According to RFC 2617, the server may either send multiple WWW-Authenticate Headers or a single WWW-Authenticate Header with multiple challenges. In such a case, it is advisable to select the most secure protocol known by the client for authentication.
Wget, however, uses only the first challenge it sees and begins sending the challenge response. This can be easily replicated through the Test-auth-both test in the new Test Environment I'm writing and is available at: https://www.github.com/darnir/wget-gsoc

My question is, are we interested in fixing this or do we just let it be?

--
Thanking You,
Darshit Shah
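
The selection step RFC 2617 recommends, as an added example that is not code from Wget or from the message above: it collects every challenge, whether sent as separate WWW-Authenticate headers or as one comma-separated header, and returns the strongest scheme the client knows. The function names and the Basic < Digest ranking are assumptions made for the illustration.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* Assumed preference order, weakest first; schemes not listed rank 0. */
static const char *const RANKED[] = { "Basic", "Digest" };

static int scheme_rank(const char *s, size_t len) {
    for (size_t i = 0; i < sizeof RANKED / sizeof *RANKED; i++)
        if (strlen(RANKED[i]) == len && strncasecmp(s, RANKED[i], len) == 0)
            return (int)i + 1;
    return 0;
}

static int is_token_char(int c) {
    return c != 0 && (isalnum(c) || strchr("!#$%&'*+-.^_`|~", c) != NULL);
}

static const char *skip_ws(const char *p) {
    while (*p == ' ' || *p == '\t') p++;
    return p;
}

/* Strongest known scheme across all WWW-Authenticate values, or NULL. A token at
   the start or after a comma, not followed by '=', is a scheme; else a param. */
const char *pick_auth_scheme(const char *const *headers, size_t n) {
    int best = 0;
    for (size_t i = 0; i < n; i++) {
        int after_comma = 1;
        for (const char *p = headers[i]; *p; after_comma = 0) {
            for (; *p == ',' || *p == ' ' || *p == '\t'; p++)
                if (*p == ',') after_comma = 1;
            const char *tok = p;
            while (is_token_char((unsigned char)*p)) p++;
            size_t len = (size_t)(p - tok);
            if (len && *skip_ws(p) == '=') {      /* auth-param: skip its value */
                p = skip_ws(skip_ws(p) + 1);
                if (*p == '"') {                  /* quoted-string may hold commas */
                    for (p++; *p && *p != '"'; p++)
                        if (*p == '\\' && p[1]) p++;
                    if (*p) p++;
                } else while (*p && *p != ',' && *p != ' ' && *p != '\t') p++;
            } else if (len && after_comma) {
                if (scheme_rank(tok, len) > best) best = scheme_rank(tok, len);
            } else if (!len && *p) p++;           /* skip an unexpected byte */
        }
    }
    return best ? RANKED[best - 1] : NULL;
}
```

A client built this way answers Digest even when the server lists Basic first, so credentials are not sent in cleartext-equivalent form merely because of header ordering.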
