On 2014-07-11 11:50, David Woodhouse wrote:
On Fri, 2014-07-11 at 11:24 +0200, Michael Osipov wrote:

That is absolutely true. This is an area which I want to improve in curl
mid-term. The reason for fbopenssl was probably someone did not have a
capable GSS-API version.

Probably. Although that's less of an excuse these days, since everyone
*should* have a GSSAPI implementation that does SPNEGO by now.

Yes, but some stupid vendors are still lacking. HP is too stupid to update their packaged GSS-API version. They ship 1.3.5 and supply security patches on top. Horribly old and broken. But I have managed to compile the latest MIT Kerberos on HP-UX with great success. It works flawlessly with curl. For those in need, I am willing to help to make it run on HP-UX. Patch has been submitted already.

I am waiting for this patch to be merged and then
I could adapt configure.ac and patch the source code in a way where FTP
and SOCKS use KRB5_MECHANISM and HTTP uses SPNEGO_MECHANISM.

I firmly believe that the way forward here is to rip out the FBOpenSSL
bit altogether. I'm working on that now; to quote the commit message
from http://git.infradead.org/users/dwmw2/curl.git/commitdiff/d7bb1f66
[...]

Yes, that is way better. My patch was intended as intermediate only. Your approach resembles mine. Rip out fbopenssl and make it use GSS-API only.

Your patch looks good but not complete, right? I would like to follow your improvements and make comments on what can be done even better. What I had in mind additionally is to have '--kerberos' react on 'WWW-Authenticate: Kerberos' too.

Moreover, I can test the entire stuff on three Unix OSes against GSS-API, SSPI, and JGSS. So, a very good test coverage should be achieved. Servers on FreeBSD, Windows Servers, HP-UX and HTTP proxy on Windows Server.

If Daniel and/or someone else is willing to merge your patches, my two patches should be halted and discarded when you provide yours.

Michael
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html