CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy auth #1454
@kdudka, thanks for your PR! By analyzing the history of the files in this pull request, we identified @bagder, @dfandrich and @yangtse to be potential reviewers.
Hi, I'm not well familiar with socks authentication but from what I could find (RFC 1961 and our code) I think that the 'negotiate' terminology might not be appropriate for socks authentication.
@Frenche Hi Isaac, thanks for review! Although I do not know the terminology myself, your suggestion about calling it GSS-API instead of Negotiate makes perfect sense to me. I prefer to use
Hi, the code changes look ok, however I wonder why the tool option is different from the library one, why can't we have --socks5-basic and --socks5-gssapi like we have --proxy-basic and --proxy-negotiate.
The patch introduces both
Currently, with HTTP and Proxy authentication, if no method has been specified it will use libcurl default (basic only), if one specifies --negotiate then it will be the only one allowed, if one specifies more than one, like --negotiate --ntlm then both would be allowed.
Good point. I will rework handling of the tool options.
Sorry for being silent on this. I have been busy with my newly born daughter. I will resubmit this PR later this week...
... to make it obvious what the data is used for
If libcurl was built with GSS-API support, it unconditionally advertised GSS-API authentication while connecting to a SOCKS5 proxy. This caused problems in environments with improperly configured Kerberos: a stock libcurl failed to connect, despite libcurl built without GSS-API connected fine using username and password.

This commit introduces the CURLOPT_SOCKS5_AUTH option to control the allowed methods for SOCKS5 authentication at run time.

Note that a new option was preferred over reusing CURLOPT_PROXYAUTH for compatibility reasons because the set of authentication methods allowed by default was different for HTTP and SOCKS5 proxies.

Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html
@Frenche Hi, I have reworked the command-line options per your suggestion. The disadvantage of this approach is that
Looks good to me.
On Jun 20, 2017 17:08, "Kamil Dudka" <notifications@github.com> wrote:
> @Frenche <https://github.com/frenche> Hi, I have reworked the command-line
> options per your suggestion. The disadvantage of this approach is that
> --no-socks5-gssapi used on its own does nothing (similarly to --no-basic).
Right, but the new way is still better and more consistent.
If we'd want to solve that, I think we'd need to initially set libcurl
defaults in the tool and then apply user's methods. But that's I think too
much work, while the user can still currently achieve any desired auth
combination.
Congratulations on the birth of your daughter!
On Friday, June 23, 2017 00:30:21 Isaac Boukris wrote:
> Right, but the new way is still better and more consistent.
> If we'd want to solve that, I think we'd need to initially set libcurl
> defaults in the tool and then apply user's methods. But that's I think too
> much work, while the user can still currently achieve any desired auth
> combination.

Thanks for review! I agree that it is now more consistent with the way that
curl handles HTTP authentication. I will merge it in a few days if nobody
else comments on this.

> Congratulations on the birth of your daughter!

Thanks!
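
The commit message in this thread describes a client that advertises GSS-API in its SOCKS5 greeting whether or not the caller wants it. The following is an added sketch, not code from this PR or from libcurl, of the RFC 1928 method negotiation with a run-time allow mask. The `ALLOW_*` bits, the function names, the choice to always offer "no authentication", and the proxy's preference order are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Method codes from RFC 1928, section 3. */
enum { M_NONE = 0x00, M_GSSAPI = 0x01, M_USERPASS = 0x02, M_REJECT = 0xFF };
/* Hypothetical allow-mask bits for this sketch, not libcurl's CURLAUTH_* values. */
enum { ALLOW_USERPASS = 1 << 0, ALLOW_GSSAPI = 1 << 1 };

/* Build the client greeting VER, NMETHODS, METHODS...; returns its length. */
size_t socks5_greeting(unsigned allowed, int have_creds, unsigned char out[5])
{
  size_t n = 2;
  out[0] = 0x05;                      /* SOCKS version */
  out[n++] = M_NONE;                  /* assumption: always offered in this sketch */
  if(allowed & ALLOW_GSSAPI)
    out[n++] = M_GSSAPI;              /* advertised only when the caller allows it */
  if((allowed & ALLOW_USERPASS) && have_creds)
    out[n++] = M_USERPASS;
  out[1] = (unsigned char)(n - 2);    /* NMETHODS */
  return n;
}

/* Constructed proxy policy: requires auth and prefers GSS-API over user/pass. */
int proxy_select(const unsigned char *greet, size_t len)
{
  int gss = 0, up = 0;
  if(len < 3 || greet[0] != 0x05 || (size_t)greet[1] + 2 != len)
    return M_REJECT;                  /* malformed greeting */
  for(size_t i = 2; i < len; i++) {
    gss |= greet[i] == M_GSSAPI;
    up |= greet[i] == M_USERPASS;
  }
  return gss ? M_GSSAPI : up ? M_USERPASS : M_REJECT;
}

/* Method the constructed proxy picks for a given client allow mask. */
int negotiated_method(unsigned allowed, int have_creds)
{
  unsigned char g[5];
  return proxy_select(g, socks5_greeting(allowed, have_creds, g));
}

int main(void)
{
  printf("both allowed:  0x%02x\n", negotiated_method(ALLOW_USERPASS | ALLOW_GSSAPI, 1));
  printf("userpass only: 0x%02x\n", negotiated_method(ALLOW_USERPASS, 1));
  return 0;
}
```

With both methods advertised, this proxy selects GSS-API, so a broken Kerberos setup on the client fails the connection even though valid username/password credentials were supplied; dropping GSS-API from the mask makes the same proxy select username/password.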