Re: SASL LOGIN mechanism
On 02/14/2018 09:04 PM, Ray Satiro wrote: Obviously the server does not require the password because the client certificate authentication takes precedence; the AUTH command is however needed before being able to use other commands. This looks like a deviance from the description (https://tools.ietf.org/html/draft-murchison-sasl-login-00), that has been written "a posteriori" (probably by reverse engineering) and has not become a standard. This document does not describe the case when the password is not needed. Interesting. If it's EXTERNAL then aren't you already logged in? No, you're not. Servers that allow EXTERNAL should receive an explicit AUTH EXTERNAL command to be logged in. This server does not support EXTERNAL, but behaves as such with other authentication methods (this is quite clever since many clients do not support EXTERNAL). Where is LOGIN prioritized over PLAIN and is there any effect of that on this issue? Priority is determined by the order of "else if" blocks starting at https://github.com/curl/curl/blob/43a50a2580db2bfb28483a96964ae27b584472da/lib/curl_sasl.c#L292. The only effect would be PLAIN will be chosen by curl instead of LOGIN if both are supported by the server. This does not impact the "no LOGIN password" problem, but will avoid using LOGIN if PLAIN is available. --- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html
Re: SASL LOGIN mechanism
On 2/13/2018 7:48 PM, Patrick Monnerat wrote: > I've recently been facing a special case: a pop3 server (dovecot) with > a TLS-upgraded connection and client certificate does not require the > password when the LOGIN authentication mechanism is used, effectively > behaving as if it was an EXTERNAL authentication. > > > AUTH LOGIN > < + VXNlcm5hbWU6 > > dXNlcg== > < +OK Logged in. > > Obviously the server does not require the password because the client > certificate authentication takes precedence; the AUTH command is > however needed before being able to use other commands. This looks > like a deviance from the description > (https://tools.ietf.org/html/draft-murchison-sasl-login-00), that has > been written "a posteriori" (probably by reverse engineering) and has > not become a standard. This document does not describe the case when > the password is not needed. Interesting. If it's EXTERNAL then aren't you already logged in? I'd ask dovecot team if that's what they intended. > > Currently, curl stops with CURLE_LOGIN_DENIED, treating the positive > response as bad because a continuation is unconditionally expected. > > Should we support this ? If yes, the fix is ready. > > > In addition I would set the LOGIN mechanism a lower priority than the > PLAIN one, as advised in the document mentioned above. > > OK for these changes ? Where is LOGIN prioritized over PLAIN and is there any effect of that on this issue? --- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html
Re: Callback for socket options in curl + c-ares
Hi folks, I went ahead and created a patch to provide a new libcurl CB, that will be called just before a new resolver is called, and the resolver data (channel in case of cares) is passed. This solves the problem perfectly for my use case. Initially I thought about just adding a new easy_getinfo option to retrieve it, but since libcurl can create easy_handles on it's own, I feel this callback approach is a safer option. Are you guys OK with that approach? If that's ok I can send the pull request for review. Thanks, . .:|:.:|:. Francisco Sedano | CCIE 14859, Tech Lead Software Engineering | CSG Enterprise Access and Services Group (EASG) On 14.02.18, 00:54, "curl-library on behalf of Francisco Sedano Crippa (fsedanoc)"wrote: Hello Daniel, I feel it would be useful in some other cases - for example dealing with multi-vrf sockets, currently you can bind the libcurl socket to any vrf you want, but no way to do that with the underlying c-ares. Wouldn't be enough to provide access to the c-ares channel (which is in curl_easy->state.resolver if I'm not wrong)? Once I create my easy socket and the c-ares channel is created, I could just use ares_set_socket_configure_callback on the channel and I'd be done. Anything else I'm missing? Thanks, . .:|:.:|:. Francisco Sedano | CCIE 14859, Tech Lead Software Engineering | CSG Enterprise Access and Services Group (EASG) On 13.02.18, 23:49, "curl-library on behalf of Daniel Stenberg" wrote: On Tue, 13 Feb 2018, Francisco Sedano Crippa (fsedanoc) wrote: > Ideally I’d like to setup a callback with > ares_set_socket_configure_callback(), but in order to do so, I need access > to internal libcurl c-ares channel, which is embedded in the Curl_easy > structure. > > Is there any way to access such c-ares channel so I can properly intercept > c-ares socket usage, like we can do with CURLOPT_OPENSOCKETFUNCTION in > libcurl? No, that's something we've not felt the need for before... I can't think of any other way to offer such a feature than to add a special and dedicated "set socket options" callback for c-ares or perhaps rather for "the resolver back-end". (There's work ongoing in making the resolver back-end totally pluggable which then possibly also appreciate such an ability.) -- / daniel.haxx.se --- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html --- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html
