Re: How to set service name for SPNEGO?
On 04/06/2015 05:26 PM, Linus Nielsen wrote:
> On 04/04/2015 12:51 AM, Daniel Stenberg wrote:
>> Thanks! I'm fine with the change and as there's at least one user saying
>> it looks fine I'm happy. I have no way of testing this myself. The changes
>> seem totally benign to me.
>
> One thing worries me a little, the CURLOPT_PROXY_SERVICE_NAME option. The
> default is rcmd, since it was a socks5-only option. If I use this option
> for the Kerberos/SPNEGO/Digest proxy negotiation, the default name will be
> incorrect. We can probably fix this in the curl tool, but libcurl
> applications will stop working unless they set CURLOPT_PROXY_SERVICE_NAME
> to HTTP when connecting to a Kerberos/SPNEGO/Digest proxy.
>
> The current patch does not use CURLOPT_PROXY_SERVICE_NAME for
> Kerberos/SPNEGO/Digest proxies (hardcoded to HTTP), but that seems wrong as
> well. The whole point of replacing CURLOPT_SOCKS5_GSSAPI_SERVICE was to
> have one option for all mechanisms, but that will break one or the other.
>
> Perhaps I should take a step back and keep the CURLOPT_SOCKS5_GSSAPI_SERVICE
> option as-is, and add the CURLOPT_PROXY_SERVICE_NAME for all other
> mechanisms.
>
> Thoughts?
>
> Linus

For lack of feedback, I decided to take that backwards step and not deprecate CURLOPT_SOCKS5_GSSAPI_SERVICE. Here is a new patch.

Linus

From 1a4b677f1a9a44f64300643843092252cc34c3e2 Mon Sep 17 00:00:00 2001
From: Linus Nielsen li...@haxx.se
Date: Sun, 29 Mar 2015 14:52:31 +0200
Subject: [PATCH] Add the possibility to set the service name for SPNEGO negotiation.

* Add new options, CURLOPT_PROXY_SERVICE_NAME and CURLOPT_SERVICE_NAME.
* Add new curl options, --proxy-service-name and --service-name.
---
 docs/curl.1 | 10 ++
 docs/libcurl/curl_easy_setopt.3 | 4 +++
 docs/libcurl/opts/CURLOPT_PROXY_SERVICE_NAME.3 | 46 ++
 docs/libcurl/opts/CURLOPT_SERVICE_NAME.3 | 46 ++
 docs/libcurl/symbols-in-versions | 2 ++
 include/curl/curl.h | 6
 include/curl/typecheck-gcc.h | 2 ++
 lib/http_negotiate.c | 6 ++--
 lib/http_negotiate_sspi.c | 7 ++--
 lib/url.c | 29
 lib/url.h | 3 ++
 lib/urldata.h | 2 ++
 packages/OS400/ccsidcurl.c | 2 ++
 src/tool_cfgable.c | 2 ++
 src/tool_cfgable.h | 4 +++
 src/tool_getparam.c | 8 +
 src/tool_operate.c | 11 ++
 17 files changed, 185 insertions(+), 5 deletions(-)
 create mode 100644 docs/libcurl/opts/CURLOPT_PROXY_SERVICE_NAME.3
 create mode 100644 docs/libcurl/opts/CURLOPT_SERVICE_NAME.3

diff --git a/docs/curl.1 b/docs/curl.1 index 908f648..7cc4b74 100644 --- a/docs/curl.1 +++ b/docs/curl.1 @@ -1326,6 +1326,11 @@ with a remote host. (Added in 7.17.1) .IP --proxy-ntlm Tells curl to use HTTP NTLM authentication when communicating with the given proxy. Use \fI--ntlm\fP for enabling NTLM with a remote host. +.IP --proxy-service-name servicename +This option allows you to change the service name for proxy negotiation. + +Examples: --proxy-negotiate proxy-name \fI--proxy-service-name\fP sockd would use +sockd/proxy-name. (Added in 7.42.0). .IP --proxy1.0 proxyhost[:port] Use the specified HTTP 1.0 proxy. If the port number is not specified, it is assumed at port 1080.
@@ -1507,6 +1512,11 @@ terminal/stdout unless you redirect it. .IP --sasl-ir Enable initial response in SASL authentication. (Added in 7.31.0) +.IP --service-name servicename +This option allows you to change the service name for SPNEGO. + +Examples: --negotiate \fI--service-name\fP sockd would use +sockd/server-name. (Added in 7.42.0). .IP -S, --show-error When used with \fI-s\fP it makes curl show an error message if it fails. .IP --ssl diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index 712dae9..4e5b8de 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 @@ -165,6 +165,10 @@ Tunnel through the HTTP proxy. \fICURLOPT_HTTPPROXYTUNNEL(3)\fP Socks5 GSSAPI service name. \fICURLOPT_SOCKS5_GSSAPI_SERVICE(3)\fP .IP CURLOPT_SOCKS5_GSSAPI_NEC Socks5 GSSAPI NEC mode. See \fICURLOPT_SOCKS5_GSSAPI_NEC(3)\fP +.IP CURLOPT_PROXY_SERVICE_NAME +Proxy service name. \fICURLOPT_PROXY_SERVICE_NAME(3)\fP +.IP CURLOPT_SERVICE_NAME +SPNEGO service name. \fICURLOPT_SERVICE_NAME(3)\fP .IP CURLOPT_INTERFACE Bind connection locally to this. See \fICURLOPT_INTERFACE(3)\fP .IP CURLOPT_LOCALPORT diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SERVICE_NAME.3 b/docs/libcurl/opts/CURLOPT_PROXY_SERVICE_NAME.3 new file mode 100644 index 000..abdfad5 --- /dev/null +++ b/docs/libcurl/opts/CURLOPT_PROXY_SERVICE_NAME.3 @@ -0,0 +1,46 @@ +.\
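Review bot: in the --proxy-service-name example, "proxy-name" reads as an argument to --proxy-negotiate, which takes none; the proxy host is given with --proxy, so spell the example out as "--proxy proxy-name --proxy-negotiate --proxy-service-name sockd". Since this revision keeps --socks5-gssapi-service for SOCKS5 and the diffstat only touches lib/http_negotiate*.c, "sockd" is also a misleading sample value for an HTTP proxy; pick a name other than the SOCKS one and state the default (HTTP) in the entry.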
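Review bot: the --service-name entry does not say what the default is (HTTP, per CURL_DEFAULT_SERVICE_NAME elsewhere in the thread) or that the value is prefixed to the host name to form the SPN, which is exactly what the original question about a foo.service/hostname@realm principal was missing; add a sentence for both, and prefer an example such as foo.service over sockd, which is the SOCKS service name.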
Re: How to set service name for SPNEGO?
Linus, thanks a lot! The change to the STRING_SERVICE_NAME part looks great. I am looking forward to seeing this in.

Best regards,
Wenlong

On Fri, Apr 17, 2015 at 5:46 AM, Linus Nielsen li...@haxx.se wrote:
> On 04/06/2015 05:26 PM, Linus Nielsen wrote:
>> On 04/04/2015 12:51 AM, Daniel Stenberg wrote:
>>> Thanks! I'm fine with the change and as there's at least one user saying
>>> it looks fine I'm happy. I have no way of testing this myself. The
>>> changes seem totally benign to me.
>>
>> One thing worries me a little, the CURLOPT_PROXY_SERVICE_NAME option. The
>> default is rcmd, since it was a socks5-only option. If I use this option
>> for the Kerberos/SPNEGO/Digest proxy negotiation, the default name will
>> be incorrect. We can probably fix this in the curl tool, but libcurl
>> applications will stop working unless they set CURLOPT_PROXY_SERVICE_NAME
>> to HTTP when connecting to a Kerberos/SPNEGO/Digest proxy.
>>
>> The current patch does not use CURLOPT_PROXY_SERVICE_NAME for
>> Kerberos/SPNEGO/Digest proxies (hardcoded to HTTP), but that seems wrong
>> as well. The whole point of replacing CURLOPT_SOCKS5_GSSAPI_SERVICE was
>> to have one option for all mechanisms, but that will break one or the
>> other.
>>
>> Perhaps I should take a step back and keep the
>> CURLOPT_SOCKS5_GSSAPI_SERVICE option as-is, and add the
>> CURLOPT_PROXY_SERVICE_NAME for all other mechanisms.
>>
>> Thoughts?
>>
>> Linus
>
> For lack of feedback, I decided to take that backwards step and not
> deprecate CURLOPT_SOCKS5_GSSAPI_SERVICE. Here is a new patch.
>
> Linus

---
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Re: How to set service name for SPNEGO?
On 04/04/2015 12:51 AM, Daniel Stenberg wrote:
> Thanks! I'm fine with the change and as there's at least one user saying it
> looks fine I'm happy. I have no way of testing this myself. The changes
> seem totally benign to me.

One thing worries me a little, the CURLOPT_PROXY_SERVICE_NAME option. The default is rcmd, since it was a socks5-only option. If I use this option for the Kerberos/SPNEGO/Digest proxy negotiation, the default name will be incorrect. We can probably fix this in the curl tool, but libcurl applications will stop working unless they set CURLOPT_PROXY_SERVICE_NAME to HTTP when connecting to a Kerberos/SPNEGO/Digest proxy.

The current patch does not use CURLOPT_PROXY_SERVICE_NAME for Kerberos/SPNEGO/Digest proxies (hardcoded to HTTP), but that seems wrong as well. The whole point of replacing CURLOPT_SOCKS5_GSSAPI_SERVICE was to have one option for all mechanisms, but that will break one or the other.

Perhaps I should take a step back and keep the CURLOPT_SOCKS5_GSSAPI_SERVICE option as-is, and add the CURLOPT_PROXY_SERVICE_NAME for all other mechanisms.

Thoughts?

Linus
Re: How to set service name for SPNEGO?
On Wed, 1 Apr 2015, Linus Nielsen wrote:

> Good catch. It is. Use the attached patch instead. It should be applied to
> the latest git master.

Thanks! I'm fine with the change and as there's at least one user saying it looks fine I'm happy. I have no way of testing this myself. The changes seem totally benign to me.

Two nits:

1 - There are no documentation updates included.

2 - docs/libcurl/symbols-in-versions needs an update as well, as otherwise test 1119 will fail

For good measure let me throw in an extra little thing too: please consider doing a full git commit and then get the patch with git format-patch to make it an even smoother process.

-- 
 / daniel.haxx.se
Re: How to set service name for SPNEGO?
On 04/01/2015 05:51 AM, Wenlong Dong wrote:
> Linus, thanks a lot for making the change! The change overall looks great
> to me. I was not able to patch it locally somehow (not sure whether I have
> to find the exact commit to sync to) and here are some minor comments:
>
> *) lib/http_negotiate.c:
>
> +char *spn = Curl_sasl_build_gssapi_spn(
> +  proxy ? "HTTP" : data->set.str[STRING_SERVICE_NAME],
> +  proxy ? conn->proxy.name : conn->host.name);
>
> Q1: Could data->set.str[STRING_SERVICE_NAME] be null or is it defaulted to
> http when it's not set (from lib/url.c)?

The default should be HTTP, look at CURL_DEFAULT_SERVICE_NAME below.

> Q2: When proxy is true, should you use
> data->set.str[STRING_PROXY_SERVICE_NAME] instead of HTTP?

I was a little bit hesitant about that, since PROXY_SERVICE_NAME defaults to rcmd at the moment, since it replaces the SOCKS5_GSSAPI_SERVICE option. Maybe replacing it wasn't such a good idea after all.

> +neg_ctx->server_name =
> +  Curl_sasl_build_spn(proxy ? "HTTP" : data->set.str[STRING_SERVICE_NAME],
> +                      proxy ? conn->proxy.name : conn->host.name);
>
> Q3: Same questions as above.
>
> *) lib/url.h
>
> +#define CURL_DEFAULT_SERVICE_NAME "http" /* default negotiate service */
>
> Q4: Is the service name case sensitive? If it is, should it be HTTP?

Good catch. It is. Use the attached patch instead. It should be applied to the latest git master.

Linus

diff --git a/include/curl/curl.h b/include/curl/curl.h index ae1b0e4..e3b8b5c 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -1439,7 +1439,7 @@ typedef enum { /* block size for TFTP transfers */ CINIT(TFTP_BLKSIZE, LONG, 178), - /* Socks Service */ + /* Socks Service (deprecated) */ CINIT(SOCKS5_GSSAPI_SERVICE, OBJECTPOINT, 179), /* Socks Service */
@@ -1632,6 +1632,12 @@ typedef enum { /* Do not squash dot-dot sequences */ CINIT(PATH_AS_IS, LONG, 234), + /* Proxy Service Name */ + CINIT(PROXY_SERVICE_NAME, OBJECTPOINT, 235), + + /* Service Name */ + CINIT(SERVICE_NAME, OBJECTPOINT, 236), + CURLOPT_LASTENTRY /* the last unused */ } CURLoption; diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h index 69d41a2..13fb0fa 100644 --- a/include/curl/typecheck-gcc.h +++ b/include/curl/typecheck-gcc.h @@ -270,6 +270,8 @@ _CURL_WARNING(_curl_easy_getinfo_err_curl_slist, (option) == CURLOPT_DNS_LOCAL_IP4 || \ (option) == CURLOPT_DNS_LOCAL_IP6 || \ (option) == CURLOPT_LOGIN_OPTIONS || \ + (option) == CURLOPT_PROXY_SERVICE_NAME || \ + (option) == CURLOPT_SERVICE_NAME ||\ 0) /* evaluates to true if option takes a curl_write_callback argument */ diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 21658cf..b8bf89f 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -62,8 +62,9 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, if(!neg_ctx-server_name) { /* Generate our SPN */ -char *spn = Curl_sasl_build_gssapi_spn(HTTP, proxy ? conn-proxy.name : - conn-host.name); +char *spn = Curl_sasl_build_gssapi_spn( + proxy ? HTTP : data-set.str[STRING_SERVICE_NAME], + proxy ? conn-proxy.name : conn-host.name); if(!spn) return CURLE_OUT_OF_MEMORY; diff --git a/lib/http_negotiate_sspi.c b/lib/http_negotiate_sspi.c index 20f8d64..5347b54 100644 --- a/lib/http_negotiate_sspi.c +++ b/lib/http_negotiate_sspi.c @@ -93,9 +93,9 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, return CURLE_BAD_FUNCTION_ARGUMENT; /* Generate our SPN */ -neg_ctx-server_name = Curl_sasl_build_spn(HTTP, -proxy ? conn-proxy.name : -conn-host.name); +neg_ctx-server_name = + Curl_sasl_build_spn(proxy ? HTTP : data-set.str[STRING_SERVICE_NAME], + proxy ? conn-proxy.name : conn-host.name); if(!neg_ctx-server_name) return CURLE_OUT_OF_MEMORY; } 
diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c index 8e575c2..43ae4da 100644 --- a/lib/socks_gssapi.c +++ b/lib/socks_gssapi.c @@ -120,7 +120,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex, unsigned short us_length; char *user=NULL; unsigned char socksreq[4]; /* room for GSS-API exchange header only */ - char *serviceptr = data-set.str[STRING_SOCKS5_GSSAPI_SERVICE]; + char *serviceptr = data-set.str[STRING_PROXY_SERVICE_NAME]; /* GSS-API request looks like * ++--+-++ diff --git a/lib/socks_sspi.c b/lib/socks_sspi.c index a7708b2..c9499c9 100644 --- a/lib/socks_sspi.c
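Review bot: the "(deprecated)" tag on CURLOPT_SOCKS5_GSSAPI_SERVICE lives only in a comment, which gives callers nothing that compiles into a warning; the deprecation and the two new values 235 and 236 also still need docs/libcurl/symbols-in-versions entries (test 1119 fails without them, as Daniel points out) and CURLOPT_*.3 pages. The unchanged "/* Socks Service */" comment right below the edited one now reads like a stray copy; say which option it belongs to.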
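Review bot: nit on the second added line of the string-option list in typecheck-gcc.h: "||\" lacks the space before the backslash that the adjacent "|| \" continuation lines have; keep the macro lines uniform.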
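Review bot: data->set.str[STRING_SERVICE_NAME] goes into Curl_sasl_build_gssapi_spn in lib/http_negotiate.c without a NULL check. Even if lib/url.c installs CURL_DEFAULT_SERVICE_NAME at init (that part of the patch is not in this excerpt), a string option can be cleared again by setting it to NULL, and the SPN would then be formatted from a NULL pointer; fall back to the HTTP default when the slot is empty. The proxy branch also keeps a hardcoded "HTTP" while the same patch introduces CURLOPT_PROXY_SERVICE_NAME; if that is intentional because the proxy slot defaults to rcmd, a comment saying so would save the next reader the question Wenlong asked.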
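Review bot: lib/http_negotiate_sspi.c has the same unchecked data->set.str[STRING_SERVICE_NAME] as the GSS-API file, and the proxy/host plus service selection is now duplicated verbatim in two backends; resolving the string once (a small helper, or in lib/url.c) keeps the two from drifting apart.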
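Review bot: reading STRING_PROXY_SERVICE_NAME in lib/socks_gssapi.c means a value set through CURLOPT_SOCKS5_GSSAPI_SERVICE is only honoured if the lib/url.c change (cut off in this copy) stores both options in that same slot; please confirm, otherwise existing SOCKS5 callers silently lose their service name. It also ties the SOCKS5 default (rcmd) to whatever the new option defaults to, which is the rcmd-versus-HTTP conflict raised elsewhere in the thread.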
Re: How to set service name for SPNEGO?
Linus, thanks a lot for making the change! The change overall looks great to me. I was not able to patch it locally somehow (not sure whether I have to find the exact commit to sync to) and here are some minor comments:

*) lib/http_negotiate.c:

+char *spn = Curl_sasl_build_gssapi_spn(
+  proxy ? "HTTP" : data->set.str[STRING_SERVICE_NAME],
+  proxy ? conn->proxy.name : conn->host.name);

Q1: Could data->set.str[STRING_SERVICE_NAME] be null or is it defaulted to http when it's not set (from lib/url.c)?

Q2: When proxy is true, should you use data->set.str[STRING_PROXY_SERVICE_NAME] instead of HTTP?

+neg_ctx->server_name =
+  Curl_sasl_build_spn(proxy ? "HTTP" : data->set.str[STRING_SERVICE_NAME],
+                      proxy ? conn->proxy.name : conn->host.name);

Q3: Same questions as above.

*) lib/url.h

+#define CURL_DEFAULT_SERVICE_NAME "http" /* default negotiate service */

Q4: Is the service name case sensitive? If it is, should it be HTTP?

I will try to patch it locally and verify it.

Best regards,
Wenlong

On Mon, Mar 30, 2015 at 5:18 AM, Linus Nielsen li...@haxx.se wrote:
> On 02/19/2015 12:11 AM, Steve Holme wrote:
>> Some more random thoughts from me this evening...
>>
>> I wouldn't recommend replacing CURLOPT_SOCKS5_GSSAPI_SERVICE with
>> CURLOPT_SERVICE_NAME as Socks 5 is used as a proxy and a curl user /
>> libcurl programmer might want to set both the proxy and the protocol
>> service name. As such I would recommend something like:
>>
>> * libcurl - replace CURLOPT_SOCKS5_GSSAPI_SERVICE with
>>   CURLOPT_PROXY_SERVICE_NAME as it can then be used for HTTP proxy with
>>   Kerberos/SPNEGO/Digest and keep CURLOPT_SOCKS5_GSSAPI_SERVICE for
>>   backwards API compatibility
>> * libcurl - add CURLOPT_SERVICE_NAME as new value
>> * curl - replace --socks5-gssapi-service with --proxy-service-name and
>>   add --socks5-gssapi-service as an alias
>> * curl - add support for --service-name as a new argument
>
> I have picked up the baton to try to make this happen.
>
> Please have a look at the attached patch and see if it would work.
>
> Regards,
> Linus
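To make Q1, Q2 and Q4 concrete, here is an added example (not libcurl's code; pick_service_name, build_spn and spn_matches are hypothetical names) that does the same service-name selection as the patched ternary, but with the NULL fallback to a case-sensitive "HTTP" default, and joins it with the host in both the GSS-API host-based form (service@host) and the Kerberos principal form (service/host) that the two backends produce:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Kerberos service classes are case-sensitive: "HTTP", not "http" (Q4). */
#define DEFAULT_SERVICE_NAME "HTTP"

/* Pick the service part of the SPN. When talking to a proxy the proxy
 * option wins, otherwise the per-host option; an unset or cleared option
 * (NULL or "") falls back to the HTTP default instead of reaching the
 * formatter as a NULL pointer (Q1/Q2). */
const char *pick_service_name(int proxy, const char *service_name,
                              const char *proxy_service_name)
{
  const char *chosen = proxy ? proxy_service_name : service_name;
  if(!chosen || !*chosen)
    return DEFAULT_SERVICE_NAME;
  return chosen;
}

/* Join service and host: GSS-API host-based names are "service@host",
 * SSPI/Kerberos principal names are "service/host". Returns a malloc'd
 * string, or NULL on a missing argument or allocation failure. */
char *build_spn(const char *service, const char *host, int gss_hostbased)
{
  size_t len;
  char *spn;
  if(!service || !host)
    return NULL;
  len = strlen(service) + 1 + strlen(host) + 1;
  spn = malloc(len);
  if(!spn)
    return NULL;
  snprintf(spn, len, "%s%c%s", service, gss_hostbased ? '@' : '/', host);
  return spn;
}

/* Check helper: does selection + join yield exactly `expect`? */
int spn_matches(int proxy, const char *service_name,
                const char *proxy_service_name, const char *host,
                int gss_hostbased, const char *expect)
{
  const char *svc = pick_service_name(proxy, service_name, proxy_service_name);
  char *spn = build_spn(svc, host, gss_hostbased);
  int ok = spn && strcmp(spn, expect) == 0;
  free(spn);
  return ok;
}

int main(void)
{
  /* Constructed sample hosts; "foo.service" is the custom service class
   * from the original question. */
  const char *host = "www.example.test", *proxy = "proxy.example.test";
  char *a = build_spn(pick_service_name(0, NULL, NULL), host, 1);
  char *b = build_spn(pick_service_name(0, "foo.service", NULL), host, 0);
  char *c = build_spn(pick_service_name(1, "foo.service", NULL), proxy, 0);
  printf("%s\n%s\n%s\n", a, b, c);
  /* prints HTTP@www.example.test, foo.service/www.example.test,
   * HTTP/proxy.example.test */
  free(a); free(b); free(c);
  return 0;
}
```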
Re: How to set service name for SPNEGO?
On 02/19/2015 12:11 AM, Steve Holme wrote:
> Some more random thoughts from me this evening...
>
> I wouldn't recommend replacing CURLOPT_SOCKS5_GSSAPI_SERVICE with
> CURLOPT_SERVICE_NAME as Socks 5 is used as a proxy and a curl user / libcurl
> programmer might want to set both the proxy and the protocol service name.
> As such I would recommend something like:
>
> * libcurl - replace CURLOPT_SOCKS5_GSSAPI_SERVICE with
>   CURLOPT_PROXY_SERVICE_NAME as it can then be used for HTTP proxy with
>   Kerberos/SPNEGO/Digest and keep CURLOPT_SOCKS5_GSSAPI_SERVICE for
>   backwards API compatibility
> * libcurl - add CURLOPT_SERVICE_NAME as new value
> * curl - replace --socks5-gssapi-service with --proxy-service-name and add
>   --socks5-gssapi-service as an alias
> * curl - add support for --service-name as a new argument

I have picked up the baton to try to make this happen.

Please have a look at the attached patch and see if it would work.

Regards,
Linus

diff --git a/include/curl/curl.h b/include/curl/curl.h index ae1b0e4..e3b8b5c 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -1439,7 +1439,7 @@ typedef enum { /* block size for TFTP transfers */ CINIT(TFTP_BLKSIZE, LONG, 178), - /* Socks Service */ + /* Socks Service (deprecated) */ CINIT(SOCKS5_GSSAPI_SERVICE, OBJECTPOINT, 179), /* Socks Service */ @@ -1632,6 +1632,12 @@ typedef enum { /* Do not squash dot-dot sequences */ CINIT(PATH_AS_IS, LONG, 234), + /* Proxy Service Name */ + CINIT(PROXY_SERVICE_NAME, OBJECTPOINT, 235), + + /* Service Name */ + CINIT(SERVICE_NAME, OBJECTPOINT, 236), + CURLOPT_LASTENTRY /* the last unused */ } CURLoption; diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h index 69d41a2..13fb0fa 100644 --- a/include/curl/typecheck-gcc.h +++ b/include/curl/typecheck-gcc.h
@@ -270,6 +270,8 @@ _CURL_WARNING(_curl_easy_getinfo_err_curl_slist, (option) == CURLOPT_DNS_LOCAL_IP4 || \ (option) == CURLOPT_DNS_LOCAL_IP6 || \ (option) == CURLOPT_LOGIN_OPTIONS || \ + (option) == CURLOPT_PROXY_SERVICE_NAME || \ + (option) == CURLOPT_SERVICE_NAME ||\ 0) /* evaluates to true if option takes a curl_write_callback argument */ diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 21658cf..b8bf89f 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -62,8 +62,9 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, if(!neg_ctx-server_name) { /* Generate our SPN */ -char *spn = Curl_sasl_build_gssapi_spn(HTTP, proxy ? conn-proxy.name : - conn-host.name); +char *spn = Curl_sasl_build_gssapi_spn( + proxy ? HTTP : data-set.str[STRING_SERVICE_NAME], + proxy ? conn-proxy.name : conn-host.name); if(!spn) return CURLE_OUT_OF_MEMORY; diff --git a/lib/http_negotiate_sspi.c b/lib/http_negotiate_sspi.c index 20f8d64..5347b54 100644 --- a/lib/http_negotiate_sspi.c +++ b/lib/http_negotiate_sspi.c @@ -93,9 +93,9 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, return CURLE_BAD_FUNCTION_ARGUMENT; /* Generate our SPN */ -neg_ctx-server_name = Curl_sasl_build_spn(HTTP, -proxy ? conn-proxy.name : -conn-host.name); +neg_ctx-server_name = + Curl_sasl_build_spn(proxy ? HTTP : data-set.str[STRING_SERVICE_NAME], + proxy ? conn-proxy.name : conn-host.name); if(!neg_ctx-server_name) return CURLE_OUT_OF_MEMORY; } diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c index 8e575c2..43ae4da 100644 --- a/lib/socks_gssapi.c +++ b/lib/socks_gssapi.c @@ -120,7 +120,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex, unsigned short us_length; char *user=NULL; unsigned char socksreq[4]; /* room for GSS-API exchange header only */ - char *serviceptr = data-set.str[STRING_SOCKS5_GSSAPI_SERVICE]; + char *serviceptr = data-set.str[STRING_PROXY_SERVICE_NAME]; /* GSS-API request looks like * ++--+-++ 
diff --git a/lib/socks_sspi.c b/lib/socks_sspi.c index a7708b2..c9499c9 100644 --- a/lib/socks_sspi.c +++ b/lib/socks_sspi.c @@ -83,7 +83,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex, unsigned short us_length; unsigned long qop; unsigned char socksreq[4]; /* room for GSS-API exchange header only */ - char *service = data-set.str[STRING_SOCKS5_GSSAPI_SERVICE]; + char *service = data-set.str[STRING_PROXY_SERVICE_NAME]; /* GSS-API request looks like * ++--+-++ diff --git a/lib/url.c b/lib/url.c index 018bb88..c640e52 100644 --- a/lib/url.c +++ b/lib/url.c @@ -572,8 +572,14 @@ CURLcode
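Review bot: lib/socks_sspi.c now reads STRING_PROXY_SERVICE_NAME like the GSS-API SOCKS backend, so the same compatibility question applies to both: values set via CURLOPT_SOCKS5_GSSAPI_SERVICE must land in that slot in lib/url.c (the patch is cut off right at that hunk's header here), and the slot's default must stay rcmd for SOCKS5 while an HTTP proxy wants HTTP, which one shared option cannot satisfy without per-mechanism defaulting.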
Re: How to set service name for SPNEGO?
Steve, many thanks! Your thinking makes total sense to me after looking at the code. Socks5/proxy are indeed separate.

I just checked with our legal counsel. Unfortunately our policy does not allow me to contribute code into libcurl. I am sorry about that. It would be great if someone else can help to make this change.

-Wenlong

On Wed, Feb 18, 2015 at 3:11 PM, Steve Holme steve_ho...@hotmail.com wrote:
> On Tue, 17 Feb 2015, Wenlong Dong wrote:
>
>>> * I'd rather support this across all of our mechanisms that use a SPN
>>>   (such as Socks 5, SPNEGO, Kerberos, Digest) in each of the GSS-API,
>>>   SSPI and Native implementations
>>> * Possibly deprecate CURLOPT_SOCKS5_GSSAPI_SERVICE (I would suggest a new
>>>   CURLOPT_SERVICE_NAME or CURLOPT_SPN, etc... option with the same value
>>>   for API compatibility)
>>> * The code has also changed quite a bit since v7.36 (The next release
>>>   will be 7.41)
>>
>> Steve, thanks a lot for the quick response! Those are great comments.
>
> No problem.
>
>> Let me try to put together a change with what you mentioned.
>
> Sounds good - I look forward to seeing your proposed changes.
>
>> In that case CURLOPT_SERVICE_NAME makes more sense. For negotiate/Kerberos,
>> we let libcurl append the host name to generate the SPN as servicename/host.
>
> Ah - right. Yes - I see your point.
>
> Some more random thoughts from me this evening...
>
> I wouldn't recommend replacing CURLOPT_SOCKS5_GSSAPI_SERVICE with
> CURLOPT_SERVICE_NAME as Socks 5 is used as a proxy and a curl user / libcurl
> programmer might want to set both the proxy and the protocol service name.
>
> As such I would recommend something like:
>
> * libcurl - replace CURLOPT_SOCKS5_GSSAPI_SERVICE with
>   CURLOPT_PROXY_SERVICE_NAME as it can then be used for HTTP proxy with
>   Kerberos/SPNEGO/Digest and keep CURLOPT_SOCKS5_GSSAPI_SERVICE for
>   backwards API compatibility
> * libcurl - add CURLOPT_SERVICE_NAME as new value
> * curl - replace --socks5-gssapi-service with --proxy-service-name and add
>   --socks5-gssapi-service as an alias
> * curl - add support for --service-name as a new argument
>
> Kind Regards
>
> Steve
RE: How to set service name for SPNEGO?
On Tue, 17 Feb 2015, Wenlong Dong wrote:

>> * I'd rather support this across all of our mechanisms that use a SPN
>>   (such as Socks 5, SPNEGO, Kerberos, Digest) in each of the GSS-API,
>>   SSPI and Native implementations
>> * Possibly deprecate CURLOPT_SOCKS5_GSSAPI_SERVICE (I would suggest a new
>>   CURLOPT_SERVICE_NAME or CURLOPT_SPN, etc... option with the same value
>>   for API compatibility)
>> * The code has also changed quite a bit since v7.36 (The next release
>>   will be 7.41)
>
> Steve, thanks a lot for the quick response! Those are great comments.

No problem.

> Let me try to put together a change with what you mentioned.

Sounds good - I look forward to seeing your proposed changes.

> In that case CURLOPT_SERVICE_NAME makes more sense. For negotiate/Kerberos,
> we let libcurl append the host name to generate the SPN as servicename/host.

Ah - right. Yes - I see your point.

Some more random thoughts from me this evening...

I wouldn't recommend replacing CURLOPT_SOCKS5_GSSAPI_SERVICE with CURLOPT_SERVICE_NAME as Socks 5 is used as a proxy and a curl user / libcurl programmer might want to set both the proxy and the protocol service name. As such I would recommend something like:

* libcurl - replace CURLOPT_SOCKS5_GSSAPI_SERVICE with CURLOPT_PROXY_SERVICE_NAME as it can then be used for HTTP proxy with Kerberos/SPNEGO/Digest and keep CURLOPT_SOCKS5_GSSAPI_SERVICE for backwards API compatibility
* libcurl - add CURLOPT_SERVICE_NAME as new value
* curl - replace --socks5-gssapi-service with --proxy-service-name and add --socks5-gssapi-service as an alias
* curl - add support for --service-name as a new argument

Kind Regards

Steve
Re: How to set service name for SPNEGO?
Steve, thanks a lot for the quick response! Those are great comments. Let me try to put together a change with what you mentioned.

In that case CURLOPT_SERVICE_NAME makes more sense. For negotiate/Kerberos, we let libcurl append the host name to generate the SPN as servicename/host.

On Tue, Feb 17, 2015 at 10:27 AM, Steve Holme steve_ho...@hotmail.com wrote:
> On Tue, 17 Feb 2015, Steve Holme wrote:
>
>> As you have found out it isn't too hard to do this. However,
>>
>> * I'd rather support this across all of the server name authentication
>>   mechanisms
>> * Possibly deprecate CURLOPT_SOCKS5_GSSAPI_SERVICE
>> * The code hasn't also changed quite a bit since v7.36
>
> My apologies - What I meant to say was:
>
> * I'd rather support this across all of our mechanisms that use a SPN
>   (such as Socks 5, SPNEGO, Kerberos, Digest) in each of the GSS-API, SSPI
>   and Native implementations
> * Possibly deprecate CURLOPT_SOCKS5_GSSAPI_SERVICE (I would suggest a new
>   CURLOPT_SERVICE_NAME or CURLOPT_SPN, etc... option with the same value
>   for API compatibility)
> * The code has also changed quite a bit since v7.36 (The next release will
>   be 7.41)
>
> Sorry for any confusion but I wrote my previous email rather quickly this
> morning as I was trying to get out the door for an appointment at the
> hospital :(
>
> Kind Regards
>
> Steve
RE: How to set service name for SPNEGO?
On Tue, 17 Feb 2015, Steve Holme wrote:

> As you have found out it isn't too hard to do this. However,
>
> * I'd rather support this across all of the server name authentication
>   mechanisms
> * Possibly deprecate CURLOPT_SOCKS5_GSSAPI_SERVICE
> * The code hasn't also changed quite a bit since v7.36

My apologies - What I meant to say was:

* I'd rather support this across all of our mechanisms that use a SPN (such as Socks 5, SPNEGO, Kerberos, Digest) in each of the GSS-API, SSPI and Native implementations
* Possibly deprecate CURLOPT_SOCKS5_GSSAPI_SERVICE (I would suggest a new CURLOPT_SERVICE_NAME or CURLOPT_SPN, etc... option with the same value for API compatibility)
* The code has also changed quite a bit since v7.36 (The next release will be 7.41)

Sorry for any confusion but I wrote my previous email rather quickly this morning as I was trying to get out the door for an appointment at the hospital :(

Kind Regards

Steve
RE: How to set service name for SPNEGO?
On Tue, 17 Feb 2015, Wenlong Dong wrote:

> I investigated this further and could not find out a good way to set the
> service identity/name.

Unfortunately there isn't at the moment - not at least for the HTTP or SASL based protocols. The closest we have to it at the moment is CURLOPT_SOCKS5_GSSAPI_SERVICE.

> So I went ahead and created this simple diff http://www.pastebin.ca/2929587
> on top of libcurl version 7.36.0. Basically I added a new curl option
> CURLOPT_NEGOTIATE_SERVICE_IDENTITY for people to specify a custom service
> identity. Could this feature be added to libcurl?

As you have found out it isn't too hard to do this. However,

* I'd rather support this across all of the server name authentication mechanisms
* Possibly deprecate CURLOPT_SOCKS5_GSSAPI_SERVICE
* The code hasn't also changed quite a bit since v7.36

Are you able to help us out and work on such a feature?

Kind Regards

Steve
Re: How to set service name for SPNEGO?
I investigated this further and could not find out a good way to set the service identity/name. So I went ahead and created this simple diff http://www.pastebin.ca/2929587 on top of libcurl version 7.36.0. Basically I added a new curl option CURLOPT_NEGOTIATE_SERVICE_IDENTITY for people to specify a custom service identity. Could this feature be added to libcurl?

Best regards,
-Wenlong

On Mon, Feb 16, 2015 at 8:42 AM, Wenlong Dong wdon...@gmail.com wrote:
> Hi,
>
> Is there a way to set a custom service name for SPNEGO? I have a service
> deployed with a custom service principal which does not have HTTP as the
> service name, for example, foo.service/hostname@realm. Is it possible to
> configure this name from libcurl?
>
> I checked http.c and found this code:
>
>   if(neg_ctx->server_name == NULL &&
>      (ret = get_gss_name(conn, proxy, &neg_ctx->server_name)))
>     return ret;
>
> Is this neg_ctx->server_name settable from a CURLOPT_* option?
>
> Any help would be highly appreciated!
>
> Best regards,
> -Wenlong