From: Julien Chaffraix <>
Date: Wed, 27 Jul 2011 09:43:41 -0700

On Mon, Jul 25, 2011 at 3:28 AM, Kamil Dudka <> wrote:
> On Fri July 22 2011 20:07:06 Daniel Stenberg wrote:
>> Richard Silverman commented the following, which I believe didn't make it
>> through to the list:
>> ----
>> At least in the MIT Kerberos GSSAPI implementation, if you set
>> GSS_C_DELEG_POLICY_FLAG for gss_init_sec_context(), it will delegate if and
>> only if the OK-AS-DELEGATE flag is set in the service ticket.  So, I
>> propose three options for curl behavior:
>> 1) no delegation (default)
>> 2) delegate, but only if the ticket has OK-AS-DELEGATE
>> 3) unconditional delegation
>> ----
> Richard's proposal is now reflected in my incremental patch.  I am attaching
> both patches to be applied.  CURLOPT_GSSAPI_DELEGATION now takes values 0..2,
> 0 means 'no delegation' (default), 1 means 'delegate, but only if the ticket
> has OK-AS-DELEGATE' as long as this is supported by the GSSAPI implementation
> (otherwise equal to 0), and 2 means 'unconditional delegation'.

Just a couple of nits but it looks good to me. I guess Richard should
be the one to weigh in if he feels this meets his needs.

* 0, 1, 2 don't make good options. I can't remember if it is possible to
use an enum on our options but I would favor that (at least
internally). If not, named constants that people could use like:


would make the API, documentation and code more readable.

* It would be neat to mention GSS_C_DELEG_POLICY_FLAG in the
documentation as this is an external dependency that we have and it
will impact our behavior. Maybe it could be a new feature as this is
determined at compile time.


Received on 2011-07-27
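
The three delegation levels discussed in this thread, as an added C example that is not taken from the patch or from curl: the `DEMO_DELEG_*` names and `demo_deleg_req_flags()` are hypothetical, and `GSS_C_DELEG_FLAG` is defined locally with its RFC 2744 value only so the file builds without GSSAPI headers. Treating out-of-range values as "no delegation" is a choice made by this example.

```c
#include <stdio.h>

/* Normally from <gssapi/gssapi.h>; defined here with the RFC 2744 value so
 * the example builds without GSSAPI headers. GSS_C_DELEG_POLICY_FLAG is left
 * undefined unless the headers provide it (the compile-time dependency). */
#ifndef GSS_C_DELEG_FLAG
#define GSS_C_DELEG_FLAG 1
#endif

/* Hypothetical names for the 0..2 values discussed in the thread. */
enum demo_deleg {
  DEMO_DELEG_NONE = 0,   /* no delegation (default) */
  DEMO_DELEG_POLICY = 1, /* delegate only if the ticket has OK-AS-DELEGATE */
  DEMO_DELEG_ALWAYS = 2  /* unconditional delegation */
};

/* Returns the bits to OR into the req_flags of gss_init_sec_context() and
 * stores the level really in effect, so a caller can log a silent fallback
 * from "policy" to "none" on builds without GSS_C_DELEG_POLICY_FLAG. */
unsigned int demo_deleg_req_flags(long requested, int *effective)
{
  *effective = DEMO_DELEG_NONE; /* fail closed: 0 and unknown values */
  if(requested == DEMO_DELEG_ALWAYS) {
    *effective = DEMO_DELEG_ALWAYS;
    return GSS_C_DELEG_FLAG;
  }
#ifdef GSS_C_DELEG_POLICY_FLAG
  if(requested == DEMO_DELEG_POLICY) {
    *effective = DEMO_DELEG_POLICY;
    return GSS_C_DELEG_POLICY_FLAG;
  }
#endif
  return 0;
}

int main(void)
{
  long lvl;
  for(lvl = 0; lvl <= 3; lvl++) {
    int eff;
    unsigned int flags = demo_deleg_req_flags(lvl, &eff);
    printf("requested %ld -> effective %d, req_flags 0x%x\n", lvl, eff, flags);
  }
  return 0;
}
```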