Optimizing gss_init_sec_context possible?

Benjamin Kaduk kaduk at MIT.EDU
Tue Sep 22 15:23:28 EDT 2015


On Tue, 22 Sep 2015, Martin Gee wrote:

> Version: 1.13.2 kerb lib
> I'm using the GSS libs to impersonate a user via HTTP SPNEGO (http://tools.ietf.org/html/rfc4559)
> I use gss_init_sec_context to get a Token which is sent over to the HTTP service (see spec) in an HTTP Header. This is necessary. 
> I'm profiling my app. The gss_init_sec_context is the most expensive

gss_init_sec_context is permitted to (and frequently does) block on
network interaction before returning.  Would your profiling pick up such a
network delay?

> call.   I notice that gss_init_sec_context gives you a context handle. 
> Is it possible to reuse the context and still get a token? 

No.  The context handle is specific to a single ~session between client
and server (not an HTTP or TLS session, just a rough similarity).  Perhaps
RFC 7546 would help clarify how gss_init_sec_context is supposed to work.

-Ben


More information about the Kerberos mailing list