This is the mail archive of the cygwin mailing list for the Cygwin project.
Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]
Re: Https proxy auth issue with git in cygwin 2.2.1

From: LukaszPielak <pielak at gmail dot com>
To: cygwin at cygwin dot com
Date: Fri, 25 Sep 2015 07:13:07 +0000 (UTC)
Subject: Re: Https proxy auth issue with git in cygwin 2.2.1
Authentication-results: sourceware.org; auth=none
References: <CAFkLm6xW=5uUP+CRrmUontqPzqAZ+r4WdwjVAhP+XTvs53JmFQ at mail dot gmail dot com> <20150921103100 dot GF14466 at dinwoodie dot org>
Adam Dinwoodie <adam <at> dinwoodie.org> writes:

> 
> On Mon, Sep 21, 2015 at 08:54:39AM +0200, Lukasz Pielak wrote:
> > In the latest Cygwin 2.2.1. git doesnât work with proxy 
authentication.
> 
> What do you mean by proxy authentication here?  What do you have
> configured, and how?
> 
> > The git version is 2.5.1 and the curl version is 7.43.
> > The error prints fatal: unable to access
> > 'https://github.com/mockito/mockito.git/': Unknown SSL protocol 
error
> > in connection to github.com:443
> 
> WJFFM with those versions, but then I'm not using any sort of web 
proxy.
> 
> > In my previous Cygwin 1.7.35 (with curl 7.41) this problem didnât
> > exist. Git for windows (git 2.5.1 version, but curl is 7.44) seems 
to
> > work too.
> 
> Are you able to test any other combinations of these?  I don't think 
the
> results for Git for Windows are going to be particularly informative -
-
> there are too many variables between that build and Cygwin's -- but
> knowing whether it's the bump from Cygwin v1.7.35 to v2.2.1, or from
> Curl v7.41 to v7.43, would be potentially useful.
> 
> > I assume that  there is a bug in curl rather than in git.
> 
> As an interim solution, does using ssh instead of https work?
> 
> 

Hi Adam

ssh over https is unfortunately not an option.

I experimented with with curl instead of git a bit:

With --proxy-negotiate i get:

curl -v --proxy webproxy.mycorp.com:8080 --proxy-user myuser:mypasswd
--proxy-negotiate http://mirror.provider.org/package.rpm
* STATE: INIT => CONNECT handle 0x80048388; line 1075 (connection 
#-5000)
* Added connection 0. The cache now contains 1 members
*   Trying 10.105.36.151...
* STATE: CONNECT => WAITCONNECT handle 0x80048388; line 1128 (connection 
#0)
* Connected to webproxy.mycorp.com (10.105.36.151) port 8080 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x80048388; line 1225
(connection #0)
* STATE: SENDPROTOCONNECT => DO handle 0x80048388; line 1243 (connection 
#0)
> GET http://mirror.provider.org/package.rpm HTTP/1.1
> Host: mirror.provider.org
> User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* STATE: DO => DO_DONE handle 0x80048388; line 1322 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x80048388; line 1449 (connection 
#0)
* STATE: WAITPERFORM => PERFORM handle 0x80048388; line 1459 (connection 
#0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 407 Proxy Authentication Required
* gss_init_sec_context() failed: : SPNEGO cannot find mechanisms to 
negotiate
< Proxy-Authenticate: NEGOTIATE
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: BASIC realm="BCAAA"
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close
< Set-Cookie: BCSI-CS-d71134cd838e0ff2=2; Path=/
< Connection: close
< Content-Length: 1551
<
<html>
<head>
<title>Access Denied</title>
</head>

