cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH] SF bug #1302: HTTP Auth Negotiate sends Kerberos token instead of SPNEGO token

From: Michael Osipov <>
Date: Sun, 13 Jul 2014 20:01:21 +0200

Am 2014-07-13 13:40, schrieb Steve Holme:
> On Sun, 13 Jul 2014, David Woodhouse wrote:
>> There's actually something to be said for ditching
>> http_negotiate_sspi.c too, and letting Windows use
>> http_negotiate.c. Let curl_gssapi.c and curl_sspi.c both present
>> the *same* interface for a generic implementation of
>> "WWW-Authenticate: Negotiate/Kerberos/NTLM" to use.
> On a side note, we are currently missing support for the GSSAPI
> mechanism and Winbind NTLM implementation in the email protocols.

Are you implementing SASL your self for curl or do you use CyrusSASL?
I know that Windows has a native SASL impl but that seems to be
available on Windows Server only.

> As such my goal is to try and move the authentication code that is in
> http_* and curl_ntlm_* into the fairly new sasl modules at some point
> this year and keep the http protocol specific bits in files such as
> http_negotiate.c - this will probably remove the need for
> http_negotitate_sspi.c for example.
> Additionally, this will allow us to:
> * Support both of these in the email protocols and any other
> protocols that can use authentication (For example I want to look at
> ldap in more detail afterwards) * Simplify the NTLM code as both
> native and SSPI is intermingled making it difficult to follow *
> Support third party sasl/authentication modules with relative ease

More than that. I could be completely decoupled from HTTP and used for
any GSS/SSPI-based service, like HTTP, FTP, SMTP, IMAP, etc. The low-end
impl is always the same.


List admin:
Received on 2014-07-13