Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
[Regression since 8.18.0] SMTP GSSAPI authentication in curl_sasl skipped with --negotiate -u
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Alexandr Timofeev via curl-library <curl-library_at_lists.haxx.se>
Date: Tue, 19 May 2026 15:31:44 +0300
Hi all,
I've found a regression with curl.exe when sending mail over SMTP with
`--negotiate -u :` on Windows/SSPI.
Since curl 8.18.0, SMTP `--negotiate -u :` appears to skip
GSSAPI authentication.
Curl 8.16.0 sends `AUTH GSSAPI` and succeeds, while curl 8.18.0 and later
skip authentication with GSSAPI, proceed directly to `MAIL FROM`
and fail with 530 error.
Regression is still present in the latest curl master 8.21.0-DEV (aafbe08).
Test command:
curl --url smtp://smtp.acme.com:587 ^
--mail-from test_at_acme.com ^
--mail-rcpt test_at_acme.com ^
--upload-file test.txt -v --negotiate -u :
curl 8.16.0 output:
< 250-AUTH GSSAPI NTLM
...
> AUTH GSSAPI
< 334 GSSAPI supported
...
< 235 2.7.0 Authentication successful
> MAIL FROM:<test_at_acme.com> SIZE=164
...
curl 8.18.0 output:
< 250-AUTH GSSAPI NTLM
...
> MAIL FROM:<test_at_acme.com> SIZE=164
...
< 530 5.7.57 SMTP; Client was not authenticated to send anonymous
mail during MAIL FROM
* MAIL failed: 530
The regression appears to be related to commit 425a2aa [1]. This commit
may have inadvertently changed the logic in `Curl_sasl_can_authenticate()`.
Previously the if-statement checked for a non-NULL value,
but after the commit it checks for a non-EMPTY value:
- if(data->state.aptr.user)
+ if(data->conn->user[0])
For GSSAPI curl's own documentation says:
`--negotiate` must be used with `-u :` to provide a fake user value [2].
So in the above command the user value is actually present as an empty
string, but the new condition disallows it.
Environment:
- curl version: 8.18.0/8.16.0/8.21.0-dev (aafbe08)
- OS: Windows 11
- MS Exchange server version: 15.02.1748.010
Exchange Server 2019 CU15 (2025H1)
Full output from cmd.exe for
- curl 8.16.0;
- curl 8.18.0;
- curl master 8.21.0-DEV (aafbe08);
in attachments.
[1]: https://github.com/curl/curl/commit/425a2aa1af0fec9ab41fcc1bcb316b623cebccc7#diff-4ec22d96a9836e267309f30184d45955c259020b0d69eca4553e665747eeac6fL284-L287
[2]: https://curl.se/docs/manpage.html#--negotiate
Thanks,
Alexandr Timofeev
Date: Tue, 19 May 2026 15:31:44 +0300
Hi all,
I've found a regression with curl.exe when sending mail over SMTP with
`--negotiate -u :` on Windows/SSPI.
Since curl 8.18.0, SMTP `--negotiate -u :` appears to skip
GSSAPI authentication.
Curl 8.16.0 sends `AUTH GSSAPI` and succeeds, while curl 8.18.0 and later
skip authentication with GSSAPI, proceed directly to `MAIL FROM`
and fail with 530 error.
Regression is still present in the latest curl master 8.21.0-DEV (aafbe08).
Test command:
curl --url smtp://smtp.acme.com:587 ^
--mail-from test_at_acme.com ^
--mail-rcpt test_at_acme.com ^
--upload-file test.txt -v --negotiate -u :
curl 8.16.0 output:
< 250-AUTH GSSAPI NTLM
...
> AUTH GSSAPI
< 334 GSSAPI supported
...
< 235 2.7.0 Authentication successful
> MAIL FROM:<test_at_acme.com> SIZE=164
...
curl 8.18.0 output:
< 250-AUTH GSSAPI NTLM
...
> MAIL FROM:<test_at_acme.com> SIZE=164
...
< 530 5.7.57 SMTP; Client was not authenticated to send anonymous
mail during MAIL FROM
* MAIL failed: 530
The regression appears to be related to commit 425a2aa [1]. This commit
may have inadvertently changed the logic in `Curl_sasl_can_authenticate()`.
Previously the if-statement checked for a non-NULL value,
but after the commit it checks for a non-EMPTY value:
- if(data->state.aptr.user)
+ if(data->conn->user[0])
For GSSAPI curl's own documentation says:
`--negotiate` must be used with `-u :` to provide a fake user value [2].
So in the above command the user value is actually present as an empty
string, but the new condition disallows it.
Environment:
- curl version: 8.18.0/8.16.0/8.21.0-dev (aafbe08)
- OS: Windows 11
- MS Exchange server version: 15.02.1748.010
Exchange Server 2019 CU15 (2025H1)
Full output from cmd.exe for
- curl 8.16.0;
- curl 8.18.0;
- curl master 8.21.0-DEV (aafbe08);
in attachments.
[1]: https://github.com/curl/curl/commit/425a2aa1af0fec9ab41fcc1bcb316b623cebccc7#diff-4ec22d96a9836e267309f30184d45955c259020b0d69eca4553e665747eeac6fL284-L287
[2]: https://curl.se/docs/manpage.html#--negotiate
Thanks,
Alexandr Timofeev
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2026-05-19