cURL / Mailing Lists / curl-library / Single Mail


Re: RE: [PATCH] SF bug #1302: HTTP Auth Negotiate sends Kerberos token instead of SPNEGO token

From: Michael-O <>
Date: Wed, 28 May 2014 11:52:30 +0200

> Gesendet: Mittwoch, 28. Mai 2014 um 11:29 Uhr
> Von: "Yehezkel Horowitz" <>
> An: "libcurl development" <>
> Betreff: RE: [PATCH] SF bug #1302: HTTP Auth Negotiate sends Kerberos token instead of SPNEGO token
> >> I'm sorry but this is not my expert area. SPNEGO and Negotiate aren't
> >> the same things, are they? Can't you do Negotiate that isn't SPNEGO?
> > Technically, they are but different names for problem areas.
> >...
> > Further improvement will come here too from me. Clean up code and docs.
> There are servers that enforce you to use SPNEGO API which is implemented in fbopenssl, but most of servers will just accept Kerberos authentication for which you should use krb5 library (which also has GSS-API implementation for Kerberos authentication).
> I learned this by removing the SPNEGO support during configure phase of libcurl (as I thought this is very old API and no one use it anymore) and after that I got complains about servers that couldn't be connected (authenticated) with my library...

If a server requests Negotiate, it expects a SPNEGO token as per RFC 4178, if the server expects something else, that is custom. If your server requires Kerberos only, it should so advertise WWW-Authenticate: Kerberos. This is what Microsoft IIS and TMG (proxy) do. To implement that correctly, curl should implement both.
> >> After all, I thought the fbopenssl was almost extinct and I guess not
> >> many more than a handful of users ever built curl with it.
> Count me in this list of users (at least till no server will enforce SPNEGO).
> >Unfortunately, I have because there is no other way. I am working on improving libcurl to use GSS-API directly and then we can burry fbopenssl once and for all.
> AFAIK, GSS-API is implemented in krb5 library and libcurl use this API (and not Kerberos API), but for servers who enforce support of SPNEGO - you must use SPNEGO API (which the only open-source implementation I know is fbopenssl).
> BTW - what is the problem you are coming to fix?

Add --with-native-spnego and move --with-spnego to --with-fbopenssl-spnego. Most GSS-API now support SPNEGO out of the box, I want to implement that in libcurl finally. For those, wo don', can still compile wih fbopenssl, e.g. me here on HP-UX and stoneage MIT Kerberos.

List admin:
Received on 2014-05-28