docs: Update SPNEGO and GSS-API related doc sections

    POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.

    POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.

    libcurl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading,

    libcurl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading,

    kerberos, HTTP form based upload, proxies, cookies, user+password

    Kerberos, SPNEGO, HTTP form based upload, proxies, cookies, user+password

    authentication, file transfer resume, http proxy tunneling and more!

    authentication, file transfer resume, http proxy tunneling and more!

    libcurl is highly portable, it builds and works identically on numerous

    libcurl is highly portable, it builds and works identically on numerous

    platforms, including Solaris, NetBSD, FreeBSD, OpenBSD, Darwin, HPUX,

    platforms, including Solaris, NetBSD, FreeBSD, OpenBSD, Darwin, HP-UX,

    IRIX, AIX, Tru64, Linux, UnixWare, HURD, Windows, Amiga, OS/2, BeOS, Mac

    IRIX, AIX, Tru64, Linux, UnixWare, HURD, Windows, Amiga, OS/2, BeOS, Mac

    OS X, Ultrix, QNX, OpenVMS, RISC OS, Novell NetWare, DOS, Symbian, OSF,

    OS X, Ultrix, QNX, OpenVMS, RISC OS, Novell NetWare, DOS, Symbian, OSF,

    Android, Minix, IBM TPF and more...

    Android, Minix, IBM TPF and more...

 - POST

 - POST

 - Pipelining

 - Pipelining

 - multipart formpost (RFC1867-style)

 - multipart formpost (RFC1867-style)

 - authentication: Basic, Digest, NTLM (*9), Negotiate (*3) and to server and

 - authentication: Basic, Digest, NTLM (*9) and Negotiate (SPNEGO) (*3)

   proxy

   to server and proxy

 - resume (both GET and PUT)

 - resume (both GET and PUT)

 - follow redirects

 - follow redirects

 - maximum amount of redirects to follow

 - maximum amount of redirects to follow

 - download

 - download

 - authentication

 - authentication

 - kerberos4 (*5)

 - kerberos4 (*5)

 - kerberos5 (*3)

 - Kerberos 5 (*14)

 - active/passive using PORT, EPRT, PASV or EPSV

 - active/passive using PORT, EPRT, PASV or EPSV

 - single file size information (compare to HTTP HEAD)

 - single file size information (compare to HTTP HEAD)

 - 'type=' URL support

 - 'type=' URL support

  *1 = requires OpenSSL, GnuTLS, NSS, yassl, axTLS, PolarSSL, WinSSL (native

  *1 = requires OpenSSL, GnuTLS, NSS, yassl, axTLS, PolarSSL, WinSSL (native

       Windows), Secure Transport (native iOS/OS X) or qssl (native IBM i)

       Windows), Secure Transport (native iOS/OS X) or qssl (native IBM i)

  *2 = requires OpenLDAP

  *2 = requires OpenLDAP

  *3 = requires a GSSAPI-compliant library, such as Heimdal or similar

  *3 = requires a GSS-API implementation (such as Heimdal or MIT Kerberos) or

       SSPI (native Windows)

  *4 = requires nghttp2 and possibly a recent TLS library

  *4 = requires nghttp2 and possibly a recent TLS library

  *5 = requires a krb4 library, such as the MIT one or similar

  *5 = requires a krb4 library, such as the MIT one or similar

  *6 = requires c-ares

  *6 = requires c-ares

  *12 = requires libz

  *12 = requires libz

  *13 = requires libmetalink, and either an Apple or Microsoft operating

  *13 = requires libmetalink, and either an Apple or Microsoft operating

        system, or OpenSSL, or GnuTLS, or NSS

        system, or OpenSSL, or GnuTLS, or NSS

  *14 = requires a GSS-API implementation (such as Heimdal or MIT Kerberos)

  acknowledged after the actual TCP connect (during the SOCKS "negotiate"

  acknowledged after the actual TCP connect (during the SOCKS "negotiate"

  phase).

  phase).

