curl-library
Re: Problem with NEGOTIATE-Proxy-Authentication and not reusing underlying TCP-Connections
Date: Thu, 23 Oct 2014 09:55:15 +0200 (CEST)
On Wed, 22 Oct 2014, Stefan Bühler wrote:
> And afaict both authenticate the connection (both squid3 and MS Proxy work
> that way) and not the request. Negotiate is basically a wrapper around NTLM
> that also supports Kerberos; squid3 contains a negotiate_wrapper that takes
> a NTLM and a Kerberos authenticator
It is that two different actual protocols thing that has kept me confused,
because Kerberos authentication should be possible to do on a per-request
basis while NTLM is a per-connection thing. I'm now thinking that Negotiate
perhaps always have to be considered to be per-connection for it to work
properly.
This of course requires some adjustments in the code to make it so.
> So: IMHO the header should always be cleaned up, and the authentication
> states should be moved to the connection state; because Digest will break
> even with this patch, as you need the counter - Basic auth ofc works if you
> don't cleanup the header.
HTTP authentication is not associated to the exact TCP connection so it cannot
always be stored on a per-connection basis. HTTP and libcurl can keep the
authenticated state even when creating new connections to continue on.
Connection-based authentication methods are violators of the HTTP spec and
thus we handle them separately from the "normal" ones. We need to start
handling Negotiate as we handle NTLM I guess.
-- / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-10-23