Bug 1335182 - [RFE] curl should support NTLMv2
Summary: [RFE] curl should support NTLMv2
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: curl
Version: 6.9
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Kamil Dudka
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-05-11 13:41 UTC by Piyush Bhoot
Modified: 2019-12-16 05:46 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-12 09:25:51 UTC
Target Upstream Version:



Description Piyush Bhoot 2016-05-11 13:41:31 UTC
Description of problem:
It would be nice to have NTLMv2 in RHEL 6.
NTLMv1 has vulnerabilities and is not relied upon.

Although it is late in the RHEL 6 lifecycle for an RFE, the
presence of NTLMv1 is of no use due to its vulnerability.

Customers don't plan to switch to RHEL 7 for some more years,
RHEL 7 curl has 
Version-Release number of selected component (if applicable):

RHEL 6

 curl -V
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp 
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz 

RHEL 7

curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.15.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz

Comment 1 Kamil Dudka 2016-05-11 14:25:26 UTC
It is too late to implement a new authentication mechanism in RHEL-6 curl.  RHEL-6.8 was the last feature release of RHEL-6.

RHEL-6 curl is based on curl-7.19.7 whereas NTLMv2 was introduced upstream in curl-7_36_0~287 (after more than 4 years of code evolution):

    https://github.com/curl/curl/commit/curl-7_36_0~287

We already had to backport upstream patches to support NTLMv1 in RHEL-6 curl (bug #606819).  Introducing the support for NTLMv2 would imply a major code rewrite and high risk of breaking existing systems of our customers.

Please suggest the customer(s) to try the httpd24-curl-7.47.1-1.1.el6 package from the upcoming version of the httpd24 RHSCL (bug #1282396).  It comes with many features that were introduced in upstream curl recently.
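
The upstream version threshold given in comment 1 (NTLMv2 landed on the way to curl 7.36.0) can be turned into an inventory check over `curl -V` banners. This is an added example, not part of the bug report or of curl itself; the function name and output labels are hypothetical, and the result reflects the upstream version number only, since a vendor build may carry backports.

```shell
# First line and Features line of the `curl -V` output quoted in the bug report.
RHEL6_BANNER='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz '
RHEL7_BANNER='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.15.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz'
# Constructed banners (not from the page): a 7.47.1 build with and without NTLM.
NEWER_BANNER='curl 7.47.1 (x86_64-redhat-linux-gnu) libcurl/7.47.1
Features: IPv6 Largefile NTLM SSL libz'
NO_NTLM_BANNER='curl 7.47.1 (x86_64-unknown-linux-gnu) libcurl/7.47.1
Features: IPv6 Largefile SSL libz'

# Prints one of: unknown, no-ntlm, pre-7.36.0, 7.36.0-or-later
classify_curl_ntlm() {
    banner=$1
    # Extract "major minor" from a first line such as "curl 7.19.7 (...)".
    ver=$(printf '%s\n' "$banner" |
        sed -n '1s/^curl \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || { echo unknown; return 0; }

    # NTLM must be listed as its own feature word; NTLM_WB alone does not count.
    features=$(printf '%s\n' "$banner" | sed -n 's/^Features: *//p')
    case " $features " in
        *" NTLM "*) ;;
        *) echo no-ntlm; return 0 ;;
    esac

    # Compare against the 7.36 threshold named in comment 1.
    set -- $ver
    if [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 36 ]; }; then
        echo 7.36.0-or-later
    else
        echo pre-7.36.0      # NTLM offered, but older than the upstream NTLMv2 commit
    fi
}

for name in RHEL6_BANNER RHEL7_BANNER NEWER_BANNER NO_NTLM_BANNER; do
    eval "b=\$$name"
    printf '%s: %s\n' "$name" "$(classify_curl_ntlm "$b")"
done
```

On a live host, pass the real banner with `classify_curl_ntlm "$(curl -V)"`.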

Comment 6 Kamil Dudka 2016-06-01 14:05:57 UTC
(In reply to Kamil Dudka from comment #1)
> Please suggest the customer(s) to try the httpd24-curl-7.47.1-1.1.el6
> package from the upcoming version of the httpd24 RHSCL (bug #1282396).  It
> comes with many features that were introduced in upstream curl recently.

RHSCL 2.2, which includes the httpd24-curl package, has just been released:

https://access.redhat.com/documentation/en-US/Red_Hat_Software_Collections/2/html/2.2_Release_Notes/chap-RHSCL.html#sect-RHSCL-Changes-httpd

