Reflect recent changes in SPNEGO and GSS-API code in the docs.
Update them with appropriate namings and remove visible spots for
GSS-Negotiate.
POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.
libcurl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading,
- kerberos, HTTP form based upload, proxies, cookies, user+password
+ Kerberos, SPNEGO, HTTP form based upload, proxies, cookies, user+password
authentication, file transfer resume, http proxy tunneling and more!
libcurl is highly portable, it builds and works identically on numerous
- platforms, including Solaris, NetBSD, FreeBSD, OpenBSD, Darwin, HPUX,
+ platforms, including Solaris, NetBSD, FreeBSD, OpenBSD, Darwin, HP-UX,
IRIX, AIX, Tru64, Linux, UnixWare, HURD, Windows, Amiga, OS/2, BeOS, Mac
OS X, Ultrix, QNX, OpenVMS, RISC OS, Novell NetWare, DOS, Symbian, OSF,
Android, Minix, IBM TPF and more...
- POST
- Pipelining
- multipart formpost (RFC1867-style)
- - authentication: Basic, Digest, NTLM (*9), Negotiate (*3) and to server and
- proxy
+ - authentication: Basic, Digest, NTLM (*9) and Negotiate (SPNEGO) (*3)
+ to server and proxy
- resume (both GET and PUT)
- follow redirects
- maximum amount of redirects to follow
- download
- authentication
- kerberos4 (*5)
- - kerberos5 (*3)
+ - Kerberos 5 (*14)
- active/passive using PORT, EPRT, PASV or EPSV
- single file size information (compare to HTTP HEAD)
- 'type=' URL support
*1 = requires OpenSSL, GnuTLS, NSS, yassl, axTLS, PolarSSL, WinSSL (native
Windows), Secure Transport (native iOS/OS X) or qssl (native IBM i)
*2 = requires OpenLDAP
- *3 = requires a GSSAPI-compliant library, such as Heimdal or similar
+ *3 = requires a GSS-API implementation (such as Heimdal or MIT Kerberos) or
+ SSPI (native Windows)
*4 = requires nghttp2 and possibly a recent TLS library
*5 = requires a krb4 library, such as the MIT one or similar
*6 = requires c-ares
*12 = requires libz
*13 = requires libmetalink, and either an Apple or Microsoft operating
system, or OpenSSL, or GnuTLS, or NSS
+ *14 = requires a GSS-API implementation (such as Heimdal or MIT Kerberos)
acknowledged after the actual TCP connect (during the SOCKS "negotiate"
phase).
-10. To get HTTP Negotiate authentication to work fine, you need to provide a
- (fake) user name (this concerns both curl and the lib) because the code
- wrongly only considers authentication if there's a user name provided.
+10. To get HTTP Negotiate (SPNEGO) authentication to work fine, you need to
+ provide a (fake) user name (this concerns both curl and the lib) because the
+ code wrongly only considers authentication if there's a user name provided.
http://curl.haxx.se/bug/view.cgi?id=440 How?
http://curl.haxx.se/mail/lib-2004-08/0182.html
curl -u name:passwd http://machine.domain/full/path/to/file
HTTP offers many different methods of authentication and curl supports
- several: Basic, Digest, NTLM and Negotiate. Without telling which method to
- use, curl defaults to Basic. You can also ask curl to pick the most secure
- ones out of the ones that the server accepts for the given URL, by using
- --anyauth.
+ several: Basic, Digest, NTLM and Negotiate (SPNEGO). Without telling which
+ method to use, curl defaults to Basic. You can also ask curl to pick the
+ most secure ones out of the ones that the server accepts for the given URL,
+ by using --anyauth.
NOTE! According to the URL specification, HTTP URLs can not contain a user
and password, so that style will not work when using curl via a proxy, even
.\" *
.\" **************************************************************************
.\"
-.TH curl 1 "27 July 2012" "Curl 7.27.0" "Curl Manual"
+.TH curl 1 "2 Aug 2014" "Curl 7.38.0" "Curl Manual"
.SH NAME
curl \- transfer a URL
.SH SYNOPSIS
should be one of 'clear', 'safe', 'confidential', or 'private'. Should you use
a level that is not one of these, 'private' will instead be used.
