> Sent: Wednesday, 28 May 2014 at 11:29
> From: "Yehezkel Horowitz" <horow...@checkpoint.com>
> To: "libcurl development" <curl-library@cool.haxx.se>
> Subject: RE: [PATCH] SF bug #1302: HTTP Auth Negotiate sends Kerberos token
> instead of SPNEGO token
>
> >> I'm sorry but this is not my expert area. SPNEGO and Negotiate aren't
> >> the same things, are they? Can't you do Negotiate that isn't SPNEGO?
> > Technically, they are but different names for problem areas.
> >...
> > Further improvement will come here too from me. Clean up code and docs.
>
> There are servers that enforce you to use SPNEGO API which is implemented in
> fbopenssl, but most servers will just accept Kerberos authentication for
> which you should use krb5 library (which also has GSS-API implementation for
> Kerberos authentication).
>
> I learned this by removing the SPNEGO support during configure phase of
> libcurl (as I thought this is very old API and no one uses it anymore) and
> after that I got complaints about servers that couldn't be connected
> (authenticated) with my library...

If a server requests Negotiate, it expects a SPNEGO token as per RFC 4178; if the server expects something else, that is custom. If your server requires Kerberos only, it should so advertise WWW-Authenticate: Kerberos. This is what Microsoft IIS and TMG (proxy) do. To implement that correctly, curl should implement both.

> >> After all, I thought the fbopenssl was almost extinct and I guess not
> >> many more than a handful of users ever built curl with it.
>
> Count me in this list of users (at least till no server will enforce SPNEGO).
>
> >Unfortunately, I have because there is no other way. I am working on
> >improving libcurl to use GSS-API directly and then we can bury fbopenssl
> >once and for all.
>
> AFAIK, GSS-API is implemented in krb5 library and libcurl uses this API (and
> not Kerberos API), but for servers who enforce support of SPNEGO - you must
> use SPNEGO API (which the only open-source implementation I know is
> fbopenssl).
>
> BTW - what is the problem you are coming to fix?

Add --with-native-spnego and move --with-spnego to --with-fbopenssl-spnego. Most GSS-API now support SPNEGO out of the box; I want to implement that in libcurl finally. Those who don't can still compile with fbopenssl, e.g. me here on HP-UX and stone-age MIT Kerberos.

Michael

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
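
As an added example (not part of the message above and not curl's code): the difference between a SPNEGO token and a bare Kerberos token, which is what the bug in the subject line is about, shows in the first bytes of the base64-decoded initial token, because both use the GSS-API initial-token framing (tag 0x60, length, mechanism OID) and differ in the OID. The function, enum and sample names are hypothetical, and the sample byte arrays are constructed headers, not captured traffic.

```c
#include <stddef.h>
#include <string.h>

enum neg_mech { NEG_NOT_GSS_INITIAL, NEG_SPNEGO, NEG_KRB5_RAW, NEG_OTHER_MECH };

/* DER-encoded mechanism OIDs: SPNEGO 1.3.6.1.5.5.2, Kerberos 5 1.2.840.113554.1.2.2 */
static const unsigned char OID_SPNEGO[] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
static const unsigned char OID_KRB5[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};

/* Constructed samples: token headers only, not captured traffic. */
static const unsigned char SAMPLE_SPNEGO[] =
  {0x60, 0x0a, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02, 0xa0, 0x00};
static const unsigned char SAMPLE_KRB5[] =
  {0x60, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, 0x01, 0x00};

/* Read a definite DER length at buf[*pos]; returns 0 on success, -1 on error. */
static int der_len(const unsigned char *buf, size_t len, size_t *pos, size_t *out)
{
  size_t n;
  if(*pos >= len) return -1;
  *out = buf[(*pos)++];
  if(*out < 0x80) return 0;                 /* short form */
  n = *out & 0x7f;                          /* long form: n length octets */
  if(n == 0 || n > 4 || len - *pos < n) return -1;
  for(*out = 0; n; n--) *out = (*out << 8) | buf[(*pos)++];
  return 0;
}

/* Classify the mechanism of a base64-decoded initial Negotiate token. */
enum neg_mech classify_negotiate_token(const unsigned char *tok, size_t len)
{
  size_t pos = 1, body, oidlen;
  if(len < 2 || tok[0] != 0x60)             /* [APPLICATION 0] wrapper missing */
    return NEG_NOT_GSS_INITIAL;
  if(der_len(tok, len, &pos, &body) || body > len - pos)
    return NEG_NOT_GSS_INITIAL;             /* bad or truncated length */
  len = pos + body;                         /* stay inside the wrapper */
  if(pos >= len || tok[pos++] != 0x06)      /* mechanism OID must come first */
    return NEG_NOT_GSS_INITIAL;
  if(der_len(tok, len, &pos, &oidlen) || oidlen > len - pos)
    return NEG_NOT_GSS_INITIAL;
  if(oidlen == sizeof(OID_SPNEGO) && !memcmp(tok + pos, OID_SPNEGO, oidlen))
    return NEG_SPNEGO;
  if(oidlen == sizeof(OID_KRB5) && !memcmp(tok + pos, OID_KRB5, oidlen))
    return NEG_KRB5_RAW;                    /* bare Kerberos token, no SPNEGO */
  return NEG_OTHER_MECH;
}
```

A client that answers `WWW-Authenticate: Negotiate` with a token classified as `NEG_KRB5_RAW` is sending the bare Kerberos token rather than the SPNEGO token of RFC 4178. Only the initial token is covered; later SPNEGO response tokens do not carry the 0x60 wrapper.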