Bug 1335182

Summary: [RFE] curl should support NTLMv2
Product: Red Hat Enterprise Linux 6
Reporter: Piyush Bhoot <pbhoot>
Component: curl
Assignee: Kamil Dudka <kdudka>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 6.9
CC: pbhoot
Target Milestone: rc
Keywords: FutureFeature
Hardware: Unspecified
OS: Linux
Doc Type: Enhancement
Last Closed: 2016-05-12 09:25:51 UTC
Type: Bug

Description Piyush Bhoot 2016-05-11 13:41:31 UTC
Description of problem:
It would be nice to have NTLMv2 in RHEL 6.
NTLMv1 has vulnerabilities and is not relied upon.

Although it is late in the RHEL 6 lifecycle for an RFE, the
presence of NTLMv1 is of no use due to its vulnerability.

Customers don't plan to switch to RHEL 7 for some more years,
RHEL 7 curl has 
Version-Release number of selected component (if applicable):

RHEL 6

 curl -V
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp 
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz 

RHEL 7

curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.15.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz

Comment 1 Kamil Dudka 2016-05-11 14:25:26 UTC
It is too late to implement a new authentication mechanism in RHEL-6 curl.  RHEL-6.8 was the last feature release of RHEL-6.

RHEL-6 curl is based on curl-7.19.7 whereas NTLMv2 was introduced upstream in curl-7_36_0~287 (after more than 4 years of code evolution):

    https://github.com/curl/curl/commit/curl-7_36_0~287

We already had to backport upstream patches to support NTLMv1 in RHEL-6 curl (bug #606819).  Introducing the support for NTLMv2 would imply a major code rewrite and high risk of breaking existing systems of our customers.

Please suggest the customer(s) to try the httpd24-curl-7.47.1-1.1.el6 package from the upcoming version of the httpd24 RHSCL (bug #1282396).  It comes with many features that were introduced in upstream curl recently.

Comment 6 Kamil Dudka 2016-06-01 14:05:57 UTC
(In reply to Kamil Dudka from comment #1)
> Please suggest the customer(s) to try the httpd24-curl-7.47.1-1.1.el6
> package from the upcoming version of the httpd24 RHSCL (bug #1282396).  It
> comes with many features that were introduced in upstream curl recently.

RHSCL 2.2, which includes the httpd24-curl package, has just been released:

https://access.redhat.com/documentation/en-US/Red_Hat_Software_Collections/2/html/2.2_Release_Notes/chap-RHSCL.html#sect-RHSCL-Changes-httpd