Question

I am currently adding SSPI Schannel API support to libcurl in order to make it possible to use SSL enabled protocols on Windows without any external dependency, such as OpenSSL.

I already have a working SSL/TLS implementation, but I have a very specific question regarding the re-use of credential handles returned by the function AcquireCredentialsHandle.

Is it correct and possible to re-use SSL/TLS sessions by, instead of creating a new handle, re-using an existing one and passing it to InitializeSecurityContext multiple times?

My work on the Schannel module for libcurl can be found here, and the experimental version that tries to re-use can be found here.

I would appreciate any kind of hint or feedback on this one. So, can credential handles be re-used in such a way? And is it correct?

Thanks in advance!


Solution

I found the answer to my question and record it here for others:

  1. It has been asked before and a first answer can be found here.
  2. The following information can be found on this MSDN page:

Your application obtains credentials by calling the AcquireCredentialsHandle function, which returns a handle to the requested credentials. Because credentials handles are used to store configuration information, the same handle cannot be used for both client-side and server-side operations. This means that applications that support both client and server connections must obtain a minimum of two credentials handles.

Therefore it can be assumed safe to re-use the same credential handle for multiple connections. And I verified that it indeed makes Schannel re-use the SSL/TLS session. This has been tested on Windows 7 Professional SP1.

Licensed under: CC-BY-SA with attribution