Feature Request: HTTP proxy authentication

Marc-André Laverdière marc-andre at atc.tcs.com
Thu Jun 19 02:03:29 PDT 2014

FYI, I cloned from the git repo and built it.
I was able to connect to my VPN through the proxy without any glitches.

Marc-André Laverdière-Papineau
Researcher - e-Security Team
TCS Innovation Labs

On 06/19/2014 03:28 AM, David Woodhouse wrote:
> On Wed, 2014-06-18 at 18:14 +0100, David Woodhouse wrote:
>> On Wed, 2014-06-18 at 10:44 +0100, David Woodhouse wrote:
>>> I don't have access to a proxy requiring authentication. I could perhaps
>>> set up squid to require basic auth, but NTLM and Kerberos are harder. If
>>> I could have access to a proxy that requires such, then I might be more
>>> inclined to implement this myself...
>> It turns out to be relatively simple to set up a copy of squid to do
>> Basic, NTLM and Negotiate auth against Active Directory, so I've done
>> so.
>> I've pushed some initial changes which make Basic auth work, and I may
>> take a look at NTLM and Kerberos/GSSAPI if nobody beats me to it. Once
>> it's working, I may take another look at the structure of it.
> With what I pushed a few minutes ago NTLM now also works, although
> *only* the single-sign-on version using Samba's /usr/bin/ntlm_auth
> helper tool and winbind.
> Manual NTLM authentication where you actually give it the username and
> password isn't implemented — that's left as an exercise for the reader
> (hint: there's an LGPLv2-compatible implementation to copy from in
> https://git.gnome.org/browse/evolution-data-server/tree/camel/camel-sasl-ntlm.c which even supports NTLMv2. Around line 873 is the interesting part).
> I'm more likely to do GSSAPI next, rather than the boring gruntwork of
> porting that code over. But definitely not today. Do feel free to help
> out :)
> Reviewing the other code I've hastily thrown together may also prove
> fruitful...

More information about the openconnect-devel mailing list