cURL / Mailing Lists / curl-library / Single Mail


RE: Order of HTTP auth schemes

From: Joe Mason <>
Date: Wed, 27 Mar 2013 20:33:12 +0000

I sent this to the list a few minutes ago, but I forgot that I hadn't re-subscribed with my new email address, so it might have been eaten as a post from a non-member. Apologies if it comes through twice.

When a site advertises several HTTP auth schemes in a 401 response, the user agent is expected to choose the "best" that it supports. The standard practice is to use the order:


See, for example:

> When a server or proxy accepts multiple authentication schemes, our network stack selects the authentication
> scheme with the highest score:
> Basic: 1
> Digest: 2
> NTLM: 3
> Negotiate: 4
> The Basic scheme has the lowest score because it sends the username/password unencrypted to the server or
> proxy.

However, in the pickoneauth function, curl prioritizes "Digest" ahead of "NTLM":

    pick->picked = CURLAUTH_GSSNEGOTIATE;
  else if(avail & CURLAUTH_DIGEST)
    pick->picked = CURLAUTH_DIGEST;
  else if(avail & CURLAUTH_NTLM)
    pick->picked = CURLAUTH_NTLM;
  else if(avail & CURLAUTH_NTLM_WB)
    pick->picked = CURLAUTH_NTLM_WB;
  else if(avail & CURLAUTH_BASIC)
    pick->picked = CURLAUTH_BASIC;

What's the reason for this, and would you be open to swapping it?

I wonder if there should be an option to set the priorities for each - although I recommend hardcoding BASIC to be the lowest priority.

(I've actually looked at that code a hundred times and never noticed it wasn't NTLM than Digest, because the "standard order" was so ingrained into me, until I found a server with a broken Digest setup. Every desktop browser I tried used NTLM auth and was able to log in fine, but our curl-based browser chose Digest and the server wouldn't accept any passwords. Users complained.)

This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.

List admin:
Received on 2013-03-27