cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Request to review the code changes for NTLMv2 Support in Curl

From: Prash Dush <pradush123_at_gmail.com>
Date: Tue, 28 Jan 2014 23:47:13 +0530

Hi Steve/Daniel,

Thank you for your efforts in making the NTLMv2 patch ready to merge after
the pending release.
Wanted to get a confirmation from you if NTLMv2 support will be released
with libcurl 7.36.0, or do we see it coming in a later release ?

Regards,
Prashant

On Sun, Jan 26, 2014 at 4:05 AM, Daniel Stenberg <daniel_at_haxx.se> wrote:

> On Sat, 25 Jan 2014, Steve Holme wrote:
>
> I have these patches in a local branch here and am ready to apply them
>> after the pending release - unless anyone else has any other comments.
>> Note: I would recommend we combine some of the first 6 patches into a
>> single patch as I don't think there is any need to show the copyright, and
>> other minor corrections as separate commits but I wanted to list them
>> individually here so everyone can see the differences.
>>
>
> Thanks for grabbing the ball. I've glanced over your patches and they look
> fine and since I know you've looked at them at least slightly closer than
> me I'm confident enough they are in a good enough shape to get merged for
> testing pretty much immediately after 7.35.0.
>
> Option 1:
>>
>> Update the generated Type 3 message in the existing test harnesses to
>> contain the extra NTLMv2 information.
>>
>
> As long as we know the updated stuff also works fine with NTLMv1 servers I
> think this is fine. But...
>
> a) Add support for USE_NTLM_V2 so that developers can turn v2 support on
>> or
>> off
>>
>
> ... I think there may be reasons to allow applications at least to select
> NTLMv2 only. The reason for this being that NTLM is deemed insecure, or at
> least less secure than NTLMv2. For Firefox there's a discussion about
> disabling NTLMv1 completely:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=828183
>
> b) Add "NTLMv2" as a string in the curl features list - as displayed with
>> "curl --version"
>>
>
> But will there be any version/build of libcurl that supports NTLM but not
> NTLMv2 once we add this support?
>
> As a timestamp is included in the NTLMv2 information - the code will need
>> a minor tweak so that this timestamp is consistent in DEBUG builds and
>> doesn't vary - similar to what I have done with the MD5-DIGEST tests [4]
>> for IMAP, POP3 and SMTP. This will mean that the same timestamp is used
>> under debug builds so that the message generation is consistent.
>>
>
> Right, we already add the hostname in NTLM using that method so doing it
> for yet another field shouldn't be a biggie.
>
> --
>
> / daniel.haxx.se
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-01-28