PuTTY semi-bug msproxy-denied

summary: Connections through MS Proxy Server (HTTP) are spuriously denied
class: semi-bug: This might or might not be a bug, depending on your precise definition of what a bug is.
difficulty: fun: Just needs tuits, and not many of them.
priority: medium: This should be fixed one day.
present-in: 0.53b 2002-12-30
fixed-in: 2003-03-19 (0.54) (0.55) (0.56) (0.57) (0.58) (0.59) (0.60) (0.61) (0.62)

Original report (<007801c2b108$5ad5a200$33db8ad8@alexin.ca>):

I believe I have found a bug in Win32 putty .53b. (found in Win2000,
also tested current dev binary).  I am connecting to a NetBSD server 1.6
running OpenSSH 3.4 on port 443, but had the same problem on an OpenBSD
server with OpenSSH 3.4.

I am connecting through an authenticated Microsoft Proxy server v2 on
Windows 2000, using HTTP proxy services.


Using Putty, the connection conversation is: 

 CONNECT 216.138.219.54:443 HTTP/1.1
 Host: 216.138.219.54:443
 Proxy-Authorization: basic YW1leeljYXNcc3RldmVfYmFya2V5OmluZXNzMTA=

 HTTP/1.1 407 Proxy Access Denied
 Server: Microsoft-IIS/5.0
 Date: Tue, 31 Dec 2002 19:32:43 GMT
 Connection: close
 Proxy-Authenticate: Negotiate
 Proxy-Authenticate: NTLM
 Proxy-Authenticate: Basic realm="53.244.73.245"

And the connection fails with putty event log: 
"2002-12-31 14:48:08    Connecting to 216.138.219.54 port 443
2002-12-31 14:48:08     Proxy error: 407 Proxy Access Denied"


Using MindTerm 2.0 (an inferior java ssh client), the connection
conversation is:

 CONNECT 216.138.219.54:443 HTTP/1.0
 proxy-connection: Keep-Alive
 pragma: No-Cache
 user-agent: MindTerm/$Name:  $

 HTTP/1.1 407 Proxy Access Denied
 Server: Microsoft-IIS/5.0
 Date: Tue, 31 Dec 2002 19:33:05 GMT
 Proxy-Authenticate: Negotiate
 Proxy-Authenticate: NTLM
 Proxy-Authenticate: Basic realm="53.244.73.245"

----------- and then -----------

 CONNECT 216.138.219.54:443 HTTP/1.0
 proxy-authorization: Basic YW1leeljYXNcc3RldmVfYmFya2V5OmluZXNzMTA=

 proxy-connection: Keep-Alive
 pragma: No-Cache user-agent: MindTerm/$Name:  $

 HTTP/1.1  200 Connection established
 Via: 1.1 YYZXPROXY01

 SSH-1.99-OpenSSH_3.4 NetBSD_Secure_Shell-20020626
 SSH-2.0-MindTerm_2.0 2.0 (non-commercial)
 
... encrypted, successful connection ....

Another user has experimented with this, and concluded that the problem is that the proxy insists that the authentication scheme be "Basic" rather than "basic". RFC 2617 states that the scheme token is case-insensitive, but in the interests of being conservative in what we send, PuTTY should probably use "Basic".

This bug should be fixed as of proxy.c rev 1.27.
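
The following sketch is an added illustration of the rule described above and is not the code from PuTTY's proxy.c: it matches the scheme token case-insensitively when reading a Proxy-Authenticate value, and always writes the canonical "Basic" when sending. The function names `scheme_is` and `build_proxy_auth` are hypothetical, and the credentials are the constructed example pair from RFC 2617.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static const char b64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/* Base64-encode len bytes; out needs 4*((len+2)/3)+1 bytes. */
static void base64_encode(const unsigned char *in, size_t len, char *out)
{
    for (size_t i = 0; i < len; i += 3) {
        size_t left = len - i;
        unsigned v = (unsigned)in[i] << 16;
        if (left > 1) v |= (unsigned)in[i + 1] << 8;
        if (left > 2) v |= in[i + 2];
        *out++ = b64[v >> 18];
        *out++ = b64[(v >> 12) & 63];
        *out++ = left > 1 ? b64[(v >> 6) & 63] : '=';
        *out++ = left > 2 ? b64[v & 63] : '=';
    }
    *out = '\0';
}

/* Receiving side: compare the scheme token ignoring case (RFC 2617). */
int scheme_is(const char *value, const char *scheme)
{
    size_t n = strlen(scheme);
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)value[i]) != tolower((unsigned char)scheme[i]))
            return 0;   /* also stops at value's terminating NUL */
    return value[n] == '\0' || value[n] == ' ' || value[n] == '\t';
}

/* Sending side: always emit "Basic". Returns header length, -1 if too long. */
int build_proxy_auth(const char *user, const char *pass, char *buf, size_t buflen)
{
    char cred[128], enc[176];
    int n = snprintf(cred, sizeof cred, "%s:%s", user, pass);
    if (n < 0 || (size_t)n >= sizeof cred) return -1;
    base64_encode((const unsigned char *)cred, (size_t)n, enc);
    n = snprintf(buf, buflen, "Proxy-Authorization: Basic %s\r\n", enc);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

int main(void)
{
    char hdr[256];   /* constructed credentials (RFC 2617 example pair) */
    if (scheme_is("Basic realm=\"proxy\"", "basic") &&
        build_proxy_auth("Aladdin", "open sesame", hdr, sizeof hdr) > 0)
        fputs(hdr, stdout);
    return 0;
}
```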

(last revision of this bug record was at 2004-11-16 15:27:00 +0000)