subversion-users mailing list archives

From "Bert Huijben" <b...@qqmail.nl>
Subject RE: Proxy authentication with Negotiate uses wrong host
Date Wed, 24 Aug 2011 09:52:45 GMT

> -----Original Message-----
> From: 1983-01-06@gmx.net [mailto:1983-01-06@gmx.net]
> Sent: Wednesday 24 August 2011 10:47
> To: users@subversion.apache.org
> Subject: Re: Proxy authentication with Negotiate uses wrong host
> 
> > On Wed, Aug 24, 2011 at 09:25:49AM +0200, 1983-01-06@gmx.net wrote:
> > > I'll do but why is Negotiate auth activated in session.c if the target
> > > host is ssy only? This should be on the user to decide not subversion.
> >
> > I don't know who made this decision and why.
> > Maybe svn blame on that file leads to more info?
> 
> I checked blame already. There was a rather long explanation but still no
> argument to me.

The Subversion parts of this code were written when neon only supported NTLM via Negotiate.
NTLM is known to be insecure when not used over https.

Then somebody added Kerberos support to neon, but the API wasn't updated to allow different
behavior for the specific implementations.

As Stefan already noted: this discussion belongs on the neon mailing list. Once neon supports
the necessary hooks/APIs to enable Negotiate for the secure protocols we can enable them in
Subversion.
(Or maybe neon can just enable the safe protocols all the time?)


@serf developers: This should probably be handled in serf too.

	Bert 

