curl-library

Re: [PATCH] SF bug #1302: HTTP Auth Negotiate sends Kerberos token instead of SPNEGO token

From: Michael Osipov <1983-01-06_at_gmx.net>
Date: Fri, 11 Jul 2014 12:21:25 +0200

On 2014-07-11 11:50, David Woodhouse wrote:
> On Fri, 2014-07-11 at 11:24 +0200, Michael Osipov wrote:
>>
>> That is absolutely true. This is an area which I want to improve in curl
>> mid-term. The reason for fbopenssl was probably that someone did not have a
>> capable GSS-API version.
>
> Probably. Although that's less of an excuse these days, since everyone
> *should* have a GSSAPI implementation that does SPNEGO by now.

Yes, but some stupid vendors are still lacking. HP is too stupid to
update their packaged GSS-API version. They ship 1.3.5 and supply
security patches on top. Horribly old and broken. But I have managed to
compile the latest MIT Kerberos on HP-UX with great success. It works
flawlessly with curl. For those in need, I am willing to help to make it
run on HP-UX. Patch has been submitted already.

>> I am waiting for this patch to be merged and then
>> I could adapt configure.ac and patch the source code in a way where FTP
>> and SOCKS use KRB5_MECHANISM and HTTP uses SPNEGO_MECHANISM.
>
> I firmly believe that the way forward here is to rip out the FBOpenSSL
> bit altogether. I'm working on that now; to quote the commit message
> from http://git.infradead.org/users/dwmw2/curl.git/commitdiff/d7bb1f66
> [...]

Yes, that is way better. My patch was intended as intermediate only.
Your approach resembles mine. Rip out fbopenssl and make it use GSS-API
only.

Your patch looks good but not complete, right? I would like to follow
your improvements and make comments on what can be done even better. What I had
in mind additionally is to have '--kerberos' react on 'WWW-Authenticate:
Kerberos' too.

Moreover, I can test the entire stuff on three Unix OSes against
GSS-API, SSPI, and JGSS. So, a very good test coverage should be
achieved. Servers on FreeBSD, Windows Servers, HP-UX and HTTP proxy on
Windows Server.

If Daniel and/or someone else is willing to merge your patches, my two
patches should be halted and discarded when you provide yours.

Michael
Received on 2014-07-11