Re: SFTP error when using proxy with curl
On Wed, Feb 14, 2018 at 05:24:11PM +0530, Nazeem Shereef wrote: > I can connect to sftp server through the same proxy using SFTP command. So the > issue is not with the proxy server. > > It is a socks proxy and if I use an HTTPS proxy I can connect to the sftp > server via curl. So does this means curl won't support SOCKS proxy? curl supports many variants of SOCKS proxies for most protocols, but the logs show that you've specified an HTTP proxy. There are different options to specify SOCKS. >>> Dan --- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html
Re: SFTP error when using proxy with curl
I can connect to sftp server through the same proxy using SFTP command. So the issue is not with the proxy server. It is a socks proxy and if I use an HTTPS proxy I can connect to the sftp server via curl. So does this means curl won't support SOCKS proxy? On 14 Feb 2018 3:31 pm, "Daniel Stenberg"wrote: On Wed, 14 Feb 2018, Nazeem Shereef wrote: CONNECT my-ftp-server.tld:22 HTTP/1.1 >> > * Proxy CONNECT aborted > Your proxy didn't allow you to do a CONNECT to that server on that port. -- / daniel.haxx.se --- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html --- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html
Re: SFTP error when using proxy with curl
On Wed, 14 Feb 2018, Nazeem Shereef wrote: CONNECT my-ftp-server.tld:22 HTTP/1.1 * Proxy CONNECT aborted Your proxy didn't allow you to do a CONNECT to that server on that port. -- / daniel.haxx.se --- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html
Re: SFTP error when using proxy with curl
Compiled the latest version 7.58.0 and now different error. please advice. # ./curl -V curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.0.1e zlib/1.2.3 libssh2/1.8.0 Release-Date: 2018-01-24 Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp Features: AsynchDNS Largefile NTLM NTLM_WB SSL libz UnixSockets HTTPS-proxy # curl -vvv -x my-socks-proxy.tld:1080 sftp://my-ftp-server.tld/ -u ftp-userEnter host password for user 'ftp-user': * Trying 10.10.10.51... * TCP_NODELAY set * Connected to my-socks-proxy.tld (10.10.10.51) port 1080 (#0) * allocate connect buffer! * Establish HTTP proxy tunnel to my-ftp-server.tld:22 * Server auth using Basic with user 'ftp-user' > CONNECT my-ftp-server.tld:22 HTTP/1.1 > Host: my-ftp-server.tld:22 > User-Agent: curl/7.58.0 > Proxy-Connection: Keep-Alive > * Proxy CONNECT aborted * CONNECT phase completed! * Connection #0 to host my-socks-proxy.tld left intact On 14 Feb 2018 1:32 pm, "Daniel Stenberg"wrote: On Wed, 14 Feb 2018, Nazeem Shereef wrote: Installed latest curl available for RHEL6(curl-7.31.0-23.2.x86_64) but it > doesn't have sftp support > You need a "libssh2-dev" package (or a name similar to that) to build curl with libssh2 support. But note that curl 7.31.0 is also old (approaching 5 years). I would rather suggest you build from a release tarball instead. -- / daniel.haxx.se --- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html --- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html
Re: SFTP error when using proxy with curl
On Wednesday, February 14, 2018 8:48:50 AM CET Nazeem Shereef wrote: > Installed latest curl available for RHEL6(curl-7.31.0-23.2.x86_64) Available where? You do not seem to be using any packages provided by Red Hat, neither the upstream distribution of curl. I am afraid you are out of support here. Kamil --- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html
Re: SFTP error when using proxy with curl
On Wed, 14 Feb 2018, Nazeem Shereef wrote: Installed latest curl available for RHEL6(curl-7.31.0-23.2.x86_64) but it doesn't have sftp support You need a "libssh2-dev" package (or a name similar to that) to build curl with libssh2 support. But note that curl 7.31.0 is also old (approaching 5 years). I would rather suggest you build from a release tarball instead. -- / daniel.haxx.se --- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html