
Re: Kerberos connections are not left open

From: Isaac Boukris <iboukris_at_gmail.com>
Date: Tue, 29 Nov 2016 19:45:18 +0200

Hi,

On Tue, Nov 29, 2016 at 1:33 PM, Lutfi Dwedari <lutfi.dwedari_at_pds.nl> wrote:
> I’m trying to implement a file uploader using libcurl. The authentication
> must be done using Kerberos. The issue that I’m encountering is that the
> file is being sent three times to the server (one for each message of the
> handshake).

Are you sure it is Kerberos? It sounds more like NTLM over Negotiate
because Kerberos shouldn't take more than two round-trips (of which the
first is due to a bug in libcurl), that is unless you have set
CURLAUTH_ANY.

The real problem however, is that we currently lack the logic to avoid
posting data before authentication is done in Negotiate auth, like the
logic we have in NTLM auth.
It should be noted that Negotiate is more complicated in this regard
than plain NTLM because it requires a variable number of requests to
complete authentication.

> Kerberos allows to reuse the same authentication token by using persisting
> connections.

Usually, Kerberos authentication is required for each request.
Though it is possible to persist authentication by tweaking the server side.

> So to avoid uploading the file multiple times, I first make a small request
> to the server (a kind of ping) to get the authentication done and then I
> make the upload POST request.
...
> I don’t completely understand the comment in the code, but apparently there
> is a limitation on the libcurl implementation that forces to close the
> connection. Is that right? Could someone confirm it or explain if this can
> be fixed?

That is correct, the limitation is because libcurl shares connections
between easy handles, and we (currently) have no way to determine what
user has authenticated the connection and what user wants to reuse it,
so we close the connection as soon as the transfer is complete as a
workaround.
This problem is probably not relevant for most curl users who use it
for a single user anyway but the limitation is still there.

> Depending on the answer to above questions I could try to set
> CURL_CONNECTION_ONLY at some callback run before the closing of connection.
> Does anyone have an idea of how to do this?

Don't use connect_only, it does not mean what you think it means (probably).

> Any other suggestion to implement file upload with Kerberos authentication
> without transmitting the file multiple times?

If you have control over the libcurl library in use, and you know you
only use it for a single user, then maybe you could build your own
lib, with the connclose line you've mentioned above commented out.

HTH
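The exchange discussed above, as an added example that is not part of the original mail and not libcurl code: a toy model of a multi-round HTTP challenge/response handshake (NTLM-style or Negotiate-style) with both sides' messages, comparing a client that re-sends its POST body on every round against one that sends an empty body until its security context is complete, which is the "avoid posting data before authentication is done" logic the mail says libcurl has for NTLM but not for Negotiate. The server, the mechanism, the token format and the `rounds` parameter are constructed stand-ins (2 rounds models NTLM, 1 round models Kerberos under Negotiate); no real GSSAPI or network code is involved.

```python
"""Toy model of a multi-round HTTP challenge/response handshake (NTLM or
Negotiate style) showing why a client that re-sends its POST body on every
round uploads the file once per handshake message, while a client that sends
an empty body until its security context is complete uploads it only once.

Added example, not libcurl code: the server, the mechanism and the token
format are constructed stand-ins. `rounds` is the number of context steps
the mechanism needs (2 models NTLM; 1 models Kerberos under Negotiate)."""

from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


class ToyServer:
    """Requires a complete token on every request (auth is per request, as
    Kerberos normally is). Counts every body byte it has to read."""

    def __init__(self, rounds):
        self.rounds = rounds
        self.body_bytes_received = 0
        self.accepted_body = None

    def handle(self, headers, body):
        self.body_bytes_received += len(body)
        auth = headers.get("Authorization", "")
        if auth.startswith("Negotiate token"):
            step = int(auth[len("Negotiate token"):])
            if step >= self.rounds:          # context complete: accept the POST
                self.accepted_body = body
                return Response(200)
            # more rounds needed: challenge again with the next server token
            return Response(401, {"WWW-Authenticate": f"Negotiate challenge{step}"})
        return Response(401, {"WWW-Authenticate": "Negotiate"})


class ToyMech:
    """Stand-in for a GSSAPI security context: each step consumes the server
    challenge and reports whether the context is now complete (the role
    GSS_S_COMPLETE vs GSS_S_CONTINUE_NEEDED plays in a real mechanism)."""

    def __init__(self, rounds):
        self.rounds = rounds
        self.steps = 0

    def step(self, challenge):
        self.steps += 1
        return f"token{self.steps}", self.steps >= self.rounds


def post(server, body, rounds, defer_body):
    """Drive the handshake. Returns (final status, body bytes sent on the wire).
    With defer_body=True the client sends zero-length requests until its
    context is complete, then sends the real body exactly once."""
    mech = ToyMech(rounds)
    headers = {}
    complete = False
    sent = 0
    for _ in range(rounds + 2):              # bounded: never loop forever
        payload = body if (complete or not defer_body) else b""
        sent += len(payload)
        resp = server.handle(headers, payload)
        if resp.status != 401:
            return resp.status, sent
        token, complete = mech.step(resp.headers["WWW-Authenticate"])
        headers = {"Authorization": f"Negotiate {token}"}
    raise RuntimeError("authentication did not complete")


def compare(rounds, body):
    """Bytes the client uploads with and without deferral for one handshake."""
    naive = ToyServer(rounds)
    deferred = ToyServer(rounds)
    naive_status, naive_sent = post(naive, body, rounds, defer_body=False)
    defer_status, defer_sent = post(deferred, body, rounds, defer_body=True)
    assert naive.accepted_body == deferred.accepted_body == body
    return {
        "rounds": rounds,
        "naive_status": naive_status, "naive_body_bytes": naive_sent,
        "deferred_status": defer_status, "deferred_body_bytes": defer_sent,
    }


if __name__ == "__main__":
    blob = b"x" * 1_000_000                  # constructed 1 MB upload
    for r in (1, 2, 3):
        print(compare(r, blob))
```

With two rounds the naive client sends the body three times (once unauthenticated, once with the first token, once with the final token), which is the behaviour the original poster describes; the deferring client sends it once regardless of how many rounds the mechanism needs, because it asks the mechanism whether the context is complete rather than assuming a fixed number of messages. Note the caveat from the mail itself: even with the body deferred, libcurl at the time closed a Negotiate-authenticated connection once the transfer finished, because it could not tell which user had authenticated a shared connection, so a "ping first, then upload on the same connection" workaround did not apply to libcurl without modifying it.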

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-29