http_negotiate: do not close connection until negotiation is completed #3275
The aim of this PR is to fix the HTTP POST using CURLAUTH_NEGOTIATE.
When connecting to an HTTP URL through a proxy that accepts Negotiation-based authorization, libcURL fails to login to the proxy. The Negotiate protocol requires two round trips with the proxy. During the first one the client provides the Negotiate flags and the proxy answers with a Negotiate challenge, returning also HTTP 407. In the second round trip, the client provides the answer to the challenge and, if the proxy accepts it, it returns HTTP 200.
The change is aimed at setting authstatus->done to true only if the client thinks it is at the last stage of its negotiation, to prevent libcURL from closing the socket while the negotiation is still ongoing. The negotiation can be considered as complete when the final status of the SPNEGO decoding is a completion status (GSS_S_COMPLETE for GSSAPI and SEC_E_OK for SSPI).
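The two round trips described above can be modelled as a small state machine. This is an added example, not code from the PR or from libcurl: `struct auth_model`, `proxy_respond`, `negotiate` and the `MECH_*` constants are hypothetical stand-ins, and the model assumes the proxy ties its security context to the connection, so a dropped socket restarts the handshake.

```c
#include <stdbool.h>

/* Stand-ins for the mechanism status (GSS_S_CONTINUE_NEEDED / GSS_S_COMPLETE
   in GSSAPI, SEC_I_CONTINUE_NEEDED / SEC_E_OK in SSPI). */
enum mech_status { MECH_CONTINUE_NEEDED, MECH_COMPLETE };

struct auth_model {   /* hypothetical, not libcurl's own struct */
  bool done;          /* should be true only once negotiation has finished */
  int round_trips;    /* requests sent to the proxy */
  int reconnects;     /* times the socket was dropped mid-handshake */
};

/* Constructed proxy: 407 plus challenge on the first token, 200 on the
   second. A new connection resets the per-connection context (assumption). */
static int proxy_respond(int *ctx_step, bool new_connection)
{
  if(new_connection)
    *ctx_step = 0;
  return (++*ctx_step >= 2) ? 200 : 407;
}

/* Runs the handshake and returns the last HTTP status. mark_done_early models
   flagging the auth as done after the first token; otherwise done follows the
   mechanism status, as the PR description proposes. */
int negotiate(struct auth_model *a, bool mark_done_early, int max_trips)
{
  int ctx_step = 0, http = 0;
  bool new_conn = true;
  a->done = false;
  a->round_trips = 0;
  a->reconnects = 0;
  while(a->round_trips < max_trips) {
    http = proxy_respond(&ctx_step, new_conn);
    a->round_trips++;
    enum mech_status st = (http == 200) ? MECH_COMPLETE : MECH_CONTINUE_NEEDED;
    a->done = mark_done_early ? true : (st == MECH_COMPLETE);
    if(http == 200)
      break;
    /* A 407 while done is already true: the socket is not kept for auth. */
    new_conn = a->done;
    if(new_conn)
      a->reconnects++;
  }
  return http;
}
```

With `done` tied to the completion status the model reaches HTTP 200 on the second round trip over one connection; with `done` set early every attempt ends in 407 until `max_trips` is exhausted.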
This change broke
I have not had enough time to properly analyze what happened. Just sharing the information we have at this point...
Yes, Fedora uses Kerberos to authenticate users at certain services. Some basic info about their use of Kerberos is available here:
Sorry, I have not been able to look at this closer yet.