-This option requires a library built with kerberos4 or GSSAPI
-(GSS-Negotiate) support. This is not very common. Use \fI-V, --version\fP to
-see if your curl supports it.
+This option requires a library built with kerberos4 support. This is not
+very common. Use \fI-V, --version\fP to see if your curl supports it.
If this option is used several times, the last one will be used.
.IP "-l, --list-only"
\fBoptional\fP and not mandatory as the \fI--netrc\fP option does.
.IP "--negotiate"
-(HTTP) Enables GSS-Negotiate authentication. The GSS-Negotiate method was
-designed by Microsoft and is used in their web applications. It is primarily
-meant as a support for Kerberos5 authentication but may be also used along
-with another authentication method. For more information see IETF draft
-draft-brezak-spnego-http-04.txt.
+(HTTP) Enables Negotiate (SPNEGO) authentication.
-If you want to enable Negotiate for your proxy authentication, then use
+If you want to enable Negotiate (SPNEGO) for proxy authentication, then use
\fI--proxy-negotiate\fP.
-This option requires a library built with GSSAPI support. This is
-not very common. Use \fI-V, --version\fP to see if your version supports
-GSS-Negotiate.
+This option requires a library built with GSS-API or SSPI support. Use \fI-V,
+--version\fP to see if your curl supports GSS-API/SSPI and SPNEGO.
When using this option, you must also provide a fake \fI-u, --user\fP option to
activate the authentication code properly. Sending a '-u :' is enough as the
Tells curl to use HTTP Digest authentication when communicating with the given
proxy. Use \fI--digest\fP for enabling HTTP Digest with a remote host.
.IP "--proxy-negotiate"
-Tells curl to use HTTP Negotiate authentication when communicating
-with the given proxy. Use \fI--negotiate\fP for enabling HTTP Negotiate
+Tells curl to use HTTP Negotiate (SPNEGO) authentication when communicating
+with the given proxy. Use \fI--negotiate\fP for enabling HTTP Negotiate (SPNEGO)
with a remote host. (Added in 7.17.1)
.IP "--proxy-ntlm"
Tells curl to use HTTP NTLM authentication when communicating with the given
sockd/real-name would use sockd/real-name for cases where the proxy-name does
not match the principal name. (Added in 7.19.4).
.IP "--socks5-gssapi-nec"
-As part of the gssapi negotiation a protection mode is negotiated. RFC 1961
+As part of the GSS-API negotiation a protection mode is negotiated. RFC 1961
says in section 4.3/4.4 it should be protected, but the NEC reference
implementation does not. The option \fI--socks5-gssapi-nec\fP allows the
unprotected exchange of the protection mode negotiation. (Added in 7.19.4).
Automatic decompression of compressed files over HTTP is supported.
.IP "NTLM"
NTLM authentication is supported.
-.IP "GSS-Negotiate"
-Negotiate authentication and krb5 for FTP is supported.
.IP "Debug"
This curl uses a libcurl built with Debug. This enables more error-tracking
and memory debugging etc. For curl-developers only!
.IP "AsynchDNS"
This curl uses asynchronous name resolves.
.IP "SPNEGO"
-SPNEGO Negotiate authentication is supported.
+SPNEGO authentication is supported.
.IP "Largefile"
This curl supports transfers of large files, files larger than 2GB.
.IP "IDN"
This curl supports IDN - international domain names.
+.IP "GSS-API"
+GSS-API is supported.
.IP "SSPI"
-SSPI is supported. If you use Negotiate or NTLM authentication and set a blank
-user name, curl will authenticate with your current user and password.
+SSPI is supported.
.IP "TLS-SRP"
SRP (Secure Remote Password) authentication is supported for TLS.
