

Re: Order of HTTP auth schemes

From: Yves Arrouye <>
Date: Wed, 27 Mar 2013 15:32:51 -0700

I also think that the server was the issue: if it advertises many
authentication schemes but does not work with all of them, maybe it should
not advertise the ones that it doesn't work with! Was the server a
commonly available one?


On 3/27/13 3:09 PM, "Daniel Stenberg" <> wrote:

>On Wed, 27 Mar 2013, Joe Mason wrote:
>> When a site advertises several HTTP auth schemes in a 401 response, the
>> agent is expected to choose the "best" that it supports. The standard
>> practice is to use the order:
>> Negotiate
>> Digest
>> Basic
>> See
>> for example:
>I've read most of the available HTTP auth specs at least twice. I'm quite
>that there's no such thing as a prio list anywhere in any HTTP (auth)
>But sure, Chromium clearly uses that order and since the browser teams tend to
>copy each other very closely I can quickly guess that all the other big
>browsers do it in the same way.
>> curl prioritizes "Digest" ahead of "NTLM":
>> What's the reason for this, and would you be open to swapping it?
>I came up with our existing order and as I'm not convinced that NTLM is
>automatically a better auth than Digest, I made Digest preferred since it
>is a real documented standard and B) follows HTTP paradigms that NTLM
>I'm open to changing the order, sure.
>> I wonder if there should be an option to set the priorities for each -
>> although I recommend hardcoding BASIC to be the lowest priority.
>I've considered but I've never figured out a proper use case for when
>would actually want a different order. The point of the order is to select one
>out of N working ones. It shouldn't be possible to select the wrong one from a
>functional standpoint, so the list should really be in a rough "most
>order and I can't think of good reasons why the secure order would
>change. Can
>But then we've also had similar considerations for the auth methods for
>of the emailing protocols so possibly there is something we should do
>> I found a server with a broken Digest setup. Every desktop browser I
>> used NTLM auth and was able to log in fine, but our curl-based browser
>> Digest and the server wouldn't accept any passwords. Users complained.
>So it helped you find a problem in that server! ;-P

Received on 2013-03-27
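As an added illustration of the selection step the thread debates (example code, not curl's implementation and not written by anyone in the thread): parse every challenge a 401 advertises and pick one by a preference list, with Basic pinned last as Joe suggests. It compares the browser order with the Digest-before-NTLM order curl used at the time; the header values are constructed.

```python
import re
# Preference lists discussed in the thread (lower-cased scheme names, best first).
BROWSER_ORDER = ["negotiate", "ntlm", "digest", "basic"]    # Chromium and friends
CURL_2013_ORDER = ["negotiate", "digest", "ntlm", "basic"]  # curl then: Digest before NTLM
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
# One lexical unit of WWW-Authenticate: an auth-param (token or quoted-string value),
# a bare scheme name, or the comma separating challenges and params.
_PART = re.compile(
    rf'\s*(?:(?P<param>{_TCHAR}+)\s*=\s*(?P<value>"(?:[^"\\]|\\.)*"|{_TCHAR}+)'
    rf"|(?P<scheme>{_TCHAR}+)|(?P<comma>,))"
)

def parse_challenges(header_values):
    """Map each advertised scheme (lower-cased) to its auth-params. Several headers equal
    one comma-joined list, and quoted values may hold commas (qop="auth,auth-int"), so a
    plain split on ',' is wrong. Assumes a first-leg 401 carries no token68 blobs."""
    text = ", ".join(header_values).strip()
    challenges, current, pos = {}, None, 0
    while pos < len(text):
        m = _PART.match(text, pos)
        if m is None:
            raise ValueError(f"malformed challenge at offset {pos}: {text[pos:pos + 20]!r}")
        pos = m.end()
        if m.group("comma"):
            continue
        if m.group("scheme"):
            current = m.group("scheme").lower()
            challenges.setdefault(current, {})
        elif current is None:
            raise ValueError("auth-param before any scheme name")
        else:
            value = m.group("value")
            if value.startswith('"'):  # strip quotes and undo backslash escapes
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            challenges[current][m.group("param").lower()] = value
    return challenges

def pick_scheme(challenges, supported, preference=BROWSER_ORDER):
    """First mutually supported scheme in preference order, with Basic pinned last.
    Nothing retries another scheme if the chosen one is broken server-side."""
    order = [s for s in preference if s != "basic"] + ["basic"]
    wanted = {s.lower() for s in supported}
    return next((s for s in order if s in challenges and s in wanted), None)

# Constructed 401 headers (not from a real server): every scheme offered, Digest broken.
CONSTRUCTED_401 = [
    "Negotiate", "NTLM",
    'Digest realm="intranet", qop="auth,auth-int", nonce="dcd98b71", algorithm=MD5',
    'Basic realm="intranet"',
]
```

With a client that has no Kerberos ticket (supports NTLM, Digest and Basic), the browser order answers the constructed 401 with NTLM and logs in, while the 2013 curl order answers with the broken Digest and never tries anything else.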