Closed
I did this
Ensure there is not any valid krb5 ticket
sh-5.0# klist -l
Principal name Cache name
-------------- ----------
Try to use GSSAPI authentication for some site.
It will obviously fail, but it should continue with basic auth.
sh-5.0# curl -v --negotiate -u : -k https://kvm-guest.example.com/application/login
* Trying 10.37.153.81...
* TCP_NODELAY set
* Connected to kvm-guest.example.com (10.37.153.81) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; O=Unspecified; CN=kvm-guest.example.com; emailAddress=root@kvm-guest.example.com
* start date: Apr 3 14:59:21 2019 GMT
* expire date: Apr 7 16:39:21 2020 GMT
* issuer: C=US; O=Unspecified; OU=ca-64193668093928912; CN=kvm-guest.example.com; emailAddress=root@kvm-guest.example.com
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* gss_init_sec_context() failed: SPNEGO cannot find mechanisms to negotiate.
* Connection #0 to host kvm-guest.example.com left intact
curl: (27) Out of memory
* Closing connection 0
I expected the following
sh-5.0# curl -v --negotiate -u : -k https://kvm-02-guest07.rhts.eng.brq.redhat.com/application/login
* Trying 10.37.153.81...
* TCP_NODELAY set
* Connected to kvm-02-guest07.rhts.eng.brq.redhat.com (10.37.153.81) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; O=Unspecified; CN=kvm-02-guest07.rhts.eng.brq.redhat.com; emailAddress=root@kvm-02-guest07.rhts.eng.brq.redhat.com
* start date: Apr 3 14:59:21 2019 GMT
* expire date: Apr 7 16:39:21 2020 GMT
* issuer: C=US; O=Unspecified; OU=ca-64193668093928912; CN=kvm-02-guest07.rhts.eng.brq.redhat.com; emailAddress=root@kvm-02-guest07.rhts.eng.brq.redhat.com
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /application/login HTTP/1.1
> Host: kvm-02-guest07.rhts.eng.brq.redhat.com
> User-Agent: curl/7.64.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 401 Unauthorized
< Date: Wed, 03 Apr 2019 21:28:08 GMT
< Server: Apache/2.4.38 (Fedora) OpenSSL/1.1.1b mod_auth_gssapi/1.6.1
* gss_init_sec_context() failed: SPNEGO cannot find mechanisms to negotiate.
< WWW-Authenticate: Negotiate
< Content-Length: 127
< Content-Type: text/html; charset=iso-8859-1
<
* Connection #0 to host kvm-02-guest07.rhts.eng.brq.redhat.com left intact
<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>sh-5.0#
curl/libcurl version
sh-5.0# curl -V
curl 7.64.1 (x86_64-redhat-linux-gnu) libcurl/7.64.1 OpenSSL/1.1.1b zlib/1.2.11 brotli/1.0.7 libidn2/2.1.1 libpsl/0.20.2 (+libidn2/2.0.5) libssh/0.8.7/openssl/zlib nghttp2/1.37.0
Release-Date: 2019-03-27
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
operating system
sh-5.0# rpm -q curl
curl-7.64.1-1.fc31.x86_64
sh-5.0# cat /etc/os-release
NAME=Fedora
VERSION="31 (Rawhide)"
ID=fedora
VERSION_ID=31
VERSION_CODENAME=""
PLATFORM_ID="platform:f31"
PRETTY_NAME="Fedora 31 (Rawhide)"
ANSI_COLOR="0;34"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:31"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=rawhide
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=rawhide
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
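
A triage helper for the two outcomes shown in this report, as an added example that is not part of the original issue or of curl's own code: it classifies a saved `curl -v --negotiate -u :` log as "aborted with exit 27" or "continued to an HTTP response" after the GSS-API failure. The function names, verdict strings and trimmed sample logs are constructed for illustration; `KRB5CCNAME` is the MIT Kerberos credential-cache variable, pointed here at a file that does not exist so that no ticket is available.

```shell
#!/bin/sh
# classify_negotiate_run LOGFILE EXIT_CODE: prints one verdict word.
classify_negotiate_run() {
    log=$1; rc=$2
    if ! grep -q 'gss_init_sec_context() failed' "$log"; then
        echo no-gss-failure
    elif grep -q '^< HTTP/' "$log"; then
        # A response status line is present, so the transfer went on.
        echo continued-after-gss-failure
    elif [ "$rc" -eq 27 ]; then
        # Exit status 27 is CURLE_OUT_OF_MEMORY, as in the failing run.
        echo aborted-with-exit-27
    else
        echo aborted-other
    fi
}

# write_sample_logs DIR: constructed excerpts of the two logs in the report.
write_sample_logs() {
    cat > "$1/aborted.log" <<'EOF'
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* gss_init_sec_context() failed: SPNEGO cannot find mechanisms to negotiate.
* Connection #0 to host kvm-guest.example.com left intact
curl: (27) Out of memory
EOF
    cat > "$1/continued.log" <<'EOF'
> GET /application/login HTTP/1.1
< HTTP/1.1 401 Unauthorized
* gss_init_sec_context() failed: SPNEGO cannot find mechanisms to negotiate.
< WWW-Authenticate: Negotiate
EOF
}

# live_check URL [curl options]: rerun the report's command with an empty
# credential cache and classify the result. Not called by the demo below.
live_check() {
    tmp=$(mktemp -d) || return 1
    rc=0
    KRB5CCNAME="FILE:$tmp/no-such-ccache" \
        curl -sS -v --negotiate -u : -o /dev/null "$@" 2>"$tmp/run.log" || rc=$?
    classify_negotiate_run "$tmp/run.log" "$rc"
    rm -rf "$tmp"
}

demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
classify_negotiate_run "$demo_dir/aborted.log" 27
classify_negotiate_run "$demo_dir/continued.log" 0
rm -rf "$demo_dir"
```

`live_check https://host.example/path` runs the same command against a server of your own; a verdict of `aborted-with-exit-27` matches the first log in this report.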