10. To get HTTP Negotiate authentication to work fine, you need to provide a

10. To get HTTP Negotiate (SPNEGO) authentication to work fine, you need to

  (fake) user name (this concerns both curl and the lib) because the code

  provide a (fake) user name (this concerns both curl and the lib) because the

  wrongly only considers authentication if there's a user name provided.

  code wrongly only considers authentication if there's a user name provided.

  http://curl.haxx.se/bug/view.cgi?id=440 How?

  http://curl.haxx.se/bug/view.cgi?id=440 How?

  http://curl.haxx.se/mail/lib-2004-08/0182.html

  http://curl.haxx.se/mail/lib-2004-08/0182.html

        curl -u name:passwd http://machine.domain/full/path/to/file

        curl -u name:passwd http://machine.domain/full/path/to/file

   HTTP offers many different methods of authentication and curl supports

   HTTP offers many different methods of authentication and curl supports

   several: Basic, Digest, NTLM and Negotiate. Without telling which method to

   several: Basic, Digest, NTLM and Negotiate (SPNEGO). Without telling which

   use, curl defaults to Basic. You can also ask curl to pick the most secure

   method to use, curl defaults to Basic. You can also ask curl to pick the

   ones out of the ones that the server accepts for the given URL, by using

   most secure ones out of the ones that the server accepts for the given URL,

   --anyauth.

   by using --anyauth.

   NOTE! According to the URL specification, HTTP URLs can not contain a user

   NOTE! According to the URL specification, HTTP URLs can not contain a user

   and password, so that style will not work when using curl via a proxy, even

   and password, so that style will not work when using curl via a proxy, even

.\" *

.\" *

.\" **************************************************************************

.\" **************************************************************************

.\"

.\"

.TH curl 1 "27 July 2012" "Curl 7.27.0" "Curl Manual"

.TH curl 1 "2 Aug 2014" "Curl 7.38.0" "Curl Manual"

.SH NAME

.SH NAME

curl \- transfer a URL

curl \- transfer a URL

.SH SYNOPSIS

.SH SYNOPSIS

should be one of 'clear', 'safe', 'confidential', or 'private'. Should you use

should be one of 'clear', 'safe', 'confidential', or 'private'. Should you use

a level that is not one of these, 'private' will instead be used.

a level that is not one of these, 'private' will instead be used.

This option requires a library built with kerberos4 or GSSAPI

This option requires a library built with kerberos4 support. This is not

(GSS-Negotiate) support. This is not very common. Use \fI-V, --version\fP to

very common. Use \fI-V, --version\fP to see if your curl supports it.

see if your curl supports it.

If this option is used several times, the last one will be used.

If this option is used several times, the last one will be used.

.IP "-l, --list-only"

.IP "-l, --list-only"

\fBoptional\fP and not mandatory as the \fI--netrc\fP option does.

\fBoptional\fP and not mandatory as the \fI--netrc\fP option does.

.IP "--negotiate"

.IP "--negotiate"

(HTTP) Enables GSS-Negotiate authentication. The GSS-Negotiate method was

(HTTP) Enables Negotiate (SPNEGO) authentication.

designed by Microsoft and is used in their web applications. It is primarily

meant as a support for Kerberos5 authentication but may be also used along

with another authentication method. For more information see IETF draft

draft-brezak-spnego-http-04.txt.

If you want to enable Negotiate for your proxy authentication, then use

If you want to enable Negotiate (SPNEGO) for proxy authentication, then use

\fI--proxy-negotiate\fP.

\fI--proxy-negotiate\fP.

This option requires a library built with GSSAPI support. This is

This option requires a library built with GSS-API or SSPI support. Use \fI-V,

not very common. Use \fI-V, --version\fP to see if your version supports

--version\fP to see if your curl supports GSS-API/SSPI and SPNEGO.

