Re: [PATCH] SF bug #1302: HTTP Auth Negotiate sends Kerberos token instead of SPNEGO token
Date: Fri, 11 Jul 2014 12:21:25 +0200
Am 2014-07-11 11:50, schrieb David Woodhouse:
> On Fri, 2014-07-11 at 11:24 +0200, Michael Osipov wrote:
>> That is absolutely true. This is an area which I want to improve in curl
>> mid-term. The reason for fbopenssl was probably some one did not hav a
>> capable GSS-API version.
> Probably. Although that's less of an excuse these days, since everyone
> *should* have a GSSAPI implementation that does SPNEGO by now.
Yes, but some stupid vendors are still lacking. HP is too stupid to
update their packaged GSS-API version. They ship 1.3.5 and supply
security patches on top. Horribly old and broken. But I have managed to
compile the latest MIT Kerberos on HP-UX with great success. It works
flawlessly with curl. For those in need, I am willing to help to make it
run on HP-UX. Patch has been submitted already.
>> I waiting for this patch to be merged and then
>> I could adapt configure.ac and patch the source code in a way were FTP
>> and SOCKS use KRB5_MECHANISM and HTTP uses SPNEGO_MECHANISM.
> I firmly believe that the way forward here is to rip out the FBOpenSSL
> bit altogether. I'm working on that now; to quote the commit message
> from http://git.infradead.org/users/dwmw2/curl.git/commitdiff/d7bb1f66
Yes, that is way better. My patch was intended as intermediate only.
Your approach resembles mine. Rip out fbopenssl and make it use GSS-API
Your patch looks good but not complete, right? I would like to follow
your improvements, make comments what can done even better. What I had
in mind additionally to have '--kerberos' react on 'WWW-Authenticate:
More over, I can test the entire stuff on three Unix OSes against
GSS-API, SSPI, and JGSS. So, a very good test coverage should be
achieved. Servers on FreeBSD, Windows Servers, HP-UX and HTTP proxy on
If Daniel and/or someone else is willing to merge your patches, my two
patches should be halted and discarded when you provide yours.
List admin: http://cool.haxx.se/list/listinfo/curl-library
Received on 2014-07-11