With proxy-ntlm it seems to work though

curl -v --proxy webproxy.mycorp.com:8080 --proxy-user myuser:mypasswd
--proxy-ntlm http://mirror.provider.org/package.rpm
* STATE: INIT => CONNECT handle 0x80048388; line 1075 (connection 
#-5000)
* Added connection 0. The cache now contains 1 members
*   Trying 10.105.36.151...
* STATE: CONNECT => WAITCONNECT handle 0x80048388; line 1128 (connection 
#0)
* Connected to webproxy.mycorp.com (10.105.36.151) port 8080 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x80048388; line 1225
(connection #0)
* STATE: SENDPROTOCONNECT => DO handle 0x80048388; line 1243 (connection 
#0)
* Proxy auth using NTLM with user 'myuser'
> GET http://mirror.provider.org/package.rpm HTTP/1.1
> Host: mirror.provider.org
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
> User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* STATE: DO => DO_DONE handle 0x80048388; line 1322 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x80048388; line 1449 (connection 
#0)
* STATE: WAITPERFORM => PERFORM handle 0x80048388; line 1459 (connection 
#0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAABwAHADgAAAAGgokCrqa74bTKLosAAAAAAAAAAHYAdgA/AAAABgGxHQAA
AA9OVC1TQkIxAgAOAE4AVAAtAFMAQgBCADEAAQAMAEkANgA4ADUANgA4AAQADABzAGIAYgAu
AGMAaAADABoAaQA2ADgANQA2ADgALgBzAGIAYgAuAGMAaAAFABIAYQBkAHIAYQBpAGwALgBj
AGgABwAIAOjj+Rta9dABAAAAAA==
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Proxy-Connection: Keep-Alive
< Set-Cookie: BCSI-CS-d71134cd838e0ff2=2; Path=/
< Connection: Keep-Alive
< Content-Length: 1568
<
* Ignoring the response-body
* Curl_done
* Connection #0 to host webproxy.mycorp.com left intact
* Issue another request to this URL: 
'http://mirror.provider.org/package.rpm'
* STATE: PERFORM => CONNECT handle 0x80048388; line 1593 (connection 
#-5000)
* Found bundle for host mirror.provider.org: 0x8005b3f0
* Re-using existing connection! (#0) with proxy webproxy.mycorp.com
* Connected to webproxy.mycorp.com (10.105.36.151) port 8080 (#0)
* STATE: CONNECT => DO handle 0x80048388; line 1121 (connection #0)
* Proxy auth using NTLM with user 'myuser'
> GET http://mirror.provider.org/package.rpm HTTP/1.1
> Host: mirror.provider.org
> Proxy-Authorization: NTLM 
TlRMTVNTUAADAAAAGAAYAEAAAACmAKYAWAAAAAAAAAD+AAAABwAHAP4AAAAGAAYABQEAAAAA
AAAAAAAABoKJAhvGb+LTOmku2XPOiA6YSDWn4N5/nvfBGSXfJmwNZpFtA+BoIeymbekBAQAA
AAAAAIANcRta9dABp+Def573wRkAAAAAAgAOAE4AVAAtAFMAQgBCADEAAQAMAEkANgA4ADUA
NgA4AAQADABzAGIAYgAuAGMAaAADABoAaQA2ADgANQA2ADgALgBzAGIAYgAuAGMAaAAFABIA
YQBkAHIAYQBpAGwALgBjAGgABwAIAOjj+Rta9dABAAAAAAAAAAB1ZTYzNjYySzExMjYz
> User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* STATE: DO => DO_DONE handle 0x80048388; line 1322 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x80048388; line 1449 (connection 
#0)
* STATE: WAITPERFORM => PERFORM handle 0x80048388; line 1459 (connection 
#0)
* HTTP 1.0, assume close after body
< HTTP/1.0 302 Found
< Location: http://mirror.provider.org/notify-NotifySplashOrange?
aHR0cDovL21pcnJvci5wcm92aWRlci5vcmcvcGFja2FnZS5ycG0=
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Proxy-Connection: close
< Connection: close
< Content-Length: 1449
<
<html>
<head>
<title>Redirect</title>
</head>
<body>

Now I switched back to the old cygwin and tried the same

{ ~ }  Â uname -a
CYGWIN_NT-6.1-WOW K11263 1.7.35(0.287/5/3) 2015-03-04 12:07 i686 Cygwin
{ ~ }  Â curl --version
curl 7.41.0 (i686-pc-cygwin) libcurl/7.41.0 OpenSSL/1.0.2a zlib/1.2.8
libidn/1.29 libssh2/1.5.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: Debug IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
NTLM_WB SSL libz TLS-SRP UnixSockets Metalink
{ ~ }  Â git --version
git version 2.1.4


curl -v --proxy webproxy.mycorp.com:8080 --proxy-user myuser:mypasswd
--proxy-negotiate http://mirror.provider.org/package.rpm
* STATE: INIT => CONNECT handle 0x800481f8; line 1034 (connection 
#-5000)
* Added connection 0. The cache now contains 1 members
*   Trying 10.105.36.152...
* STATE: CONNECT => WAITCONNECT handle 0x800481f8; line 1087 (connection 
#0)
* Connected to webproxy.mycorp.com (10.105.36.152) port 8080 (#0)
* STATE: WAITCONNECT => DO handle 0x800481f8; line 1229 (connection #0)
> GET http://mirror.provider.org/package.rpm HTTP/1.1
> User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))
> Host: mirror.provider.org
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* STATE: DO => DO_DONE handle 0x800481f8; line 1314 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x800481f8; line 1441 (connection 
#0)
* STATE: WAITPERFORM => PERFORM handle 0x800481f8; line 1454 (connection 
#0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 407 Proxy Authentication Required
* gss_init_sec_context() failed: : SPNEGO cannot find mechanisms to 
negotiate
< Proxy-Authenticate: NEGOTIATE
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: BASIC realm="BCAAA"
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close
< Set-Cookie: BCSI-CS-7390672db2e928d5=2; Path=/
< Connection: close
< Content-Length: 1551
<
<html>
<head>
<title>Access Denied</title>
</head>
<body>

As you can see i still get the error, but git seems to work:

{ mockito } master Â git pull
Already up-to-date.

This makes me think that it is rather a change in the recent git 
version. To me it looks like git changed the way it makes a curl call.

Unfortunately this doesn't resolve my issues, I still need to use git
over https in cygwin. Any hints?

Cheers
Lukasz
References:
- Https proxy auth issue with git in cygwin 2.2.1
  - From: Lukasz Pielak
- Re: Https proxy auth issue with git in cygwin 2.2.1
  - From: Adam Dinwoodie
Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]