RE: Windows SSPI Schannel implementation ready

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Tue, 12 Jun 2012 18:21:40 +0100

Hi Yang,

On Tue, 12 Jun 2012, Yang Tse wrote:

> SSPI is already present in libcurl's feature list when in use, so...
>
> Why do we need to show the security.dll or secur32.dll
> version in libcurl's version string, and additionally dress it up as
> WinSSPI?

There are two reasons for including Windows SSPI in the version information.

1) curl displays the SSL library in its version string and as such should
display something when SSL through Windows SSPI is enabled.

2) Windows SSPI can be thought of as the equivalent to OpenSSL or better
still GNUTLS as it is a provider of security related features and provides
libcurl with the following:

* SSL / TLS
* Security Context Information such as Negotiate, Kerberos and NTLM
* Obtaining the currently logged in Windows credentials - Single Sign On for
the want of a better name

From discussion with Daniel, and to a certain degree from your email of 23
April, I believe that the feature of SSPI as listed in curl's feature string
actually represents the SSO capability of Windows SSPI and not everything
that Windows SSPI provides (or at least it shouldn't represent all of SSPI
as otherwise you wouldn't display GSS-Negotiate and NTLM for example).

WinSSPI is a short friendly name, or package name if you like, for
security.dll / secur32.dll just as OpenSSL is the package name for
libssl32.dll and libeay32.dll. Originally, Mark had this as SChannel which
we decided wasn't a good name. Other names that were briefly talked about
were sspi, SSPI and WinSSPI - As such, WinSSPI seemed like the best choice
;-)

> These two are system libraries the same as all other
> system libs that might be used, such as kernel32,
> normaliz, wldap32 and ws2_32, for which we don't
> show any version info.

I guess there is a fine line between what package and version information
curl should show versus what it shouldn't and Windows muddies the water a
little by providing low level libraries such as ws2_32.dll (Winsock 2) and
other high level libraries that give the functionality of Windows SSPI or
implement the LDAP protocol. For example, if we wanted to show what third
party LDAP libraries curl might use, we could display OpenLDAP and Windows
LDAP (the latter would probably want to show the version number from
wldap32.dll to be consistent), however, we don't want to show the
information for low level libraries such as ws2_32.dll.

> The user/developer has very little choice relative
> to which version is used.

This is very true... and I guess it would be similar to something like
OpenSSL being pre-installed as part of Solaris for example ;-) I admit
things are a little different in *nix land as other versions could be
downloaded using the package manager / installed by the user.

> Additionally showing that info introduces another
> library dependency which didn't exist up to now.

Again this is true and as you are aware, getting version information out of
a dll on Windows requires using version.dll - As this was introduced as a
system dll in Windows 2000 I don't have a problem with that or statically
linking against it. However, I've only been part of the development team for
the last 12 months, and don't have the wealth of experience that you do, so
don't know the full history of the product and demographic of users and the
variants of Windows that curl is used on - In that respect I honestly can't
say if that is an issue or not. If we decide it is an issue then I would
recommend that we bind to the dll dynamically thus allowing
Curl_sspi_version() to fail gracefully and display "WinSSPI/unknown" (as it
does now if any part of the function fails) or just "WinSSPI" if preferred.

> My opinion is to get rid of it, unless someone tells us why we badly need
> it.

My own preference is to keep it because 1) It is in keeping with other
security providers in curl, 2) Like any of the version / package information
it is useful to know and 3) We need to display something in the SSL version
string so if we were to ditch it what would we display here?

Just my two pennies worth... Although that probably feels like two pound /
dollar / euro / sheep / any other currencies worth after reading ;-)

Steve

Received on 2012-06-12