cURL / Mailing Lists / curl-library / Single Mail


RE: [PATCH] SF bug #1302: HTTP Auth Negotiate sends Kerberos token instead of SPNEGO token

From: Steve Holme <>
Date: Sun, 13 Jul 2014 12:40:21 +0100

On Sun, 13 Jul 2014, David Woodhouse wrote:

> There's actually something to be said for ditching http_negotiate_sspi.c
> too, and letting Windows use http_negotiate.c. Let curl_gssapi.c and
> curl_sspi.c both present the *same* interface for a generic
> implementation of "WWW-Authenticate: Negotiate/Kerberos/NTLM"
> to use.

On a side note, we are currently missing support for the GSSAPI mechanism and Winbind NTLM implementation in the email protocols.

As such my goal is to try and move the authentication code that is in http_* and curl_ntlm_* into the fairly new sasl modules at some point this year and keep the http protocol specific bits in files such as http_negotiate.c - this will probably remove the need for http_negotitate_sspi.c for example.

Additionally, this will allow us to:

* Support both of these in the email protocols and any other protocols that can use authentication (For example I want to look at ldap in more detail afterwards)
* Simplify the NTLM code as both native and SSPI is intermingled making it difficult to follow
* Support third party sasl/authentication modules with relative ease

> (Yes, we can use GSSAPI for 'WWW-Authenticate: NTLM' on
> Linux too, as well as invoking the ntlm_auth helper or doing it>
> manually.)

I don't know much about the Linux side myself, but I believe we could also use the GSS-API library for all NTLM operations - including email ;-)

Kind Regards


List admin:
Received on 2014-07-13