cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH] SF bug #1302: HTTP Auth Negotiate sends Kerberos token instead of SPNEGO token

From: David Woodhouse <>
Date: Tue, 15 Jul 2014 21:32:37 -0000

>> David Woodhouse (8):
>> ntlm_wb: Fix hard-coded limit on NTLM auth packet size
>> ntlm_wb: Avoid invoking ntlm_auth helper with empty username
> I do not think that this belongs in this patchset because it is
> completely unrelated.

It all falls under the heading of making curl work in the corporate
environment. Kerberos is fragile and we often have to fall back to NTLM.
That's both NTLM in SPNEGO *and* plain 'WWW-Authenticate: NTLM'. It all
needs to work.

>> Support WWW-Authenticate: Kerberos in place of defunct
>> GSS-Negotiate
> I am not convinced by that patch. I assumed you had the same intentions
> as me with the entire chain, --kerberos over CURLAUTH_KERBEROS and so
> forth. You mix two mechanisms within one code block, spite the same
> flow, you cannot on/off any of them separately not do people really know
> that curl will do that.

Yeah, fair enough. I hate the way that curl doesn't automatically
authenticate when it knows how, so I forget about those extra bits.

I'll drop that from my tree and revert to
commit d850e9b9 which you can use as a base for further work.

List admin:
Received on 2014-07-18