cURL / Mailing Lists / curl-library / Single Mail


Curl_sasl_build_spn does not do rDNS lookup when forming SPN

From: Wenlong Dong <>
Date: Sat, 17 Oct 2015 17:03:01 -0700


When Curl forms the service principal given the service name, it simply
formats the service principal name with "<service_name>/<host_name>" in
Curl_sasl_build_spn. The "<host_name>" is basically the host name part of
the URL. So if the host name is an IP address, the SPN would be wrong
according to the following doc:
>> In the case of a host, the instance is the fully qualified hostname,

Because of this, the kerberos ticket generated by KDC is unusable by the
service. What's worse is that JDK would pass on calling
GSSContext.acceptSecContext() silently but in fact it could not even get
the client's principal name. This affects SPNEGO scenario for libcurl.

Could libcurl perform a reverse DNS lookup to get the fully qualified


List admin:
Received on 2015-10-18