Hi, On Mon, 27 Feb 2017, Junio C Hamano wrote: > Jeff King <peff@xxxxxxxx> writes: > > > The auto mode may incur an extra round-trip over setting > > http.emptyauth=true, because part of the emptyauth hack is to feed > > this blank password to curl even before we've made a single request. > > IOW, people who care about an extra round-trip have this workaround, > which is good. > > This, along with the possible security implications, may want to be > added to the documentation but that is outside the topic of this change, > and I think we would want to see such an update come from those who > actually use NTLM (or Kerberos, but they know they have minimum security > implications). > > > +#ifndef LIBCURL_CAN_HANDLE_AUTH_ANY + /* + * Our libcurl is > > too old to do AUTH_ANY in the first place; + * just default to > > turning the feature off. + */ +#else + /* + * In the > > automatic case, kick in the empty-auth + * hack as long as we > > would potentially try some + * method more exotic than "Basic" > > or "Digest". + * + * But only do this when this is our > > second or + * subsequent * request, as by then we know what > > I'll drop the '*' that you left while line-wrapping ;-) > > > + * methods are available. + */ > > Thanks. This looks good. I replaced the previous version in Git for Windows' `master` branch with the one in `pu`. Thanks, Johannes