On Sun, Aug 03, 2014 at 08:53:55PM +0200, Michael Osipov wrote:
> On 2014-08-03 at 11:27, Dan Fandrich wrote:
> >On Sun, Aug 03, 2014 at 10:50:21AM +0200, Michael Osipov wrote:
> >>On 2014-08-03 at 10:27, Dan Fandrich wrote:
> >>>On Sat, Aug 02, 2014 at 02:18:29PM +0000, Michael Osipov wrote:
> >>>>@@ -180,7 +180,8 @@ FOOTNOTES
> >>>> *1 = requires OpenSSL, GnuTLS, NSS, yassl, axTLS, PolarSSL, WinSSL
> >>>> (native
> >>>> Windows), Secure Transport (native iOS/OS X) or qssl (native IBM
> >>>> i)
> >>>> *2 = requires OpenLDAP
> >>>>- *3 = requires a GSSAPI-compliant library, such as Heimdal or similar
> >>>>+ *3 = requires a GSS-API implementation, such as Heimdal, MIT Kerberos
> >>>>or
> >>>>+ SSPI (native Windows)
> >>>> *4 = requires nghttp2 and possibly a recent TLS library
> >>>> *5 = requires a krb4 library, such as the MIT one or similar
> >>>> *6 = requires c-ares
> >>>
> >>>Minor nit on this one -- this implies that SSPI provides a GSS-API
> >>>implementation.
> >>>This might be slightly clearer:
> >>>
> >>>+ *3 = requires a GSS-API implementation such as Heimdal or MIT Kerberos,
> >>>or
> >>>+ SSPI (native Windows)
> >>
> >>In fact, SSPI is a proprietary GSS-API implementation but I do
> >>understand what you are referring to. I have trouble phrasing this in
> >>an unambiguous way.
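
Review bot: the new *3 text places SSPI inside the "such as Heimdal, MIT Kerberos or" list, so it reads as one more GSS-API implementation rather than an alternative to one. Move SSPI out of the "such as" clause, and because the discussion in this thread notes that FTP does not support Kerberos with SSPI, consider splitting *3 into separate footnotes for the GSS-API and SSPI cases so that each feature referencing *3 stays accurate.
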
But if SSPI provides a GSS-API implementation, why doesn't ftp.c use it? If SSPI
provides the same API as MIT/Heimdal, there would be no reason to avoid using
it there. Where is my understanding going wrong?

> >>Is this better: requires a GSS-API implementation (Unix-like OS) such
> >>as Heimdal or MIT Kerberos, or SSPI (native Windows)
> >>
> >>In general, those who know what SPNEGO is, will know the difference
> >>between GSS-API and SSPI, IMHO.
> >>
> >>How would you rephrase that?
> >
> >I'm no expert on these differences, but I note that the Kerberos code for
> >FTP, IMAP, POP3, SMTP is disabled if SSPI is in use.
>
> Except FTP none of those SASL-aware protocols use any GSS mechanism in curl.

Ah, I see it now. Those protocols detect a GSS-API request but there's no
actual code to perform it.

> >If SSPI truly provided
> >a GSS-API implementation, then I would expect this GSS-API code to be
> >enabled.
> >As *3 seems to conflate GSS-API and SPNEGO requirements, perhaps it should be
> >split into two line items in the spirit of clarified documentation.
>
> What about:
>
> *3 = requires a GSS-API implementation (Heimdal, MIT Kerberos) or
> SSPI (native Windows)

This still isn't accurate in the case of FTP, since FTP won't support Kerberos
with SSPI.

>>> Dan
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html