.IP "Metalink"
.\" *
.\" **************************************************************************
.\"
-.TH curl_version_info 3 "18 Feb 2014" "libcurl 7.33.0" "libcurl Manual"
+.TH curl_version_info 3 "2 Aug 2014" "libcurl 7.38.0" "libcurl Manual"
.SH NAME
curl_version_info - returns run-time libcurl version info
.SH SYNOPSIS
letters. (Added in 7.12.0)
.IP CURL_VERSION_SSPI
libcurl was built with support for SSPI. This is only available on Windows and
-makes libcurl use Windows-provided functions for NTLM authentication. It also
-allows libcurl to use the current user and the current user's password without
+makes libcurl use Windows-provided functions for NTLM, SPNEGO and SASL DIGEST-MD5
+authentication. It also allows libcurl to use the current user credentials without
the app having to pass them on. (Added in 7.13.2)
+.IP CURL_VERSION_GSSAPI
+libcurl was built with support for GSS-API. This makes libcurl use provided
+functions for Kerberos and SPNEGO authentication. It also allows libcurl
+to use the current user credentials without the app having to pass them on.
+(Added in 7.38.0)
.IP CURL_VERSION_CONV
libcurl was built with support for character conversions, as provided by the
CURLOPT_CONV_* callbacks. (Added in 7.15.4)
.\" *
.\" **************************************************************************
.\"
-.TH libcurl-tutorial 3 "4 Mar 2009" "libcurl" "libcurl programming"
+.TH libcurl-tutorial 3 "2 Aug 2014" "libcurl" "libcurl programming"
.SH NAME
libcurl-tutorial \- libcurl programming tutorial
.SH "Objective"
password in clear-text in the HTTP request, base64-encoded. This is insecure.
At the time of this writing, libcurl can be built to use: Basic, Digest, NTLM,
-Negotiate, GSS-Negotiate and SPNEGO. You can tell libcurl which one to use
+Negotiate (SPNEGO). You can tell libcurl which one to use
with \fICURLOPT_HTTPAUTH(3)\fP as in:
curl_easy_setopt(easyhandle, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST);
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_HTTPAUTH 3 "19 Jun 2014" "libcurl 7.37.0" "curl_easy_setopt options"
+.TH CURLOPT_HTTPAUTH 3 "2 Aug 2014" "libcurl 7.38.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_HTTPAUTH \- set HTTP server authentication methods to try
.SH SYNOPSIS
networks than the regular old-fashioned Basic method. The IE flavor is simply
that libcurl will use a special "quirk" that IE is known to have used before
version 7 and that some servers require the client to use.
-.IP CURLAUTH_GSSNEGOTIATE
-HTTP GSS-Negotiate authentication. The GSS-Negotiate (also known as plain
-\&"Negotiate") method was designed by Microsoft and is used in their web
-applications. It is primarily meant as a support for Kerberos5 authentication
-but may also be used along with other authentication methods. For more
-information see IETF draft draft-brezak-spnego-http-04.txt.
+.IP CURLAUTH_NEGOTIATE
+HTTP Negotiate (SPNEGO) authentication. Negotiate authentication is defined
+in RFC 4559 and is the most secure way to perform authentication over HTTP.
-You need to build libcurl with a suitable GSS-API library for this to work.
+You need to build libcurl with a suitable GSS-API library or SSPI on Windows
+for this to work.
.IP CURLAUTH_NTLM
HTTP NTLM authentication. A proprietary protocol invented and used by
Microsoft. It uses a challenge-response and hash concept similar to Digest, to
CURLAUTH_BASIC 7.10.6
CURLAUTH_DIGEST 7.10.6
CURLAUTH_DIGEST_IE 7.19.3
-CURLAUTH_GSSNEGOTIATE 7.10.6
+CURLAUTH_GSSNEGOTIATE 7.10.6 7.38.0
CURLAUTH_NEGOTIATE 7.38.0
CURLAUTH_NONE 7.10.6
CURLAUTH_NTLM 7.10.6
projects / curl / commitdiff