curl-library

Re: [PATCH] SF bug #1302: HTTP Auth Negotiate sends Kerberos token instead of SPNEGO token

From: David Woodhouse <dwmw2_at_infradead.org>
Date: Tue, 15 Jul 2014 21:55:42 -0000

> On 2014-07-15 21:17, Daniel Stenberg wrote:
>> On Tue, 15 Jul 2014, David Woodhouse wrote:
>>
>>> Merged into git://, http://git.infradead.org/users/dwmw2/curl.git
>>> which now looks like this:
>>
>> Thanks for working on this, David - I believe Michael has felt a bit
>> left on his own with regards to kerberos and Negotiate =). I would like
>> to merge your branch into master after Wednesday - unless you think any
>> particular of those fixes are critical.

I don't think it's critical. I note that when reverse DNS is screwed and
we end up obtaining a Kerberos ticket for the wrong host, we end up in an
infinite loop presenting it over and over again because we throw the
context away each time round the loop. But that bug has been there for
ever; having it present in one more release won't kill us.

> please do not rush. I like to test that stuff in a working corporate
> environment first. It should be a no-brainer after that.

FWIW I'm fairly happy with my testing of SPNEGO under Windows and Linux,
watching it use IAKERB, KRB5 and NTLMSSP mechanisms as appropriate. I may
run some more tests on the farm of random *BSD/Solaris VMs that I keep for
OpenConnect testing, but having gone through them fairly recently with
OpenConnect's GSSAPI support I'm fairly confident they'll be fine.

I'd suggest pulling my tree after the release; I've reverted it to the
point that Michael and I agree on (that use_spnego bool can be turned into
an enum later when NTLM support gets mixed in).

-- 
dwmw2
Received on 2014-07-18