Re: [Openvpn-devel] openvpn, NTLM and McAfee Web Gateway

2010-10-19 Thread openvpn

From: "Jan Just Keijser" janj...@nikhef.nl
To: "openvpn" open...@lucullo.it
Cc: openvpn-devel@lists.sourceforge.net
Date: Mon, 18 Oct 2010 12:58:35 +0200
Subject: Re: [Openvpn-devel] openvpn, NTLM and McAfee Web Gateway

> openvpn wrote:
> > dear all,
> >
> > a few days ago I deployed an ovpn solution in a medium sized company. 
> > One of the two ends of the vpn network is passing through a proxy with 
> > NTLM authentication. ovpn has problems to recognize the authentication 
> > because immediately after sending the message type 1, the proxy sends 
> > no response, so I had to modify the source code by replacing the 
> > current message with a similar but different one.
> >
> > in particular this one:
> >
> > TlRMTVNTUAABAgIAAA==
> >
> >
> > become:
> >
> > TlRMTVNTUAABB4IIogAFASgKDw==
> >
> >
> > A detail of the work is available at:
> >
> > http://www.morzello.com/?p=350 (in Italian).
> >
> > I was wondering if you could have a function that supports this type 
> > of proxy (such as McAfee Web Gateway).
> >
> I applied your "patch" and I still cannot get it to work for my 
> httpd+mod_ntlm (NTLMv1 only) installation. The NTLM handshake that 
> OpenVPN does is broken. Without the patch Wireshark tells me the first 
> NTLMSPP message is invalid
>   http://www.nikhef.nl/~janjust/openvpn/openvpn-ntlm-error1.png
> If I change the phase_1 NTLM message to the above I get one step further 
> but then it breaks at the next packet:
>   http://www.nikhef.nl/~janjust/openvpn/openvpn-ntlm-error2.png
> It seems the Windows domain and username are not stored properly inside 
> the request. The same httpd+mod_ntlm installation works flawlessly using 
> Internet Explorer 7: in that case the domain and user name are encoded 
> just fine.
> 
> What am I doing wrong?
> 
> cheers,
> 
> JJK
> 
 
Sorry Jan, mine was a dirty job in order to quickly solve my problem. I think the 
correct way to solve the issue is to study the NTLM and NTLMv2 standard more deeply. 
Error 1 is the same I got before patching the code, but I didn't spend 
much time analyzing the issue. I can try to solve the problem if someone can 
test the results (with community agreement).
 
have a nice day, vittorio


Re: [Openvpn-devel] openvpn, NTLM and McAfee Web Gateway

2010-10-18 Thread Jan Just Keijser

openvpn wrote:

> dear all,
>
> a few days ago I deployed an ovpn solution in a medium sized company. 
> One of the two ends of the vpn network is passing through a proxy with 
> NTLM authentication. ovpn has problems to recognize the authentication 
> because immediately after sending the message type 1, the proxy sends 
> no response, so I had to modify the source code by replacing the 
> current message with a similar but different one.
>
> in particular this one:
>
> TlRMTVNTUAABAgIAAA==
>
> become:
>
> TlRMTVNTUAABB4IIogAFASgKDw==
>
> A detail of the work is available at:
>
> http://www.morzello.com/?p=350 (in Italian).
>
> I was wondering if you could have a function that supports this type 
> of proxy (such as McAfee Web Gateway).


I applied your "patch" and I still cannot get it to work for my 
httpd+mod_ntlm (NTLMv1 only) installation. The NTLM handshake that 
OpenVPN does is broken. Without the patch Wireshark tells me the first 
NTLMSPP message is invalid

 http://www.nikhef.nl/~janjust/openvpn/openvpn-ntlm-error1.png
If I change the phase_1 NTLM message to the above I get one step further 
but then it breaks at the next packet:

 http://www.nikhef.nl/~janjust/openvpn/openvpn-ntlm-error2.png
It seems the Windows domain and username are not stored properly inside 
the request. The same httpd+mod_ntlm installation works flawlessly using 
Internet Explorer 7: in that case the domain and user name are encoded 
just fine.


What am I doing wrong?

cheers,

JJK




Re: [Openvpn-devel] openvpn, NTLM and McAfee Web Gateway

2010-10-15 Thread openvpn
> Hi,
> 
> I read your blog post, interesting stuff. The strings the client sends
> seem to be base64 encoded and the first part on both messages look like
> this (in nano/vi):
> 
> NTLMSSP
> 
> It's followed by this, which is apparently the message type hex string:
> 
> ^@^A^@^@^@
> 
> After this they differ noticeably. I'd guess they are just sending
> different NTLM flags:
> 
> 
> 
> Can somebody more fluent in NTLM protocol decipher these two messages?
> 
> -- 
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
> 
> irc freenode net: mattock
> 
  
Firefox uses the following flags:
 
#define NTLM_TYPE1_FLAGS  \
(NTLM_NegotiateUnicode |\
NTLM_NegotiateOEM |\
NTLM_RequestTarget |   \
NTLM_NegotiateNTLMKey |\
NTLM_NegotiateAlwaysSign | \
NTLM_NegotiateNTLM2Key)

 
take a look here for more information: 
 
http://hg.mozilla.org/releases/mozilla-1.9.2/file/d1c0b2c4ac7a/security/manager/ssl/src/nsNTLMAuthModule.cpp

I hope that may help.
 
vittorio


Re: [Openvpn-devel] openvpn, NTLM and McAfee Web Gateway

2010-10-15 Thread Samuli Seppänen

> dear all,
>
> a few days ago I deployed an ovpn solution in a medium sized company.
> One of the two ends of the vpn network is passing through a proxy with
> NTLM authentication. ovpn has problems to recognize the authentication
> because immediately after sending the message type 1, the proxy sends
> no response, so I had to modify the source code by replacing the
> current message with a similar but different one.
>
> in particular this one:
>
> TlRMTVNTUAABAgIAAA==
>
>
> become:
>
> TlRMTVNTUAABB4IIogAFASgKDw==
>
>
> A detail of the work is available at:
>
> http://www.morzello.com/?p=350 (in Italian).
>
> I was wondering if you could have a function that supports this type
> of proxy (such as McAfee Web Gateway).
>
> thank you very much.
Hi,

I read your blog post, interesting stuff. The strings the client sends
seem to be base64 encoded and the first part on both messages look like
this (in nano/vi):

NTLMSSP

It's followed by this, which is apparently the message type hex string:

^@^A^@^@^@

After this they differ noticeably. I'd guess they are just sending
different NTLM flags:



Can somebody more fluent in NTLM protocol decipher these two messages?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-devel] openvpn, NTLM and McAfee Web Gateway

2010-10-14 Thread openvpn
dear all,

a few days ago I deployed an ovpn solution in a medium sized company. 
One of the two ends of the vpn network is passing through a proxy with 
NTLM authentication. ovpn has problems to recognize the authentication 
because immediately after sending the message type 1, the proxy sends 
no response, so I had to modify the source code by replacing the 
current message with a similar but different one.

in particular this one:

TlRMTVNTUAABAgIAAA==

become:

TlRMTVNTUAABB4IIogAFASgKDw==

A detail of the work is available at:

http://www.morzello.com/?p=350 (in Italian).

I was wondering if you could have a function that supports this type 
of proxy (such as McAfee Web Gateway).

thank you very much.