Negotiate/Kerberos - SPN - FQDN

From: Hölzl, Dominik <>
Date: Wed, 22 Nov 2017 11:07:19 +0000


I have a question about cURL and Negotiate/Kerberos authentication and the used SPN (server principal name) on Windows.

If the URL does not contain a canonical host name of the target server (just a simple non-FQDN name like "http://myhost/path" or just an IP address), then the SPN generated by cURL, which is passed to the Windows API function "InitializeSecurityContext", is "HTTP/myhost" (or with the IP address), but the documentation says that a canonical host name should be passed, like "HTTP/", if possible.
When analyzing the source code of cURL I can only find paths through the code which just take the host name from the URL, and no name resolution takes place.
Google Chrome and Firefox explicitly pass a resolved FQDN host name in the SPN if available.

The used host is either [connectdata]-> or [connectdata]-> which comes directly from the passed URL.

Google Chrome source code:

Firefox source code:

Is there something missing in cURL?

Or do I have to resolve and replace the host name in the URL before passing it to cURL?


Received on 2017-11-22
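
The resolution step the mail asks about, as an added example (not part of the original post, and not code from curl, Chrome or Firefox): the URL host is replaced by the canonical name from `getaddrinfo()` with `AI_CANONNAME` before the SPN string is built, while IP literals and failed lookups keep the URL host. `canon_fn`, `canon_dns`, `canon_sample`, `build_spn` and the host names are hypothetical names introduced here, and POSIX headers are assumed.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>   /* POSIX headers assumed */

typedef int (*canon_fn)(const char *host, char *out, size_t outlen);
/* Real resolver: canonical name reported by getaddrinfo(AI_CANONNAME). */
int canon_dns(const char *host, char *out, size_t outlen) {
    struct addrinfo hints = {0}, *res = NULL;
    hints.ai_flags = AI_CANONNAME;
    if (getaddrinfo(host, NULL, &hints, &res) != 0) return -1;
    int ok = res->ai_canonname &&
             (size_t)snprintf(out, outlen, "%s", res->ai_canonname) < outlen;
    freeaddrinfo(res);
    return ok ? 0 : -1;
}

/* Constructed offline stand-in for canon_dns (hypothetical host names). */
int canon_sample(const char *host, char *out, size_t outlen) {
    if (strcmp(host, "myhost") != 0) return -1;
    return snprintf(out, outlen, "myhost.corp.example.") < 0 ? -1 : 0;
}

/* IP literals are recognised by parsing only, without DNS traffic. */
static int is_ip_literal(const char *h) {
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, h, buf) == 1 || inet_pton(AF_INET6, h, buf) == 1;
}

/* Writes "svc/host". Returns 1: canonical name used, 0: URL host kept, -1: no room. */
int build_spn(const char *svc, const char *url_host, canon_fn resolve,
              char *spn, size_t spnlen) {
    char canon[256] = "";
    const char *host = url_host;
    if (resolve && !is_ip_literal(url_host) && resolve(url_host, canon, sizeof canon) == 0) {
        size_t n = strlen(canon);
        if (n && canon[n - 1] == '.') canon[--n] = '\0';  /* drop the root dot */
        if (n) host = canon;
    }
    int w = snprintf(spn, spnlen, "%s/%s", svc, host);
    if (w < 0 || (size_t)w >= spnlen) return -1;
    return host == canon;
}

int main(void) {
    char spn[300];
    if (build_spn("HTTP", "myhost", canon_sample, spn, sizeof spn) >= 0) puts(spn);
    return 0;
}
```

Passing `canon_dns` instead of `canon_sample` performs the real lookup; the SPN then depends on what the resolver returns, so the DNS path becomes part of what the authentication trusts.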