
Re: RE: Proxy authentication with Negotiate uses wrong host

From: <1983-01-06_at_gmx.net>
Date: Wed, 24 Aug 2011 12:08:49 +0200


> > -----Original Message-----
> > From: 1983-01-06_at_gmx.net [mailto:1983-01-06_at_gmx.net]
> > Sent: woensdag 24 augustus 2011 10:47
> > To: users_at_subversion.apache.org
> > Subject: Re: Proxy authentication with Negotiate uses wrong host
> >
> > > On Wed, Aug 24, 2011 at 09:25:49AM +0200, 1983-01-06_at_gmx.net wrote:
> > > > I'll do but why is Negotiate auth activated in session.c if the target
> > > > host is SSL only? This should be on the user to decide not subversion.
> > >
> > > I don't know who made this decision and why.
> > > Maybe svn blame on that file leads to more info?
> >
> > I checked blame already. There was a rather long explanation but still no
> > argument to me.
> The Subversion parts of this code were written when neon only supported
> NTLM via Negotiate. NTLM is known to be insecure when not used over https.

I am aware of that. That's why I want to use Kerberos in the first place.
> Then somebody added Kerberos support to neon, but the api wasn't updated
> to allow different behavior for the specific implementations.
> As Stefan already noted: this discussion belongs on the neon mailing list.
> Once neon supports the necessary hooks/apis to enable Negotiate for the
> secure protocols we can enable them in Subversion.
> (Or maybe neon can just enable the safe protocols all the time?)

Are you suggesting to file another ticket for that?

I would file two:

1. Subversion passes wrong hostname to build the SPN. (Have neon debug output).
2. Allow user to use any auth on any http scheme. Transport security should be user's concern, not subversion's one.


Received on 2011-08-25 08:03:10 CEST

This is an archived mail posted to the Subversion Dev mailing list.
