curl on macOS with OpenSSL and GSSAPI fails Kerberos SPNEGO requests due to channel binding #19109

@rsesek

Description

I did this

When building curl on macOS --with-openssl and --with-gssapi, requests to a corporate HTTP service that uses Kerberos SPNEGO for authentication fail. This does not happen when built --with-secure-transport rather than OpenSSL (which macOS's built-in curl does). OpenSSL 3.5.4 was obtained via MacPorts.

Running the curl command with -v printed this error message: gss_init_sec_context() failed: An unsupported mechanism was requested. unknown mech-code 0 for mech unknown.

I ran a git bisect between a last-known-good curl version (8.7.1) and the version in MacPorts that stopped working (8.13.0), which identified commit 0a5ea09a910e ("spnego_gssapi: implement TLS channel bindings for openssl") as the breaking change. The PR #13098 associated with that commit notes, "This change require krb5 >= 1.19, otherwise channel bindings won't be forwarded through SPNEGO."

However, macOS does not use MIT Kerberos but rather a fork of Heimdal. And while upstream Heimdal merged a PR to support channel binding, this has not been integrated into Apple's fork. It seems that macOS GSSAPI/Kerberos does not have the needed channel binding support for SPNEGO.

A potential fix might be to condition setting the channel binding data in libcurl on the presence of the GSS_C_CHANNEL_BOUND_FLAG define in the gssapi.h header.

I expected the following

No response

curl/libcurl version

Fails on both:

curl 8.10.0-DEV (aarch64-apple-darwin25.0.0) libcurl/8.10.0-DEV OpenSSL/3.5.4 zlib/1.3.1 brotli/1.1.0 zstd/1.5.7 libidn2/2.3.8 libpsl/0.21.5 nghttp2/1.67.1
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
curl 8.16.0-DEV (aarch64-apple-darwin25.0.0) libcurl/8.16.0-DEV OpenSSL/3.5.4 zlib/1.3.1 brotli/1.1.0 zstd/1.5.7 libidn2/2.3.8 libpsl/0.21.5 nghttp2/1.67.1
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

operating system

Tested on macOS 15.7.1 and 26.0.1

Darwin mactest1 25.0.0 Darwin Kernel Version 25.0.0: Wed Sep 17 21:41:50 PDT 2025; root:xnu-12377.1.9~141/RELEASE_ARM64_T6030 arm64
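The reporter's proposed fix is to condition the channel-binding code on whether gssapi.h defines GSS_C_CHANNEL_BOUND_FLAG. The following is an added build-time probe for exactly that define; it is example code, not curl's code and not from the issue, and the two sample headers it creates are constructed stand-ins, not Apple's, Heimdal's or MIT's real gssapi.h.

```shell
#!/bin/sh
# Added example, not part of curl or of this issue: an autoconf-style probe for
# the GSS_C_CHANNEL_BOUND_FLAG define that the report proposes gating curl's
# SPNEGO channel-binding code on. A GSSAPI whose gssapi.h lacks the define
# (Apple's Heimdal fork, per the report) cannot forward bindings through SPNEGO.

# gss_cb_flag_present HEADER -> prints yes/no, returns 0/1 (2 if unreadable).
gss_cb_flag_present() {
    hdr="$1"
    [ -r "$hdr" ] || { echo "error: cannot read $hdr" >&2; return 2; }
    # Prefer the real preprocessor (-dM dumps every macro that survives the
    # header's own #if logic); fall back to a textual grep if there is no cc
    # or the header cannot be preprocessed stand-alone.
    if command -v cc >/dev/null 2>&1 && macros=$(cc -E -dM -x c "$hdr" 2>/dev/null); then
        if printf '%s\n' "$macros" | grep -q '^#define GSS_C_CHANNEL_BOUND_FLAG[[:space:]]'; then
            echo yes; return 0
        fi
    elif grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+GSS_C_CHANNEL_BOUND_FLAG([[:space:]]|$)' "$hdr"; then
        echo yes; return 0
    fi
    echo no; return 1
}

# make_sample_headers -> prints a temp dir holding two constructed headers.
# Minimal stand-ins for the two situations the issue contrasts; they are NOT
# real MIT krb5 or Heimdal headers and the flag value is illustrative.
make_sample_headers() {
    dir=$(mktemp -d)
    cat > "$dir/with_cb.h" <<'EOF'
/* constructed: GSSAPI that advertises channel binding (krb5 >= 1.19 style) */
typedef unsigned int OM_uint32;
#define GSS_C_DELEG_FLAG 1
#define GSS_C_CHANNEL_BOUND_FLAG 2048
EOF
    cat > "$dir/without_cb.h" <<'EOF'
/* constructed: GSSAPI without the flag, as the report describes for macOS */
typedef unsigned int OM_uint32;
#define GSS_C_DELEG_FLAG 1
EOF
    echo "$dir"
}

# Demo: probe both constructed headers, then a system gssapi.h where present.
d=$(make_sample_headers)
for h in "$d/with_cb.h" "$d/without_cb.h" /usr/include/gssapi/gssapi.h; do
    [ -r "$h" ] && printf '%s: %s\n' "$h" "$(gss_cb_flag_present "$h")"
done
rm -rf "$d"
```

Point the function at the gssapi.h your curl build actually picks up (the SDK or MacPorts one) to see which branch of the proposed #ifdef that toolchain would take.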

Metadata

Assignees

No one assigned

    Labels

    appleOS (specific to an Apple operating system), known-issue