GSS-Negotiate.

When using this option, you must also provide a fake \fI-u, --user\fP option to

When using this option, you must also provide a fake \fI-u, --user\fP option to

activate the authentication code properly. Sending a '-u :' is enough as the

activate the authentication code properly. Sending a '-u :' is enough as the

Tells curl to use HTTP Digest authentication when communicating with the given

Tells curl to use HTTP Digest authentication when communicating with the given

proxy. Use \fI--digest\fP for enabling HTTP Digest with a remote host.

proxy. Use \fI--digest\fP for enabling HTTP Digest with a remote host.

.IP "--proxy-negotiate"

.IP "--proxy-negotiate"

Tells curl to use HTTP Negotiate authentication when communicating

Tells curl to use HTTP Negotiate (SPNEGO) authentication when communicating

with the given proxy. Use \fI--negotiate\fP for enabling HTTP Negotiate

with the given proxy. Use \fI--negotiate\fP for enabling HTTP Negotiate (SPNEGO)

with a remote host. (Added in 7.17.1)

with a remote host. (Added in 7.17.1)

.IP "--proxy-ntlm"

.IP "--proxy-ntlm"

Tells curl to use HTTP NTLM authentication when communicating with the given

Tells curl to use HTTP NTLM authentication when communicating with the given

sockd/real-name would use sockd/real-name for cases where the proxy-name does

sockd/real-name would use sockd/real-name for cases where the proxy-name does

not match the principal name.  (Added in 7.19.4).

not match the principal name.  (Added in 7.19.4).

.IP "--socks5-gssapi-nec"

.IP "--socks5-gssapi-nec"

As part of the gssapi negotiation a protection mode is negotiated. RFC 1961

As part of the GSS-API negotiation a protection mode is negotiated. RFC 1961

says in section 4.3/4.4 it should be protected, but the NEC reference

says in section 4.3/4.4 it should be protected, but the NEC reference

implementation does not.  The option \fI--socks5-gssapi-nec\fP allows the

implementation does not.  The option \fI--socks5-gssapi-nec\fP allows the

unprotected exchange of the protection mode negotiation. (Added in 7.19.4).

unprotected exchange of the protection mode negotiation. (Added in 7.19.4).

Automatic decompression of compressed files over HTTP is supported.

Automatic decompression of compressed files over HTTP is supported.

.IP "NTLM"

.IP "NTLM"

NTLM authentication is supported.

NTLM authentication is supported.

.IP "GSS-Negotiate"

Negotiate authentication and krb5 for FTP is supported.

.IP "Debug"

.IP "Debug"

This curl uses a libcurl built with Debug. This enables more error-tracking

This curl uses a libcurl built with Debug. This enables more error-tracking

and memory debugging etc. For curl-developers only!

and memory debugging etc. For curl-developers only!

.IP "AsynchDNS"

.IP "AsynchDNS"

This curl uses asynchronous name resolves.

This curl uses asynchronous name resolves.

.IP "SPNEGO"

.IP "SPNEGO"

SPNEGO Negotiate authentication is supported.

SPNEGO authentication is supported.

.IP "Largefile"

.IP "Largefile"

This curl supports transfers of large files, files larger than 2GB.

This curl supports transfers of large files, files larger than 2GB.

.IP "IDN"

.IP "IDN"

This curl supports IDN - international domain names.

This curl supports IDN - international domain names.

.IP "GSS-API"

GSS-API is supported.

.IP "SSPI"

.IP "SSPI"

SSPI is supported. If you use Negotiate or NTLM authentication and set a blank

SSPI is supported.

user name, curl will authenticate with your current user and password.

.IP "TLS-SRP"

.IP "TLS-SRP"

SRP (Secure Remote Password) authentication is supported for TLS.

SRP (Secure Remote Password) authentication is supported for TLS.

.IP "Metalink"

.IP "Metalink"