\r][\n]" > [DEBUG] wire - << "Explorer 3.0, or an HTTP/1.1 compliant browser for this > to work. Please[\r][\n]" > [DEBUG] wire - << "contact the <A HREF="mailto:webmaster">cache > administrator</a> if you have[\r][\n]" > [DEBUG] wire - << "difficulties authenticating yourself or [\r][\n]" > [DEBUG] wire - << "<A > HREF="http://s-hqw2k3bd.pmbelz.de/cgi-bin/chpasswd.cgi">change</a> your > default password.[\r][\n]" > [DEBUG] wire - << "</P>[\r][\n]" > [DEBUG] wire - << "[\n]" > [DEBUG] wire - << "<BR clear="all">[\n]" > [DEBUG] wire - << "<HR noshade size="1px">[\n]" > [DEBUG] wire - << "<ADDRESS>[\n]" > [DEBUG] wire - << "Generated Thu, 30 Oct 2008 07:21:22 GMT by > s-hqw2k3bd.pmbelz.de (squid/2.6.STABLE6-NT)[\n]" > [DEBUG] wire - << "</ADDRESS>[\n]" > [DEBUG] wire - << "</BODY></HTML>[\n]" > [DEBUG] ClientParamsStack - 'http.virtual-host': null > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.default-headers': null > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.useragent': Apache-HttpClient/4.0-beta1 > (java 1.4) > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] ClientParamsStack - 'http.protocol.cookie-policy': null > [DEBUG] RequestAddCookies - CookieSpec selected: best-match > [DEBUG] ClientParamsStack - 'http.protocol.cookie-datepatterns': null > [DEBUG] ClientParamsStack - 'http.protocol.single-cookie-header': null > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] DefaultRequestDirector - Attempt 3 to execute request > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] wire - >> "GET http://www.verisign.com:80/ HTTP/1.1[EOL]" > [DEBUG] wire - >> "Host: www.verisign.com:80[EOL]" > [DEBUG] wire - >> "Connection: Keep-Alive[EOL]" > [DEBUG] wire - >> "User-Agent: Apache-HttpClient/4.0-beta1 (java 1.4)[EOL]" > [DEBUG] wire - >> "Proxy-Authorization: NTLM > TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAwADABwAAAACAAIAHwAAAAOAA4AhAAAAAAAAAAA > AAAAAQIAALFQXDeVSLGteDvHwJgKD1gps+dbqrCndNRrH9fbKfPAzuBr4vCdkFQr/bBcqmFKClAA > TQBCAEUATABaAGMAZQBjAGgAUABDAC0AMQA2ADMANAA=[EOL]" > [DEBUG] wire - >> "[EOL]" > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > [DEBUG] headers - >> GET http://www.verisign.com:80/ HTTP/1.1 > [DEBUG] headers - >> Host: www.verisign.com:80 > [DEBUG] headers - >> Connection: Keep-Alive > [DEBUG] headers - >> User-Agent: Apache-HttpClient/4.0-beta1 (java 1.4) > [DEBUG] headers - >> Proxy-Authorization: NTLM > TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAwADABwAAAACAAIAHwAAAAOAA4AhAAAAAAAAAAA > AAAAAQIAALFQXDeVSLGteDvHwJgKD1gps+dbqrCndNRrH9fbKfPAzuBr4vCdkFQr/bBcqmFKClAA > TQBCAEUATABaAGMAZQBjAGgAUABDAC0AMQA2ADMANAA= > [DEBUG] wire - << "HTTP/1.0 200 OK[EOL]" > [DEBUG] wire - << "Server: Netscape-Enterprise/4.1[EOL]" > [DEBUG] wire - << "Date: Thu, 30 Oct 2008 07:21:22 GMT[EOL]" > [DEBUG] wire - << "Set-Cookie: v1st=49096073CBC7E173; path=/; expires=Wed, > 19 Feb 2020 14:28:00 GMT; domain=.verisign.com[EOL]" > [DEBUG] wire - << "Content-Type: text/html[EOL]" > [DEBUG] wire - << "X-Cache: MISS from s-hqw2k3bd.pmbelz.de[EOL]" > [DEBUG] wire - << "X-Cache-Lookup: MISS from s-hqw2k3bd.pmbelz.de:3128[EOL]" > [DEBUG] wire - << "Via: 1.0 s-hqw2k3bd.pmbelz.de:3128 > (squid/2.6.STABLE6-NT)[EOL]" > [DEBUG] wire - << "Proxy-Connection: close[EOL]" > [DEBUG] headers - << HTTP/1.0 200 OK > [DEBUG] headers - << Server: Netscape-Enterprise/4.1 > [DEBUG] headers - << Date: Thu, 30 Oct 2008 07:21:22 GMT > [DEBUG] headers - << Set-Cookie: v1st=49096073CBC7E173; path=/; expires=Wed, > 19 Feb 2020 14:28:00 GMT; domain=.verisign.com > [DEBUG] headers - << Content-Type: text/html > [DEBUG] headers - << X-Cache: MISS from s-hqw2k3bd.pmbelz.de > [DEBUG] headers - << X-Cache-Lookup: MISS from s-hqw2k3bd.pmbelz.de:3128 > [DEBUG] headers - << Via: 1.0 s-hqw2k3bd.pmbelz.de:3128 > (squid/2.6.STABLE6-NT) > [DEBUG] headers - << Proxy-Connection: close > [DEBUG] ClientParamsStack - 'http.protocol.version': HTTP/1.1 > ---------------------------------------- > HTTP/1.0 200 OK > Response content length: -1 > ---------------------------------------- > HTTP/1.0 200 OK > Server: Netscape-Enterprise/4.1 > Date: Thu, 30 Oct 2008 07:21:22 GMT > Set-Cookie: v1st=49096073CBC7E173; path=/; expires=Wed, 19 Feb 2020 14:28:00 > GMT; domain=.verisign.com > Content-Type: text/html > X-Cache: MISS from s-hqw2k3bd.pmbelz.de > X-Cache-Lookup: MISS from s-hqw2k3bd.pmbelz.de:3128 > Via: 1.0 s-hqw2k3bd.pmbelz.de:3128 (squid/2.6.STABLE6-NT) > Proxy-Connection: close > ---------------------------------------- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]