cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCH] SF bug #1302: HTTP Auth Negotiate sends Kerberos token instead of SPNEGO token

From: Michael Osipov <1983-01-06_at_gmx.net>
Date: Fri, 11 Jul 2014 11:24:42 +0200

Am 2014-07-10 18:04, schrieb David Woodhouse:
> On Mon, 2014-05-26 at 22:50 +0200, Michael Osipov wrote:
>> Hi folks,
>>
>> I am the originator of this ticket but was not able to provide a
>> suitable patch up until now.
>> The changes and reasons in/for this patch:
>>
>> Due to missing #ifdefs, curl tries to perform SPNEGO auth even if it has
>> been compiled w/o fbopenssl SPNEGO library. Now, Negotiate works, if and
>> only if, SPNEGO support has bin compiled in, requiring GSS-API is
>> present and enabled --with-gssapi.
>>
>> Git diff: https://github.com/michael-o/curl/compare/HEAD...a893c7e
>>
>> Patch has been tested on Ubuntu and HP-UX.
>
> Wow, Curl has a very.... interesting way of implementing SPNEGO. Most
> people would just ask the GSSAPI library to do SPNEGO.
>

That is absolutely true. This is an area which I want to improve in curl
mid-term. The reason for fbopenssl was probably some one did not hav a
capable GSS-API version. I waiting for this patch to be merged and then
I could adapt configure.ac and patch the source code in a way were FTP
and SOCKS use KRB5_MECHANISM and HTTP uses SPNEGO_MECHANISM.

There is room for improvement.

Michael

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-07-11