[PATCH] Fix SPNEGO interoperability with servers implementing RFC2478

Nico Williams nico at cryptonector.com
Mon Aug 4 17:03:07 EDT 2014


On Mon, Aug 04, 2014 at 08:30:46PM +0100, David Woodhouse wrote:
> On Mon, 2014-08-04 at 14:27 -0500, Nico Williams wrote:
> > On Mon, Aug 04, 2014 at 08:20:08PM +0100, David Woodhouse wrote:
> > > On Mon, 2014-08-04 at 14:01 -0500, Nico Williams wrote:
> > > > You should be able to 
> > > 
> > > ... patch every application in the system, including third party apps
> > > like Google Chrome, to ...
> > > 
> > > > gss_set_neg_mechs() to disable offering mechanisms you can't / don't
> > > > want to use.
> > > 
> > > :(
> > 
> > Yeah, we have a problem :(
> > 
> > One option might be to require calling gss_set_neg_mechs() to enable
> > offering mechanisms other than Kerberos and NTLM.  Greg?
> 
> Perhaps. But it's still a workaround. And I do have cases where I
> actually need to fall back from Kerberos to NTLM. Thus still leaving me
> with the *real* problem that SPNEGO isn't interoperating properly...

To help any further I'd have to swap in the RFC4178 background.

I thought these issues had been addressed in the RFC.  Without swapping
all that state back in I'd suspect that MIT doesn't implement it
correctly.

