GNOME Bugzilla – Bug 670394
Handle HTTP error 511 Network Authentication Required (standard secure proxy authentification/captive portal detection)
Last modified: 2015-08-07 16:25:00 UTC
Since https://bugzilla.mozilla.org/show_bug.cgi?id=479880 there is no clean way for a proxy or captive portal to get a client to display an authentication dialog when user credentials expire while he is browsing on an https website. (to be sure, the previous methods were insecure and hackish but they existed because nothing better was available) The IETF finally set up to fix this problem and defined a standard HTTP error that let access control equipments tell the client authentication or re-authentication is needed and where the authentication form is located. http://tools.ietf.org/id/draft-nottingham-http-new-status-04.txt (since error 511 uses out-of-band authentication it is possible for the client to only trust specific certs on error 511 and protect the user) -> <http://www.rfc-editor.org/queue2.html#draft-nottingham-http-new-status> (the spec is approved and in the queue for publication as RFC) NetworkManager should http-probe new networks (using an public website as target) and display the proxy/captive portal auth page if an error 511 is returned
Isn't this a dupe of bug 609870?
No, this RFE is a way to handle RFC-compliant portals, while I'm sure people will put all kinds of fugly workarounds under bug #609870
(btw the corresponding RFC has been finalized and published by the ietf now)
I'm working on that should push a series of patches very soon.
(In reply to comment #4) > I'm working on that should push a series of patches very soon. Still active?
I've sent them in February: https://mail.gnome.org/archives/networkmanager-list/2013-February/msg00031.html they were rejected, so, I'm not working on this anymore.
I don't think they were actively rejected, they just sort of stalled...
(In reply to comment #6) > I've sent them in February: > https://mail.gnome.org/archives/networkmanager-list/2013-February/msg00031.html > > they were rejected, so, I'm not working on this anymore. I don't see anything that would suggest rejection. If you are still interested, please let us know and be patient with us.
Pushed a patch to git master that explicity checks for 511 response. The actual parsing and URL stuff should be left to the portal login UI, which would be parsing the response anyway to look for WISPR or whatever other stuff a portal might send. 6a81daf1cb1fe68feb37296adcbcbcf7d2289d54
(In reply to Dan Williams from comment #9) > Pushed a patch to git master that explicity checks for 511 response. The > actual parsing and URL stuff should be left to the portal login UI, which > would be parsing the response anyway to look for WISPR or whatever other > stuff a portal might send. Can you file a bug against gnome-shell's portal helper component, describing what that would entail?
(In reply to Bastien Nocera from comment #10) > (In reply to Dan Williams from comment #9) > > Pushed a patch to git master that explicity checks for 511 response. The > > actual parsing and URL stuff should be left to the portal login UI, which > > would be parsing the response anyway to look for WISPR or whatever other > > stuff a portal might send. > > Can you file a bug against gnome-shell's portal helper component, describing > what that would entail? https://bugzilla.gnome.org/show_bug.cgi?id=753362