This article is aimed at those who have trouble getting OpenVPN to talk to proxies that require NTLM authentication.
At the time of writing, the OpenVPN version is 2.1.3; later versions may not suffer from the same problem.
Using NTLM authentication I noticed that the communication stops right after the client sends the Type 1 message. In practice the proxy does not bother to give any response at all, negative or positive.
For more information on the NTLM exchange you can visit this site:
http://davenport.sourceforge.net/ntlm.html
Looking at the source code I noticed that the string the client sends to the proxy is the following:
TlRMTVNTUAABAAAAAgIAAA==
and it is a constant defined in the file ntlm.c.
After running a few tests with a network sniffer I realised that other programs, such as Firefox, work perfectly with the proxy, so I asked myself what the differences were. Indeed, the phase 1 message sent by the browser is substantially different:
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
and seems to be better received.
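To make the difference between the two strings concrete, here is an added Python example (not part of the original post and not OpenVPN's code) that decodes both base64 Type 1 messages and breaks them down into the fields described on the davenport page: the NTLMSSP signature, the message type, the negotiate flags, the optional domain and workstation security buffers, and the OS version block. The two constants are taken from the post; the flag names are the standard NTLM ones, and only the bits needed to account for these two messages are listed.

```python
import base64
import struct

# The two NTLM Type 1 (negotiate) messages quoted in the post:
# the constant from OpenVPN 2.1.3's ntlm.c and the one captured from Firefox.
OPENVPN_TYPE1 = "TlRMTVNTUAABAAAAAgIAAA=="
FIREFOX_TYPE1 = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="

# Negotiate flag bits as documented at http://davenport.sourceforge.net/ntlm.html
# (only the bits that occur in the two messages above are listed).
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_NTLM2_KEY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}
KNOWN_MASK = sum(NTLM_FLAGS)


def _security_buffer(raw, offset):
    """Read an NTLM security buffer (length, max length, offset) and return its bytes."""
    length, _maxlen, start = struct.unpack_from("<HHI", raw, offset)
    return raw[start:start + length]


def parse_type1(b64):
    """Decode a base64 NTLM Type 1 message into its fields.

    Only the first 16 bytes (signature, type, flags) are mandatory. The
    domain/workstation buffers and the version block are reported as None
    when the message is too short to contain them.
    """
    raw = base64.b64decode(b64)
    if len(raw) < 16 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError("expected a Type 1 message, got type %d" % msg_type)

    info = {
        "length": len(raw),
        "flags": flags,
        "flag_names": sorted(n for bit, n in NTLM_FLAGS.items() if flags & bit),
        "unknown_bits": flags & ~KNOWN_MASK,
        "domain": None,
        "workstation": None,
        "version": None,
    }
    if len(raw) >= 32:
        # Domain and workstation are OEM (8-bit) strings; both are empty
        # in the Firefox message, but the buffers themselves are present.
        info["domain"] = _security_buffer(raw, 16).decode("latin-1")
        info["workstation"] = _security_buffer(raw, 24).decode("latin-1")
    if len(raw) >= 40 and flags & 0x02000000:
        # Version block: major, minor, build, 3 reserved bytes, NTLMSSP revision.
        major, minor, build, revision = struct.unpack_from("<BBH3xB", raw, 32)
        info["version"] = (major, minor, build, revision)
    return info


def added_flags(old_b64, new_b64):
    """Flag names present in the second message but not in the first."""
    old = parse_type1(old_b64)["flags"]
    new = parse_type1(new_b64)["flags"]
    return sorted(n for bit, n in NTLM_FLAGS.items() if (new & ~old) & bit)


if __name__ == "__main__":
    for label, msg in (("openvpn", OPENVPN_TYPE1), ("firefox", FIREFOX_TYPE1)):
        print(label, parse_type1(msg))
    print("added by firefox:", added_flags(OPENVPN_TYPE1, FIREFOX_TYPE1))
```

Running it shows that the OpenVPN constant is the bare 16-byte minimum (flags 0x00000202: Negotiate OEM and Negotiate NTLM, no security buffers, no version), while the Firefox message is 40 bytes with flags 0xa2088207: it additionally offers Unicode, Request Target, Always Sign, NTLM2 session security and 128/56-bit keys, carries empty domain and workstation buffers, and ends with a version block (5.1 build 2600, revision 15). The flags a client offers bound what the proxy can negotiate, so a minimal message that omits NTLM2 session security is also asking for the weaker variants of the protocol; the post only observes that the proxy stops responding to it.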
At this point I modified the source code on the only line that needed changing:
const char *
ntlm_phase_1 (const struct http_proxy_info *p, struct gc_arena *gc)
{
  struct buffer out = alloc_buf_gc (96, gc);
  /* NTLM Type 1 (negotiate) message
   *
   * http://davenport.sourceforge.net/ntlm.html
   *
   * The original constant (commented out below) contained only the
   * NTLMSSP signature, the NTLM message type and the minimal set of
   * flags (Negotiate NTLM and Negotiate OEM). The replacement is the
   * Type 1 message observed from Firefox, which also carries a fuller
   * flag set, empty domain/workstation buffers and an OS version block.
   */
  /* buf_printf (&out, "%s", "TlRMTVNTUAABAAAAAgIAAA=="); */
  buf_printf (&out, "%s", "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==");
  return (BSTR (&out));
}
and after recompiling the executable, everything works correctly.
See you next time.
Thank you! This change worked for me….
A patch file with other changes is available here: http://www.morzello.com/repository/network/openvpn-2.1.4-ntlm-patch.zip
Hi,
Do you have a patched file for v2.2.1?
Because the problem is in v2.2.1 too.
Did you try to apply this anyway? I think we should submit a request in order to permanently solve this issue.
Hi,
I spent a whole night building openvpn 2.2.1 with your patch…
Now I have two problems.
1) If I use Visual Studio 2010, I can build and run openvpn.exe, but it can't connect to my server because I always get the following:
Thu Nov 10 14:02:05 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Nov 10 2011
Thu Nov 10 14:02:05 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Nov 10 14:02:05 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Nov 10 14:02:05 2011 LZO compression initialized
Thu Nov 10 14:02:05 2011 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Nov 10 14:02:05 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Nov 10 14:02:05 2011 RESOLVE: NOTE: proxy.xxxx.xxx resolves to 2 addresses
Thu Nov 10 14:02:05 2011 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Nov 10 14:02:05 2011 Local Options hash (VER=V4): '69109d17'
Thu Nov 10 14:02:05 2011 Expected Remote Options hash (VER=V4): 'c0103fa8'
Thu Nov 10 14:02:05 2011 Attempting to establish TCP connection with xxx.xxx.xxx.xxx:8080 [nonblock]
Thu Nov 10 14:02:05 2011 TCP: connect to xxx.xxx.xxx.xxx:8080 failed, will try again in 5 seconds: Operation would block (WSAEWOULDBLOCK)
Thu Nov 10 14:02:10 2011 RESOLVE: NOTE: proxy.xxxx.xxx resolves to 2 addresses
Thu Nov 10 14:02:10 2011 TCP: connect to yyy.yyy.yyy.yyy:8080 failed, will try again in 5 seconds: Operation would block (WSAEWOULDBLOCK)
Thu Nov 10 14:02:15 2011 RESOLVE: NOTE: proxy.xxxx.xxx resolves to 2 addresses
Thu Nov 10 14:02:15 2011 TCP: connect to xxx.xxx.xxx.xxx:8080 failed, will try again in 5 seconds: Operation would block (WSAEWOULDBLOCK)
Thu Nov 10 14:02:20 2011 RESOLVE: NOTE: proxy.xxxx.xxx resolves to 2 addresses
Thu Nov 10 14:02:20 2011 TCP: connect to yyy.yyy.yyy.yyy:8080 failed, will try again in 5 seconds: Operation would block (WSAEWOULDBLOCK)
…
2) If I build it with Visual Studio 2008 I can't run openvpn.exe; if I do, I only get a message box with this error:
Runtime Error!
Program: c:\Program Files\OpenVPN\bin\openvpn.exe
R6034
An Application has made an attempt to load the C runtime library incorrectly.
Please contact the application’s support team for more information.
I have tested it with many versions of the msvcr90.dll but nothing worked.
Hi, are you sure you reach the proxy server? Do you have this issue with a non-patched version of openvpn?
I just know that the two proxy IPs are correct and I think it can't connect (your 2.1.4 fixed exe can).
I'm not a C++ developer; 98% of my business is .NET. I don't know why the VS2008 version can't even run.
I’ll try to apply the current patch to the last software release if you like. Let me know.
Yes please, that would be great!
Did it work?
I sent you an email with a new exe but you didn’t reply.