From: Junio C Hamano [mailto:jch2...@gmail.com] On Behalf Of Junio C Hamano
> Enrique Tobis <enrique.to...@twosigma.com> writes: >> Hey! >> >> I'm really sorry to hear that. >> >> That change should enable more forms of authentication with your >> proxy, but it does cause libcurl to choose the one it finds most >> secure, according to the docs >> (http://curl.haxx.se/libcurl/c/CURLOPT_HTTPAUTH.html) What kinds of >> authentication does your proxy use? > Good line of thought. The answer would reveal what non-working > authentication form the proxy claims to support is chosen because libcurl > considers more secure than the one the user wants to use. > I'd imagine that the next step after that would be to make the list of > authentication forms configurable so that the user can say "hey my proxy > claims to support this one but it does not work" to skip it? > That sounds like a similar approach as what we did for SSL ciphers in > f6f2a9e4 (http: add support for specifying an SSL cipher list, 2015-05-08) where some people had problems with certain cipher the server/client claimed to support when it was in fact broken. > Thanks. @Junio: I agree. From the post in the cygwin mailing list that Johan mentioned, the problem seems to be that the proxy supports NEGOTIATE, NTLM and Basic, and libcurl is choosing NEGOTIATE. That choice fails for that user. There is something I don't understand, though. Johan must be configuring his proxy either a) through git config files; or b) through environment variables. Johan says his proxy uses NTLM authentication. If he is doing a), then my change should not have had any impact. We were already setting CURLOPT_PROXYAUTH to CURLAUTH_ANY in that case. If it's b), then his proxy couldn't have been using NTLM authentication. In the old code path, only _BASIC was available as an authentication mechanism. That default is what prompted me to make the change in the first place. @Johan: how are you configuring your proxy? Git configuration or environment variables? Also, could you run GIT_CURL_VERBOSE=1 git pull and send the output. That should show the failing authentication method. Thanks. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
