curl-library
RE: Order of SMTP auth methods (was RE: introduced an auth callback)
Date: Sat, 7 Jul 2012 14:36:22 +0100

Hi Joe,

> > The current SMTP implementation performs the selection based on
> > what we think is the most secure ;-) I think this needs to change to
> > honour what the server has told us, however, I'm not too sure
> > whether there is a valid use case for an application using curl to
> > override that and say actually, I want to use NTLM before GSSAPI (in
> > the above examples).
>
> Why would you want to use the order the server lists? In the HTTP
> world, the standard is to choose the most secure auth available, to
> guard against broken servers that just return their supported auth
> methods in random order (say, the order they appear in a config file).
> I'd be surprised to find that there don't exist broken SMTP servers that
> put the least secure before the most secure. What value is there in
> choosing a less secure auth scheme when the server has indicated
> that it supports a more secure one?

Over the last month or so I've started to come to the conclusion that, like
you mention above, servers can and will send the list to the client in
whatever order they feel like. As such I don't think there is much point in
worrying about the order of authentication mechanisms at the moment.

Kind Regards

Steve
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-07-07
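
Added example, not part of the original message and not curl's own code: a client that ranks the mechanisms itself, so the order in which the server happens to list them in its EHLO reply has no effect on the choice. The ranking in `pref`, the function name `pick_auth` and the sample EHLO reply are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Client-side preference, strongest first (assumed ranking for this example). */
static const char *const pref[] = {
  "GSSAPI", "NTLM", "DIGEST-MD5", "CRAM-MD5", "LOGIN", "PLAIN"
};
#define NPREF (sizeof(pref) / sizeof(pref[0]))

/* Return the client's most preferred mechanism found in an EHLO reply, or NULL. */
const char *pick_auth(const char *ehlo)
{
  size_t best = NPREF;           /* index into pref[]; NPREF means "none yet" */
  const char *line = ehlo;

  while(line && *line) {
    const char *eol = strpbrk(line, "\r\n");
    size_t len = eol ? (size_t)(eol - line) : strlen(line);
    /* Capability lines look like "250-AUTH ..." or "250 AUTH ..." */
    if(len > 9 && !strncmp(line, "250", 3) &&
       (line[3] == '-' || line[3] == ' ') && !strncasecmp(line + 4, "AUTH ", 5)) {
      const char *p = line + 9, *end = line + len;
      while(p < end) {
        size_t tok = 0, i;
        while(p < end && *p == ' ') p++;                /* skip separators */
        while(p + tok < end && p[tok] != ' ') tok++;    /* measure one token */
        for(i = 0; i < best; i++)        /* only a stronger entry can replace best */
          if(strlen(pref[i]) == tok && !strncasecmp(p, pref[i], tok))
            best = i;
        p += tok;
      }
    }
    line = eol ? eol + strspn(eol, "\r\n") : NULL;      /* advance past CRLF */
  }
  return best < NPREF ? pref[best] : NULL;
}

int main(void)
{
  /* Constructed EHLO reply: the server lists its weakest mechanism first. */
  const char *r =
    "250-mail.example.test\r\n250-AUTH PLAIN LOGIN NTLM GSSAPI\r\n250 SIZE 1000\r\n";
  const char *m = pick_auth(r);
  printf("selected: %s\n", m ? m : "(none)");
  return 0;
}
```

Mechanisms the client does not know are ignored, and a reply with no AUTH line yields NULL so the caller can decide whether to proceed unauthenticated.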