curl-library

SSL and basic authentication.

From: Josef Wolf <jw_at_raven.inka.de>
Date: Tue, 21 Oct 2008 21:13:09 +0200

Hello,

I am trying to understand how to correctly use curl with SSL and basic
authentication.

I started investigating because I tried to set up a git repository with
SSL and basic authentication. It seems to me like git doesn't use libcurl
in the way libcurl is meant to be used. But I am new to both, git _and_
libcurl, so I am not sure whether my guess is correct.

I have written more details about my setup in

  http://marc.info/?l=git&m=122426078301793&w=2

But before I start asking questions about how git uses curl, I want to
get some basic understanding, so I did some tests.

First question is: what is the default place where curl searches for
CA certificates? I have to explicitly use the --cacert or the --capath
options if I want to use the certificates that come with openssl.

As a workaround, I put this into ~/.curlrc:

  $ echo -- --capath /etc/ssl/certs > ~/.curlrc

Now I try authentication:

  $ curl https://test.host/git/test1/HEAD
  [ 401 error ]
  $ curl https://user@test.host/git/test1/HEAD
  [ 401 error ]
  $ curl --user user https://test.host/git/test1/HEAD
  Enter host password for user 'user':
  [ works ]

Curl asks me for a password and retrieves the file only if I supply
the --user option.

First problem is, prefixing user in front of hostname doesn't work.
IMHO, this is a bug in curl, since this format is explicitly documented.

Next problem is that curl doesn't ask for credentials on a 401 error. Is
this really the right thing to do? I always thought that on 401,
the user-agent should present the realm, ask the user for credentials,
and finally retry the request with the supplied credentials. At least,
this is how I understand

  http://en.wikipedia.org/wiki/Basic_access_authentication#Example

For example, libwww allows installing a callback to help the client
find out which user/password combination to supply for a given
URL/Realm combination.

Next, I try to find out how to use libcurl so that it asks me for a
password:

  $ curl --libcurl x.c --user user https://test.host/git/test1/HEAD >/dev/null
  Enter host password for user 'user':

The resulting source file retrieves the URL without asking me for a
password. When I remove the CURLOPT_USERPWD setting, the retrieval
fails again.

Opinions?
Received on 2008-10-21
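
The 401 challenge-and-retry exchange described in the message above, as an added example (not part of the original mail and not libcurl code): it parses the realm from a `WWW-Authenticate: Basic` challenge and builds the `Authorization` header a client sends on the retry. The function names and buffer sizes are assumptions for illustration, and the realm lookup is simplified to a literal `realm="` parameter.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Extract the realm from a challenge value such as
 * Basic realm="Secure Area". Returns 0 on success, -1 otherwise. */
int basic_realm(const char *challenge, char *realm, size_t cap)
{
    static const char scheme[] = "basic ";
    for (size_t i = 0; i < 6; i++)      /* scheme name is case-insensitive */
        if (tolower((unsigned char)challenge[i]) != scheme[i])
            return -1;                  /* Digest, Negotiate, ...: not ours */
    const char *p = strstr(challenge, "realm=\"");
    if (!p)
        return -1;
    p += 7;
    const char *end = strchr(p, '"');
    if (!end || (size_t)(end - p) >= cap)
        return -1;                      /* unterminated or too long */
    memcpy(realm, p, (size_t)(end - p));
    realm[end - p] = '\0';
    return 0;
}

/* Build "Authorization: Basic <base64(user:password)>" for the retry. */
int basic_authorization(const char *user, const char *password,
                        char *out, size_t cap)
{
    static const char b64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    char cred[256];
    int n = snprintf(cred, sizeof cred, "%s:%s", user, password);
    if (n < 0 || (size_t)n >= sizeof cred)
        return -1;
    int len = snprintf(out, cap, "Authorization: Basic ");
    if ((size_t)len + 4 * (((size_t)n + 2) / 3) + 1 > cap)
        return -1;                      /* output buffer too small */
    for (int i = 0; i < n; i += 3) {    /* 3 input bytes -> 4 output chars */
        unsigned v = (unsigned)(unsigned char)cred[i] << 16;
        if (i + 1 < n) v |= (unsigned)(unsigned char)cred[i + 1] << 8;
        if (i + 2 < n) v |= (unsigned char)cred[i + 2];
        out[len++] = b64[(v >> 18) & 63];
        out[len++] = b64[(v >> 12) & 63];
        out[len++] = i + 1 < n ? b64[(v >> 6) & 63] : '=';
        out[len++] = i + 2 < n ? b64[v & 63] : '=';
    }
    out[len] = '\0';
    return 0;
}
```

The header value is only base64-encoded, so the password is recoverable by anyone who can read the request; the CA verification configured with `--cacert` or `--capath` is what protects it in transit.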