Jeff King <p...@peff.net> writes:

> The auto mode may incur an extra round-trip over setting
> http.emptyauth=true, because part of the emptyauth hack is
> to feed this blank password to curl even before we've made a
> single request.

IOW, people who care about an extra round-trip have this workaround,
which is good.

This, along with the possible security implications, may want to be
added to the documentation but that is outside the topic of this
change, and I think we would want to see such an update come from
those who actually use NTLM (or Kerberos, but they know they have
minimum security implications).

> +#ifndef LIBCURL_CAN_HANDLE_AUTH_ANY
> +     /*
> +      * Our libcurl is too old to do AUTH_ANY in the first place;
> +      * just default to turning the feature off.
> +      */
> +#else
> +     /*
> +      * In the automatic case, kick in the empty-auth
> +      * hack as long as we would potentially try some
> +      * method more exotic than "Basic" or "Digest".
> +      *
> +      * But only do this when this is our second or
> +      * subsequent * request, as by then we know what

I'll drop the '*' that you left while line-wrapping ;-)

> +      * methods are available.
> +      */
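
Review bot: The `#ifndef LIBCURL_CAN_HANDLE_AUTH_ANY` branch holds only a comment and no statement, so the "turning the feature off" it describes must come from code outside the lines quoted here. Consider testing `#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY` instead and moving the old-libcurl remark next to the statement that actually supplies the default, so the empty branch does not leave a reader guessing. The second comment could also name the methods meant by "more exotic than Basic or Digest", since that wording decides when a blank credential is offered.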

Thanks.  This looks good.
