> -----Original Message-----
> From: 1983-01...@gmx.net [mailto:1983-01...@gmx.net]
> Sent: Wednesday 24 August 2011 10:47
> To: users@subversion.apache.org
> Subject: Re: Proxy authentication with Negotiate uses wrong host
> 
> > On Wed, Aug 24, 2011 at 09:25:49AM +0200, 1983-01...@gmx.net wrote:
> > > I'll do but why is Negotiate auth activated in session.c if the target
> > > host is ssl only? This should be on the user to decide, not Subversion.
> >
> > I don't know who made this decision and why.
> > Maybe svn blame on that file leads to more info?
> 
> I checked blame already. There was a rather long explanation but still no
> argument to me.

The Subversion parts of this code were written when neon only supported NTLM 
via Negotiate. NTLM is known to be insecure when not used over https.

Then somebody added Kerberos support to neon, but the API wasn't updated to
allow different behavior for the specific implementations.

As Stefan already noted: this discussion belongs on the neon mailing list. Once
neon supports the necessary hooks/APIs to enable Negotiate for the secure
protocols we can enable them in Subversion.
(Or maybe neon can just enable the safe protocols all the time?)


@serf developers: This should probably be handled in serf too.

        Bert 
