[37239] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Optimizing gss_init_sec_context possible?

daemon@ATHENA.MIT.EDU (Martin Gee)
Wed Sep 23 09:24:55 2015

Date: Wed, 23 Sep 2015 13:24:41 +0000 (UTC)
From: Martin Gee <geemang_2000@yahoo.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <1479487976.231052.1443014681674.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <alpine.GSO.1.10.1509221519280.26829@multics.mit.edu>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Reply-To: Martin Gee <geemang_2000@yahoo.com>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Thanks Ben,
Yes I'm seeing the network delay. But if thats the way it works... I wondering if GSS can be tuned for keepalives etc? 


     On Tuesday, September 22, 2015 2:23 PM, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
   

 On Tue, 22 Sep 2015, Martin Gee wrote:

> Version: 1.13.2 kerb lib
> I'm using the GSS libs to impersonate a user via HTTP SPNEGO (http://tools.ietf.org/html/rfc4559)
> I use gss_init_sec_context to get a Token which is sent over to the HTTP service (see spec) in an HTTP Header. This is necessary. 
> I'm profiling my app. The gss_init_sec_context is the most expensive

gss_init_sec_context is permitted to (and frequently does) block on
network interaction before returning.  Would your profiling pick up such a
network delay?

> call.   I notice that gss_init_sec_context gives you a context handle. 
> Is it possible to reuse the context and still get a token? 

No.  The context handle is specific to a single ~session between client
and server (not an HTTP or TLS session, just a rough similarity).  Perhaps
RFC 7546 would help clarify how gss_init_sec_context is supposed to work.

-Ben

  
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


home help back first fref pref prev next nref lref last post