
curl-library

Re: Problem with NEGOTIATE-Proxy-Authentication and not reusing underlying TCP-Connections

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 23 Oct 2014 09:55:15 +0200 (CEST)

On Wed, 22 Oct 2014, Stefan Bühler wrote:

> And afaict both authenticate the connection (both squid3 and MS Proxy work
> that way) and not the request. Negotiate is basically a wrapper around NTLM
> that also supports Kerberos; squid3 contains a negotiate_wrapper that takes
> a NTLM and a Kerberos authenticator

It is that two different actual protocols thing that has kept me confused,
because Kerberos authentication should be possible to do on a per-request
basis while NTLM is a per-connection thing. I'm now thinking that Negotiate
perhaps always has to be considered per-connection for it to work
properly.

This of course requires some adjustments in the code to make it so.

> So: IMHO the header should always be cleaned up, and the authentication
> states should be moved to the connection state; because Digest will break
> even with this patch, as you need the counter - Basic auth ofc works if you
> don't cleanup the header.

HTTP authentication is not associated with the exact TCP connection, so it cannot
always be stored on a per-connection basis. HTTP and libcurl can keep the
authenticated state even when creating new connections to continue on.

Connection-based authentication methods are violators of the HTTP spec and
thus we handle them separately from the "normal" ones. We need to start
handling Negotiate as we handle NTLM I guess.

-- 
  / daniel.haxx.se

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-10-23
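The distinction the thread turns on (per-request authentication such as Digest, which needs its nonce counter carried across connections, versus connection-bound NTLM/Negotiate, which must be redone on every new TCP connection) can be shown with a small simulation. This is an added example, not code from the mailing list or from libcurl. The Digest computation follows RFC 2617 (qop=auth, which is the form that carries the `nc` counter); the servers, connection identifiers, credentials and request dictionaries are constructed here to model the behaviour described above and are not a real proxy implementation.

```python
import hashlib
from dataclasses import dataclass

# Constructed credentials for the simulation; not real accounts.
USER, REALM, PASSWORD = "alice", "proxy", "s3cret"


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest 'response' value with qop=auth; nc is the 8-hex-digit request counter."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")


@dataclass
class DigestClientState:
    """State a Digest client keeps per credential/realm, NOT per TCP connection.
    The counter must keep increasing even when the next request goes out on a
    brand-new connection, otherwise the server will see a replayed nc."""
    nonce: str
    nc: int = 0

    def next_request(self, conn_id, method, uri):
        self.nc += 1
        cnonce = f"cnonce{self.nc}"  # constructed; real clients use random cnonces
        return {
            "conn": conn_id, "method": method, "uri": uri, "username": USER,
            "realm": REALM, "nonce": self.nonce, "nc": self.nc, "cnonce": cnonce,
            "response": digest_response(USER, REALM, PASSWORD, method, uri,
                                        self.nonce, self.nc, cnonce),
        }


class DigestServer:
    """Checks every request on its own and tracks the highest nc seen per nonce
    to reject replays. It never looks at which connection a request arrived on."""
    def __init__(self):
        self.last_nc = {}

    def verify(self, req):
        expected = digest_response(req["username"], REALM, PASSWORD, req["method"],
                                   req["uri"], req["nonce"], req["nc"], req["cnonce"])
        if expected != req["response"]:
            return 407
        if req["nc"] <= self.last_nc.get(req["nonce"], 0):
            return 407  # replayed or stale counter
        self.last_nc[req["nonce"]] = req["nc"]
        return 200


class ConnectionBoundServer:
    """Models an NTLM/Negotiate-style proxy (hypothetical): the handshake
    authenticates the TCP connection, later requests on that connection pass
    without credentials, and a new connection starts unauthenticated."""
    def __init__(self):
        self.authenticated_conns = set()

    def handshake(self, conn_id):
        self.authenticated_conns.add(conn_id)

    def request(self, conn_id):
        return 200 if conn_id in self.authenticated_conns else 407


def run_scenarios():
    """Returns the status codes each model produces for the same sequence of
    requests spread over two TCP connections, 'A' and 'B'."""
    out = {}
    # Digest: auth state rides with the credential, so a new connection is fine.
    dsrv, dcli = DigestServer(), DigestClientState(nonce="n1")
    r1 = dcli.next_request("A", "GET", "/one")
    r2 = dcli.next_request("B", "GET", "/two")  # new connection, counter continues
    out["digest_first_on_A"] = dsrv.verify(r1)
    out["digest_next_on_B"] = dsrv.verify(r2)
    out["digest_replay_of_r2"] = dsrv.verify(r2)  # same nc again: rejected
    # Connection-bound: only the handshaken connection is authenticated.
    csrv = ConnectionBoundServer()
    csrv.handshake("A")
    out["ntlm_request_on_A"] = csrv.request("A")
    out["ntlm_request_on_B_no_handshake"] = csrv.request("B")  # must redo the handshake
    return out


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: {status}")
```

The last scenario is the failure mode of treating Negotiate as per-request: a client that believes it is "already authenticated" and sends a plain request on a fresh connection gets a 407 back, while a Digest client that forgot its counter when switching connections would be the one rejected instead.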