[PATCH] Fix SPNEGO interoperability with servers implementing RFC2478
nico at cryptonector.com
Mon Aug 4 17:03:07 EDT 2014
On Mon, Aug 04, 2014 at 08:30:46PM +0100, David Woodhouse wrote:
> On Mon, 2014-08-04 at 14:27 -0500, Nico Williams wrote:
> > On Mon, Aug 04, 2014 at 08:20:08PM +0100, David Woodhouse wrote:
> > > On Mon, 2014-08-04 at 14:01 -0500, Nico Williams wrote:
> > > > You should be able to
> > >
> > > ... patch every application in the system, including third party apps
> > > like Google Chrome, to ...
> > >
> > > > gss_set_neg_mechs() to disable offering mechanisms you can't / don't
> > > > want to use.
> > >
> > > :(
> > Yeah, we have a problem :(
> > One option might be to require calling gss_set_neg_mechs() to enable
> > offering mechanisms other than Kerberos and NTLM. Greg?
> Perhaps. But it's still a workaround. And I do have cases where I
> actually need to fall back from Kerberos to NTLM. Thus still leaving me
> with the *real* problem that SPNEGO isn't interoperating properly...
To help any further I'd have to swap in the RFC4178 background.
I thought these issues had been addressed in the RFC. Without swapping
all that state back in I'd suspect that MIT doesn't implement it
More information about the krbdev