cURL / Mailing Lists / curl-library / Single Mail

curl-library

RE: krb4 and CURLOPT_KRBLEVEL

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Sun, 16 Nov 2014 00:19:26 +0000

On Sat, 15 Nov 2014, Dan Fandrich wrote:

> I though you were removing support of the option from the curl tool, in which case it
> work abort with "curl: option --krb: is unknown".

Ultimately I was trying to determine if this option is used and whether I need to support it in the SASL Kerberos 5 work I am doing at the moment - I appreciate that my first email started with more focus on this :(

As a side note, I then wanted to raise whether it should be removed from a) curl tool and b) libcurl if it isn't used anymore.

My patch addressed part a - and was more to highlight the area of code I was talking about and how it is currently testing to see if krb4 is present as a feature.

However, if we were to remove it (as per my patch) is that such a hardship especially as krb4 has gone - never (probably) to return? At the end of the day the output you mentioned is purely textual and it saves having an usused option in --help which can't be used ;-)

As far as I know both code paths result in an error level of 2 - so from a scripting point of view it wouldn't make any difference?

> > > PROT is used for generic TLS encryption and has nothing to do with
> > > Kerberos directly, as I understand it (maybe it has some subtle semantic
> > > difference there).
> >
> > I'm confused now :(
>
> I haven't looked at the code for any of this, but PROT P is sent for FTP when the
> --ssl option is given. Perhaps --krb enables --ssl as well by default.

Okay - That makes a bit more sense as well.

However, I don't believe Kerberos can be used for SSL - it can handle message encyption (so it has an element of similarity to SSL) but it wouldn't be on an SSL port and it doesn't have any of the certificate stuff (that I know of) to worry about.

The thing I'm not sure about is whether it's encryption layer can be used separately from the authentication that it provides.

If it can, then --krb serves some purpose - however --ftp-sec-level would be a more appropriate name for it ;-)

Kind Regards

Steve

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-11-16