From: Daniel Stenberg Date: Fri, 17 Oct 2025 14:54:57 +0000 (+0200) Subject: KNOWN_BUGS: SOCKS-SSPI discards the security context X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ba34f6eb6637066094156ee30bb6a6abb0ae0893;p=thirdparty%2Fcurl.git KNOWN_BUGS: SOCKS-SSPI discards the security context Also make the verbose log say it Pointed out by ZeroPath --- diff --git a/docs/KNOWN_BUGS b/docs/KNOWN_BUGS index d4e4423094..15ca40102a 100644 --- a/docs/KNOWN_BUGS +++ b/docs/KNOWN_BUGS @@ -67,6 +67,7 @@ problems may have been fixed or changed somewhat since this was written. 10. Connection 10.1 --interface with link-scoped IPv6 address 10.2 Does not acknowledge getaddrinfo sorting policy + 10.3 SOCKS-SSPI discards the security context 11. Internals 11.1 gssapi library name + version is missing in curl_version_info() @@ -444,6 +445,15 @@ problems may have been fixed or changed somewhat since this was written. https://github.com/curl/curl/issues/16718 + +10.3 SOCKS-SSPI discards the security context + + After a successful SSPI/GSS-API exchange, the function queries and logs the + authenticated username and reports the supported data-protection level, but + then immediately deletes the negotiated SSPI security context and frees the + credentials before returning. The negotiated context is not stored on the + connection and is therefore never used to protect later SOCKS5 traffic. + 11. Internals 11.1 gssapi library name + version is missing in curl_version_info() diff --git a/lib/socks_sspi.c b/lib/socks_sspi.c index 54049e8c99..6e40adb7ad 100644 --- a/lib/socks_sspi.c +++ b/lib/socks_sspi.c @@ -562,7 +562,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, } (void)curlx_nonblock(sock, TRUE); - infof(data, "SOCKS5 access with%s protection granted.", + infof(data, "SOCKS5 access with%s protection granted BUT NOT USED.", (socksreq[0] == 0) ? "out GSS-API data": ((socksreq[0] == 1) ? " GSS-API integrity" : " GSS-API confidentiality"));