Polygraph v3.1.5 available

Alex Rousskov rousskov at measurement-factory.com
Thu Mar 13 17:44:02 UTC 2008

Hi there,

	Polygraph version 3.1.5 is now available at

This major public release includes NTLM authentication support. NTLMSPP
authentication is working in our tests. GSSAPI (a.k.a., SPNEGO)
algorithm is implemented but untested (we are waiting for a proxy with
GSSAPI support). Authentication documentation is available at

This release also includes foreign content handling improvements,
portability improvements and bug fixes. The code has been in use by
Factory customers for a while and appears to be stable. The change log
for the entire 3.1 branch is quoted below.


----------- change log -----------------
version 3.1.5

- Initial and mostly untested support for NTLM/GSSAPI proxy
  authentication. We need to find a proxy that supports
  NTLM/GSSAPI to test this feature.

- Added support for recycling or sharing of SSL certificates that
  have identical generation parameters. The support is enabled
  by setting PGL SslWrap::sharing_group to a non-empty string.
  The certificates within the same group will be shared if their
  openssl generation commands are the same.
  Sharing provides significant speedup in Polygraph start times
  when hundreds of servers require certificate generation.
- Some Linux kernels have gettimeofday bugs that cause time
  jumps of approximately 72 minutes, especially on SMP systems.
  We saw it on an 8-CPU box running 2.6.18-8.el5. For 2002
  discussion, start at
  We now try to ignore individual jumps exceeding 60 minutes. If
  the time did change, the change will be honored during the
  second gettimeofday() call.

- Make NTLM code compile when SSL is disabled. Polygraph will
  assert if NTLM is used without SSL support because it needs
  SSL code for NTLM.

- Removed extra terminating CRLF after CONNECT headers.

version 3.1.4

- Use the first (top) supported Proxy-Authenticate method
  instead of the last one.

- Use the last '@' in NTLM credentials to separate the host name
  from the user name because the user name itself may contain '@'.

- Robots were not parsing some CONNECT responses correctly.

- Send full Request URL only if we are talking directly to a
  proxy. Sending an HTTP request inside the CONNECT transaction
  is not talking directly to a proxy.

- Do not try to parse content as markup if we are not going to
  request embedded objects due to non-positive embed_recur.

version 3.1.3

- Tolerate binary log "level" statistics with negative mean level
  data, which may be caused by level sum overflow.

- Fixed --log and --sample_log command-line option descriptions.
  (Mikhail Fedotov).

- Removed no longer used or maintained nmake-specific Makefiles.

version 3.1.1

- Fixed the 'theInOff <= theCapacity' assertion.

version 3.1.0

- Support client-side NTLM authentication with proxies.

- Fixed a bug resulting in a stuck client transaction when the
  HTTP request did not fit into a single I/O.

- Make GCC4 on Ubuntu6 happier (Mikhail Fedotov).

More information about the Users mailing list