
RE: Proxy authentication with Negotiate uses wrong host

From: Bert Huijben <bert_at_qqmail.nl>
Date: Wed, 24 Aug 2011 11:52:45 +0200

> -----Original Message-----
> From: 1983-01-06_at_gmx.net [mailto:1983-01-06_at_gmx.net]
> Sent: woensdag 24 augustus 2011 10:47
> To: users_at_subversion.apache.org
> Subject: Re: Proxy authentication with Negotiate uses wrong host
> > On Wed, Aug 24, 2011 at 09:25:49AM +0200, 1983-01-06_at_gmx.net wrote:
> > > I'll do but why is Negotiate auth activated in session.c if the target
> > > host is ssl only? This should be on the user to decide, not subversion.
> >
> > I don't know who made this decision and why.
> > Maybe svn blame on that file leads to more info?
> I checked blame already. There was a rather long explanation but still no
> argument to me.

The Subversion parts of this code were written when neon only supported NTLM via Negotiate. NTLM is known to be insecure when not used over https.

Then somebody added Kerberos support to neon, but the API wasn't updated to allow different behavior for the specific implementations.

As Stefan already noted: this discussion belongs on the neon mailing list. Once neon supports the necessary hooks/APIs to enable Negotiate for the secure protocols we can enable them in Subversion.
(Or maybe neon can just enable the safe protocols all the time?)

@serf developers: This should probably be handled in serf too.

Received on 2011-08-24 11:53:28 CEST

This is an archived mail posted to the Subversion Dev mailing list.