RE: Proxy authentication with Negotiate uses wrong host

> -----Original Message-----
> From: 1983-01-06_at_gmx.net [mailto:1983-01-06_at_gmx.net]
> Sent: woensdag 24 augustus 2011 10:47
> To: users_at_subversion.apache.org
> Subject: Re: Proxy authentication with Negotiate uses wrong host
>
> > On Wed, Aug 24, 2011 at 09:25:49AM +0200, 1983-01-06_at_gmx.net wrote:
> > > I'll do but why is Negotiate auth activated in session.c if the target
> > host is ssy only? This should be on the user to decide not subversion.
> >
> > I don't know who made this decision and why.
> > Maybe svn blame on that file leads to more info?
>
> I checked blame already. There was a rather long explanation but still no
> argument to me.

The Subversion parts of this code were written when neon only supported NTLM via Negotiate. NTLM is known to be insecure when not used over https.

Then somebody added Kerberos support to neon, but the api wasn't updated to allow different behavior for the specific implementations.

As Stefan already noted: this discussion belongs on the neon mailinglist. Once neon supports the necessary hooks/apis to enable Negotiate for the secure protocols we can enable them in Subversion.
(Or maybe neon can just enable the safe protocols all the time?)

@serf developers: This should probably be handled in serf too.

        Bert
Received on 2011-08-24 11:53:28 CEST