When using --negotiate with curl on windows, SSL/TLS handshake fails #5881
Description
When using --negotiate (or ntlm) with curl on windows, SSL/TSL handshake fails despite having a valid kerberos ticket cached on my windows 10 (shown below). The same logic and commands works without any issue in Unix/Linux. Any idea/help on how to resolve this issue?
$: Klist
Client: username @ XXXX.XXX
Server: cifs/XXXXXXX.XXX @ XXXXXXX.XXX
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags XXXXXX -> forwardable renewable pre_authent name_canonicalize
Start Time: 8/27/2020 9:46:36 (local)
End Time: 8/27/2020 19:46:33 (local)
Renew Time: 9/27/2020 9:46:33 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: XXXXXXXXX.XXX
>curl --ntlm -u : https://XXXXX.XXX -v
OR
>curl --negotiate -u : https://XXXXX.XXX -v
* Trying xx.xx.xx.xx...
* TCP_NODELAY set
* Connected to xxxx.xxx (xx.xx.xx.xx) port xxx (#0)
* schannel: SSL/TLS connection with xxxx.xxx port xxx (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 186 bytes...
* schannel: sent initial handshake data: sent 186 bytes
* schannel: SSL/TLS connection with xxx.xxx port xxx (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with xxx.xxx port xxx (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with xxx.xxx port xxx (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 5120 length 5120
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with xxx.xxx port xxx (step 2/3)
* schannel: encrypted data got 817
* schannel: encrypted data buffer: offset 5937 length 6144
* schannel: sending next handshake data: sending 126 bytes...
* schannel: SSL/TLS connection with xxx.xxx port xxx (step 2/3)
* schannel: encrypted data got 51
* schannel: encrypted data buffer: offset 51 length 6144
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with xxx.xxx port xxx (step 3/3)
* schannel: stored credential handle in session cache
> GET /login HTTP/1.1
> Host: xxx.xxx
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 915
* schannel: encrypted data buffer: offset 915 length 103424
* schannel: decrypted data length: 852
* schannel: decrypted data added: 852
* schannel: decrypted data cached: offset 852 length 102400
* schannel: encrypted data length: 34
* schannel: encrypted data cached: offset 34 length 103424
* schannel: decrypted data length: 5
* schannel: decrypted data added: 5
* schannel: decrypted data cached: offset 857 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 857 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 857
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 401
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Application-Context: Apixxxxx:x
< X-RateLimit-Limit-Api_login_anonymous: 1000
< X-RateLimit-Remaining-Api_login_anonymous: 999
< X-RateLimit-Reset-Apixxx_login_anonymous: 0
< X-xxxxx-xxx: xxxxx.xxx
< Date: Thu, 27 Aug 2020 19:50:12 GMT
< Expires: 0
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="Please login with your Windows account"
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Strict-Transport-Security: max-age=xxx ; includeSubDomains
< TraceId: 5f480e7427f78fd5406fcbef0abf8e6c
< X-Content-Type-Options: nosniff
< Transfer-Encoding: chunked
<
* Ignoring the response-body
* Connection #0 to host xxx.xxx left intact
* Issue another request to this URL: 'https://xxx.xxx/login'
* Found bundle for host xxx.xxx: 0xxxxxxxxx [can pipeline]
* Re-using existing connection! (#0) with host xxx.xxx
* Connected to xxx.xxx (xx.xx.xxx.xx) port xxx (#0)
* Server auth using Negotiate with user ' '
> GET /login HTTP/1.1
> Host: xxx.xxx
> Authorization: Negotiate xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 814
* schannel: encrypted data buffer: offset 814 length 103424
* schannel: decrypted data length: 751
* schannel: decrypted data added: 751
* schannel: decrypted data cached: offset 751 length 102400
* schannel: encrypted data length: 34
* schannel: encrypted data cached: offset 34 length 103424
* schannel: decrypted data length: 5
* schannel: decrypted data added: 5
* schannel: decrypted data cached: offset 756 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 756 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 756
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 401
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Application-Context: Apixxx:xxxxxxxxxxxxxxxx:x
< X-RateLimit-Limit-Apixxx_login_anonymous: 1000
< X-RateLimit-Remaining-Apixxx_login_anonymous: 999
< X-RateLimit-Reset-Apixxx_login_anonymous: 0
< X-XXXX-xxx: xxxx.xxx
< Date: Thu, 27 Aug 2020 19:50:12 GMT
< Expires: 0
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Strict-Transport-Security: max-age=xxx ; includeSubDomains
< TraceId: xxxxxxxxxxxxxxxxxxxxxxxxxxx
< X-Content-Type-Options: nosniff
< Transfer-Encoding: chunked
<
* Connection #0 to host xxx.xxx left intact
>curl --version
curl 7.55.1 (Windows) libcurl/7.55.1 WinSSL
Release-Date: [unreleased]
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL