Description of problem:
It would be nice to have NTLMv2 in RHEL 6
NTLMv1 has vulnerabilities and not relied upon.
Although it is late in RHEL 6 lifecycle for RFE but this
presence of NTLMv1 is of no use due to its vulnerability.
Customers dont plan to switch to RHEL 7 for some more years,
RHEL 7 curl has
Version-Release number of selected component (if applicable):
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/184.108.40.206 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.15.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz
It is too late to implement a new authentication mechanism in RHEL-6 curl. RHEL-6.8 was the last feature release of RHEL-6.
RHEL-6 curl is based on curl-7.19.7 whereas NTLMv2 was introduced upstream in curl-7_36_0~287 (after more than 4 years of code evolution):
We already had to backport upstream patches to support NTLMv1 in RHEL-6 curl (bug #606819). Introducing the support for NTLMv2 would imply a major code rewrite and high risk of breaking existing systems of our customers.
Please suggest the customer(s) to try the httpd24-curl-7.47.1-1.1.el6 package from the upcoming version of the httpd24 RHSCL (bug #1282396). It comes with many features that were introduced in upstream curl recently.
(In reply to Kamil Dudka from comment #1)
> Please suggest the customer(s) to try the httpd24-curl-7.47.1-1.1.el6
> package from the upcoming version of the httpd24 RHSCL (bug #1282396). It
> comes with many features that were introduced in upstream curl recently.
RHSCL 2.2, which includes the httpd24-curl package has just been released: