views:

1169

answers:

3

Hello,

urllib2 doesn't seem to support HTTPS with proxy authentication in general, even less with NTLM authentication. Does anyone know if there is a patch somewhere for HTTPS on proxy with NTLM authentication?

Regards,

Laurent

A: 

http://code.google.com/p/python-ntlm/

I never tried with HTTPS but I think it should work.

EDIT: If you are using SSL Tunneling, proxy authentication is a bad idea.

Proxy using Basic Auth over HTTPS is not secure when the SSL is tunneled. Your password will be sent in clear (Base64-encoded) to the proxy. Lots of people assume the password will be encrypted inside SSL. It's not true in this case.

It's almost impossible to support other encrypted or hashed mechanisms like Digest/NTLM because they all require negotiation (multiple exchanges) and that's not defined in the CONNECT protocol. This negotiation happens out of band of the HTTP connection. It's very hard to implement in proxy/browser also.

If this is an enterprise proxy, IP ACL is the only secure solution.

ZZ Coder
HTTPS doesn't work with proxy using authentication in urllib2 because it seems that the CONNECT request doesn't pass the credentials. I was hoping someone had a patch for HTTPS with proxy using NTLM.
Laurent Luce
You are talking about HTTPS tunneling (proxy CONNECT). It's impossible to pass credentials. The proxy only gets the destination host/port and everything else is encrypted. The only security you can impose on a tunnel is an IP-based ACL.
ZZ Coder
In case of proxy with authentication (basic authentication for example), you need to pass the credentials in the connect command: "Proxy-Authorization: username/password hashed". It is a tunnel but you still need to authenticate with the proxy.
Laurent Luce
See my edits ............
ZZ Coder
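The point argued in the answer and comments above, as an added example that is not part of the original thread: the CONNECT request reaches the proxy before any TLS starts, so a Basic `Proxy-Authorization` value in it can be read back by anything that sees that hop. It assumes a plain-TCP client-to-proxy connection; the host, user and password are constructed sample values and the function names are hypothetical.

```python
import base64


def build_connect(host, port, user, password):
    """Return the plaintext CONNECT request a client sends to the proxy."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    lines = [
        f"CONNECT {host}:{port} HTTP/1.1",
        f"Host: {host}:{port}",
        f"Proxy-Authorization: Basic {token}",
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")


def exposed_basic_credentials(raw):
    """Audit a captured CONNECT request.

    Returns (target, user, password) when Basic credentials are readable
    from the handshake, otherwise None.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return None
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None  # e.g. an NTLM token is not a Base64 "user:password"
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except ValueError:  # covers bad Base64 and bad UTF-8
            return None
        user, _, password = decoded.partition(":")
        return parts[1], user, password
    return None


# Constructed sample: what the proxy hop carries before the TLS handshake.
CAPTURE = build_connect("example.org", 443, "alice", "s3cret-constructed")

if __name__ == "__main__":
    print(CAPTURE.decode("ascii"))
    print(exposed_basic_credentials(CAPTURE))
```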
A: 

Good recipe (for HTTPS w/proxy) and discussion here, it should be possible to meld that with the python-ntlm code @ZZ has already suggested.

Alex Martelli
That recipe works well in case of proxy with no authentication. It doesn't work in case of basic, digest or NTLM authentication. We have it working for basic authentication but we are looking for some help in case of NTLM authentication.
Laurent Luce
+2  A: 

Late reply. Urllib2 does not support NTLM proxying but pycurl does. Excerpt:

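import pycurl

# Create the curl handle and point it at the target HTTPS URL.
self._connection = pycurl.Curl()
self._connection.setopt(pycurl.URL, YOUR_URL)
# Route the request through the authenticating proxy.
self._connection.setopt(pycurl.PROXY, PROXY_HOST)
self._connection.setopt(pycurl.PROXYPORT, PROXY_PORT)
self._connection.setopt(pycurl.PROXYUSERPWD,
                        "%s:%s" % (PROXY_USER, PROXY_PASS))
# Ask libcurl to use NTLM for proxy authentication (its default is Basic).
self._connection.setopt(pycurl.PROXYAUTH, pycurl.HTTPAUTH_NTLM)
...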
lemonad