On Wed, 2011-08-24 at 05:52 -0400, Bert Huijben wrote: > Then somebody added Kerberos support to neon, but the api wasn't > updated to allow different behavior for the specific implementations.
Kerberos via HTTP negotiate is also insecure when not used over HTTPS. In HTTP negotiate, the GSSAPI mechanism (Kerberos) isn't used to protect the data stream, only to authenticate. So you still need a secure channel. (Also, negotiate auth does no channel binding, which means Kerberos provides no additional protection against MITM attacks on the TLS channel. That just means it's still important for the client to verify the server cert. I've heard that Microsoft has some extensions to RFC 4559 to do channel binding, but I don't know any details and Neon almost certainly doesn't have any support for it.)
