thanks for documenting. X-Linked the Proxy threads here over at WCG, and already today someone reported success with the Anonymous Proxy Authentication work around.

http://www.worldcommunitygrid.org/forums/wcg/printpost?post=140818

Sekerob, it's a honour for me :-)

(hope any future changes to BOINC are not going to break those workarounds :?)

Maybe some network-aware Boinc folks should take a look at libCurl to get it fixed sooner? ;-)


BTW, cURL and libcurl release notes for 7.17.2 (planned for the December 2007 release) reports

11 This release includes the following changes:
14 o CURLOPT_PROXY_TRANSFER_MODE was added
15
16 This release includes the following bugfixes:
29 o Negotiate now works on auth and proxy simultanouesly

I hope this is a good news.

On the other hand, the Known cURL Bugs document says:

These are problems known to exist at the time of this release.

48. If a CONNECT response-headers are larger than BUFSIZE (16KB) when the
connection is meant to be kept alive (like for NTLM proxy auth), the
function will return prematurely and will confuse the rest of the HTTP
protocol code. This should be very rare.

37. Having more than one connection to the same host when doing NTLM
authentication (with performs multiple "passes" and authenticates a
connection rather than a HTTP request), and particularly when using the
multi interface, there's a risk that libcurl will re-use a wrong connection
when doing the different passes in the NTLM negotiation and thus fail to
negotiate (in seemingly mysterious ways).

33. Doing multi-pass HTTP authentication on a non-default port does not work.
This happens because the multi-pass code abuses the redirect following code
for doing multiple requests, and when we following redirects to an absolute
URL we must use the newly specified port and not the one specified in the
original URL. A proper fix to this would need to separate the negotiation
"redirect" from an actual redirect.

26. NTLM authentication using SSPI (on Windows) when (lib)curl is running in
"system context" will make it use wrong(?) user name - at least when compared
to what winhttp does. See http://curl.haxx.se/bug/view.cgi?id=1281867

10. To get HTTP Negotiate authentication to work fine, you need to provide a
(fake) user name (this concerns both curl and the lib) because the code
wrongly only considers authentication if there's a user name provided.
http://curl.haxx.se/bug/view.cgi?id=1004841. How?
http://curl.haxx.se/mail/lib-2004-08/0182.html

2. If a HTTP server responds to a HEAD request and includes a body (thus
violating the RFC2616), curl won't wait to read the response but just stop
reading and return back. If a second request (let's assume a GET) is then
immediately made to the same server again, the connection will be re-used
fine of course, and the second request will be sent off but when the
response is to get read, the previous response-body is what curl will read
and havoc is what happens.
More details on this is found in this libcurl mailing list thread:
http://curl.haxx.se/mail/lib-2002-08/0000.html

This possibly continues to be a bad news :o(

Peter

Thanks Peter.

I just give it a go with NTLMaps and it works great.
Even wcg ( at least download and update status ) works.

But I agree with you, lets hope that Boinc, one day, works again with ISA proxys.

Also, I can confirm, no need to set user or password in boinc, just localhost and port.
By the way, the LISTEN_PORT can be changed to something like 8080 as long as you set the same port in boinc.

Again, thanks,
Paulo

I can feel a fresh wind blowing from WCG:

knreed wrote:

Good news on the NTLM front. We have been working with the libCurl team to resolve this issue and there has been some good progress.

We will be releasing a new version of the client in the next 2-3 weeks that will support NTLM authentication. At the moment there will still be one problem that will require a workaround the user must do (i.e. manually set a flag in the cc_config.xml file).

We are continuing to work to eliminate the workaround and hope to have that resolved in the next day or two. If we cannot get it resolved quickly, then we will go ahead and have the BOINC team go ahead and release a version of the client for testing that will allow NTLM to at least work with this workaround. Then in some future release we can hopefully fix the problem in its entirety so that NTLM auth will work automatically.

Peter

There is Boinc 5.10.40, again one version after extended period of time, which works for me when getting through authenticated NTLM proxy server. Kudos to all parties involved!

(In the mean time, one possible issue was already mentioned in BOINC Manager : 5.10.40 x86 / Windows "Longhorn" thread.)

Peter

There is Boinc 5.10.40, again one version after extended period of time, which works for me when getting through authenticated NTLM proxy server. Kudos to all parties involved!

(In the mean time, one possible issue was already mentioned in BOINC Manager : 5.10.40 x86 / Windows "Longhorn" thread.)

Peter

At WCG is reported that 5.10.41 opened up the floodgates for other versions of proxy as well. The fixing of this and getting thru with secure communications is major. http://www.worldcommunitygrid.org/forums/wcg/printpost?post=150097

Hint!
If your boinc-version get in troubles with http-proxy use socks-proxy instead. I don't know why, but all my used version from 5.4.X over 5.8.X to 5.10.30 had no problems with auth-socks connections.

Hint!
If your boinc-version get in troubles with http-proxy use socks-proxy instead. I don't know why, but all my used version from 5.4.X over 5.8.X to 5.10.30 had no problems with auth-socks connections.

Tried already years ago... to no avail. Probably depends on particular proxy server, what's everything configured there to pass through.

Peter

Hint!
If your boinc-version get in troubles with http-proxy use socks-proxy instead. I don't know why, but all my used version from 5.4.X over 5.8.X to 5.10.30 had no problems with auth-socks connections.

Tried already years ago... to no avail. Probably depends on particular proxy server, what's everything configured there to pass through.

Peter

i have forgot to say socks5-proxy. with socks4 also avail...