
RE: Proxy authentication with Negotiate uses wrong host

From: Greg Hudson <ghudson_at_MIT.EDU>
Date: Wed, 24 Aug 2011 07:28:37 -0400

On Wed, 2011-08-24 at 05:52 -0400, Bert Huijben wrote:
> Then somebody added Kerberos support to neon, but the api wasn't
> updated to allow different behavior for the specific implementations.

Kerberos via HTTP negotiate is also insecure when not used over HTTPS.
In HTTP negotiate, the GSSAPI mechanism (Kerberos) isn't used to protect
the data stream, only to authenticate. So you still need a secure
channel.

(Also, negotiate auth does no channel binding, which means Kerberos
provides no additional protection against MITM attacks on the TLS
channel. That just means it's still important for the client to verify
the server cert. I've heard that Microsoft has some extensions to RFC
4559 to do channel binding, but I don't know any details and Neon almost
certainly doesn't have any support for it.)
Received on 2011-08-24 13:29:32 CEST
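The two properties Greg describes above, shown as an added example that is not part of the original thread and not Neon or Subversion code: a toy model of the HTTP Negotiate exchange (RFC 4559) in which the GSS token authenticates the client but leaves the request body unprotected, so an on-path attacker that terminates TLS with its own certificate (accepted by a client that does not verify certs) reads the body and relays the token to the real server; adding RFC 5929 tls-server-end-point channel binding, a hash of the server certificate the client actually saw mixed into the authenticator, makes that relay fail. The shared session key, the certificates, the principal names and the JSON token format are constructed stand-ins for Kerberos and are labelled as such in the code.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the Kerberos session key shared by the client and the
# HTTP service principal. Real GSS-API tokens come from a KDC; this is a toy.
SESSION_KEY = b"constructed-session-key-not-real-kerberos"

# Constructed stand-in certificates (real ones are DER; any distinct bytes do here).
REAL_SERVER_CERT = b"constructed cert for HTTP/svn.example.test"
ATTACKER_CERT = b"constructed cert presented by an on-path attacker"

# Constructed DAV request body, the kind of thing an svn client sends after auth.
BODY = b'<?xml version="1.0"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>'


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 tls-server-end-point binding: a hash of the server certificate."""
    return hashlib.sha256(cert_der).digest()


def gss_init_sec_context(client: str, service: str, channel_binding: bytes = b"") -> str:
    """Toy replacement for GSS_Init_sec_context: an authenticator over the names
    plus (optionally) the channel binding, MACed with the session key.
    Note what it does NOT cover: anything about the HTTP request that follows."""
    fields = {"client": client, "service": service, "cb": channel_binding.hex()}
    msg = json.dumps(fields, sort_keys=True).encode()
    fields["mac"] = hmac.new(SESSION_KEY, msg, "sha256").hexdigest()
    return base64.b64encode(json.dumps(fields, sort_keys=True).encode()).decode()


def gss_accept_sec_context(token: str, server_cert: bytes, require_cb: bool):
    """Toy replacement for GSS_Accept_sec_context on the server side.
    Returns the authenticated client name, or None on failure."""
    try:
        fields = json.loads(base64.b64decode(token))
    except ValueError:
        return None
    if not isinstance(fields, dict):
        return None
    mac = fields.pop("mac", None)
    msg = json.dumps(fields, sort_keys=True).encode()
    expected = hmac.new(SESSION_KEY, msg, "sha256").hexdigest()
    if mac is None or not hmac.compare_digest(mac, expected):
        return None
    if fields.get("service") != "HTTP/svn.example.test":
        return None
    if require_cb and bytes.fromhex(fields.get("cb", "")) != tls_server_end_point(server_cert):
        return None  # token was bound to a different TLS endpoint than this server
    return fields.get("client")


def http_request(token: str, body: bytes) -> bytes:
    """Assemble the request the client sends inside TLS."""
    return (b"PROPFIND /svn/repo/trunk HTTP/1.1\r\nHost: svn.example.test\r\n"
            b"Authorization: Negotiate " + token.encode() + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def parse_request(raw: bytes):
    """Return (negotiate_token or None, body) from a raw request."""
    head, body = raw.split(b"\r\n\r\n", 1)
    token = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b": ")
        if name.lower() == b"authorization" and value.startswith(b"Negotiate "):
            token = value[len(b"Negotiate "):].decode()
    return token, body


def server_handle(raw: bytes, require_cb: bool):
    """Real server: verify the token; only then act on the body."""
    token, body = parse_request(raw)
    if token is None:
        return None
    principal = gss_accept_sec_context(token, REAL_SERVER_CERT, require_cb)
    return None if principal is None else (principal, body)


def direct_session(require_cb: bool):
    """Client talks to the real server and binds the token to the cert it saw."""
    cb = tls_server_end_point(REAL_SERVER_CERT) if require_cb else b""
    token = gss_init_sec_context("bert@EXAMPLE.TEST", "HTTP/svn.example.test", cb)
    return server_handle(http_request(token, BODY), require_cb)


def mitm_session(require_cb: bool):
    """Client skips cert verification, so it accepts the attacker's TLS endpoint.
    The attacker decrypts, reads and relays the request verbatim to the real
    server. Returns (body as seen by the attacker, real server's result)."""
    cb = tls_server_end_point(ATTACKER_CERT) if require_cb else b""  # cert the client actually saw
    token = gss_init_sec_context("bert@EXAMPLE.TEST", "HTTP/svn.example.test", cb)
    raw = http_request(token, BODY)
    _, seen_body = parse_request(raw)  # plaintext after TLS termination; GSS did not encrypt it
    return seen_body, server_handle(raw, require_cb)
```

Without channel binding the relayed request is accepted as the victim's principal, and in both cases the attacker reads the body, which is why a verified TLS certificate remains the only thing protecting the data stream. With binding, the attacker sees the body of the one request but the real server rejects the token, since it was bound to the attacker's certificate rather than its own.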

This is an archived mail posted to the Subversion Dev mailing list.