From: "Jan Just Keijser" janj...@nikhef.nl
To: "openvpn" open...@lucullo.it
Cc: openvpn-devel@lists.sourceforge.net
Date: Mon, 18 Oct 2010 12:58:35 +0200
Subject: Re: [Openvpn-devel] openvpn, NTLM and McAfee Web Gateway
> openvpn wrote:
> > dear all,
> >
> > a few days ago I deployed an ovpn solution in a medium-sized company.
> > One of the two ends of the vpn network is passing through a proxy with
> > NTLM authentication. ovpn has problems recognizing the authentication
> > because immediately after sending the message type 1, the proxy sends
> > no response, so I had to modify the source code by replacing the
> > current message with a similar but different one.
> >
> > in particular this one:
> >
> > TlRMTVNTUAABAAAAAgIAAA==
> >
> > becomes:
> >
> > TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
> >
> > A detail of the work is available at:
> >
> > http://www.morzello.com/?p=350 (in Italian).
> >
> > I was wondering if you could have a function that supports this type
> > of proxy (such as McAfee Web Gateway).
>
> I applied your "patch" and I still cannot get it to work for my
> httpd+mod_ntlm (NTLMv1 only) installation. The NTLM handshake that
> OpenVPN does is broken. Without the patch Wireshark tells me the first
> NTLMSSP message is invalid:
> http://www.nikhef.nl/~janjust/openvpn/openvpn-ntlm-error1.png
> If I change the phase_1 NTLM message to the above I get one step further
> but then it breaks at the next packet:
> http://www.nikhef.nl/~janjust/openvpn/openvpn-ntlm-error2.png
> It seems the Windows domain and username are not stored properly inside
> the request. The same httpd+mod_ntlm installation works flawlessly using
> Internet Explorer 7: in that case the domain and user name are encoded
> just fine.
>
> What am I doing wrong?
>
> cheers,
>
> JJK

Sorry Jan, mine was a dirty job in order to quickly solve my problem. I think the correct way to solve the issue is to study the NTLM and NTLMv2 standard more deeply. Error 1 is the same I've got before patching the code, but I didn't spend much time analyzing the issue. I can try to solve the problem if someone can test the results (with community agreement).

have a nice day,
vittorio
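To see concretely how the two Type 1 blobs quoted above differ, here is an added Python parser (not OpenVPN's code and not from the thread) that decodes a base64 NTLM NEGOTIATE_MESSAGE using the MS-NLMP layout and reports its length, negotiate flags, and the domain/workstation fields; the flag names and the 32-byte fixed-part minimum are taken from MS-NLMP, and the two sample blobs are the ones from the thread.

```python
import base64
import struct

# NEGOTIATE_MESSAGE flag bits from MS-NLMP section 2.2.2.5 (subset used here)
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}

# The two Type 1 messages quoted in the thread (original OpenVPN one and the replacement).
ORIGINAL_TYPE1 = "TlRMTVNTUAABAAAAAgIAAA=="
PATCHED_TYPE1 = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="


def parse_type1(b64):
    """Decode a base64 NTLM Type 1 (NEGOTIATE_MESSAGE) into a dict of its fields.

    MS-NLMP fixes the first 32 bytes as Signature(8) MessageType(4)
    NegotiateFlags(4) DomainNameFields(8) WorkstationFields(8), optionally
    followed by Version(8).  Anything shorter is reported as not well formed,
    which is what a protocol dissector flags for a 16-byte message.
    """
    raw = base64.b64decode(b64)
    if raw[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError("not a Type 1 message: %d" % msg_type)
    info = {"length": len(raw), "flags": flags, "well_formed": len(raw) >= 32,
            "flag_names": sorted(n for b, n in NEGOTIATE_FLAGS.items() if flags & b)}
    if info["well_formed"]:
        # Each *Fields block is Len(2) MaxLen(2) BufferOffset(4), little-endian.
        dlen, _dmax, doff, wlen, _wmax, woff = struct.unpack_from("<HHIHHI", raw, 16)
        info["domain"] = raw[doff:doff + dlen]
        info["workstation"] = raw[woff:woff + wlen]
        if flags & 0x02000000 and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info["version"] = (major, minor, build)
    return info


if __name__ == "__main__":
    for blob in (ORIGINAL_TYPE1, PATCHED_TYPE1):
        print(parse_type1(blob))
```

The original 16-byte message carries only signature, type and flags 0x202 (OEM|NTLM), with no DomainNameFields/WorkstationFields at all; the replacement is a 40-byte message with flags 0xA2088207, empty domain and workstation buffers, and a Windows 5.1 build 2600 version block.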