curl-library

Negotiate/Kerberos - SPN - FQDN

From: Hölzl, Dominik <Dominik.Hoelzl_at_fabasoft.com>
Date: Wed, 22 Nov 2017 11:07:19 +0000

Hello!

I have a question about cURL and Negotiate/Kerberos authentication and the used SPN (server principal name) on Windows.

If the URL does not contain a canonical host name of the target server (just a simple non-FQDN name like "http://myhost/path" or just an IP address), then the SPN generated by cURL, which is passed to the Windows API function "InitializeSecurityContext", is "HTTP/myhost" (or with the IP address), but the documentation says that a canonical host name should be passed, like "HTTP/myhost.mycompany.org", if possible.
When analyzing the source code of cURL I can only find paths through the code which just take the host name from the URL, and no name resolution takes place.
Google Chrome and Firefox explicitly pass a resolved FQDN host name in the SPN if available.

cURL:
The used host is either [connectdata]->host.name or [connectdata]->http_proxy.host.name which comes directly from the passed URL.

Google Chrome source code:
https://cs.chromium.org/chromium/src/net/http/http_auth_handler_negotiate.cc?type=cs&l=155

Firefox source code:
https://dxr.mozilla.org/mozilla-central/source/extensions/auth/nsAuthSSPI.cpp#228

Is there something missing in cURL?

Or do I have to resolve and replace the host name in the URL before passing it to cURL?

Regards,
Dominik

Received on 2017-11-22
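
The difference the message describes, "HTTP/myhost" versus "HTTP/myhost.mycompany.org", shown as an added example that is not part of the original mail and is neither cURL's nor any browser's code. It assumes POSIX sockets (`getaddrinfo` with `AI_CANONNAME`; Windows offers the same call through `ws2tcpip.h`); `system_canon`, `sample_canon` and `build_http_spn` are hypothetical names, and leaving IP literals unchanged is a choice made for this example.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>

/* Resolver callback: writes the canonical name of host into out, 0 on success. */
typedef int (*canon_fn)(const char *host, char *out, size_t outlen);

/* Canonical name as reported by the system resolver (AI_CANONNAME). */
int system_canon(const char *host, char *out, size_t outlen) {
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);          /* ai_family 0 == AF_UNSPEC */
    hints.ai_flags = AI_CANONNAME;
    if (getaddrinfo(host, NULL, &hints, &res) != 0 || !res) return -1;
    int ok = res->ai_canonname && strlen(res->ai_canonname) < outlen;
    if (ok) strcpy(out, res->ai_canonname);
    freeaddrinfo(res);
    return ok ? 0 : -1;
}

/* Constructed stand-in resolver (names from the mail) so the example runs offline. */
int sample_canon(const char *host, char *out, size_t outlen) {
    if (strcmp(host, "myhost") != 0) return -1;
    snprintf(out, outlen, "%s", "myhost.mycompany.org");
    return 0;
}

/* Builds "HTTP/<host>". Returns 1 if the canonical name was used,
 * 0 if the URL host was kept (IP literal or failed lookup), -1 if spn is too small. */
int build_http_spn(const char *url_host, canon_fn canon, char *spn, size_t spnlen) {
    unsigned char addr[16];
    char fqdn[256];
    const char *name = url_host;
    int used = 0;
    int is_ip = inet_pton(AF_INET, url_host, addr) == 1 ||
                inet_pton(AF_INET6, url_host, addr) == 1;
    if (!is_ip && canon && canon(url_host, fqdn, sizeof fqdn) == 0) {
        name = fqdn;
        used = 1;
    }
    int n = snprintf(spn, spnlen, "HTTP/%s", name);
    return (n < 0 || (size_t)n >= spnlen) ? -1 : used;
}

int main(void) {
    char spn[300];
    if (build_http_spn("myhost", sample_canon, spn, sizeof spn) >= 0) puts(spn);
    return 0;
}
```

Pass `system_canon` instead of `sample_canon` to use the real resolver. RFC 4120 section 1.3 says implementations must not use insecure DNS queries to canonicalize the host name part of a service principal name, so the resolver's answer decides which service the ticket is requested for and should only be trusted when the lookup path is protected.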