diff --git a/SOURCES/gssproxy_ticket_147_0001-Add-PIE-and-RELRO-compiler-flags-for-hardening.patch b/SOURCES/gssproxy_ticket_147_0001-Add-PIE-and-RELRO-compiler-flags-for-hardening.patch
deleted file mode 100644
index 7d199ed..0000000
--- a/SOURCES/gssproxy_ticket_147_0001-Add-PIE-and-RELRO-compiler-flags-for-hardening.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 0f33846367ea29d06c30a8b881675dfc2fb8892c Mon Sep 17 00:00:00 2001
-From: Roland Mainz
-Date: Thu, 7 May 2015 20:21:21 +0200
-Subject: [PATCH] Add PIE and RELRO compiler flags for hardening
-
-Add PIE (=position independent code) and RELRO (=read-only jump
-tables and relocation addresses) compiler flags for hardening.
-
-Fixes: https://fedorahosted.org/gss-proxy/ticket/147
-Signed-off-by: Roland Mainz
-Reviewed-by: Stephen Gallagher
-Reviewed-by: Lukas Slebodnik
----
- proxy/Makefile.am | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/proxy/Makefile.am b/proxy/Makefile.am
-index 821362502483f046c46209c16ef422d796c4b384..39674f6764da914f5d54d68672b6b1bcd4247f8f 100644
---- a/proxy/Makefile.am
-+++ b/proxy/Makefile.am
-@@ -31,6 +31,10 @@ pkgconfigdir = $(libdir)/pkgconfig
- gpstatedir = @gpstatedir@
- gpclidir = @gpstatedir@/clients
-
-+# Flags for hardening (separated out so we can override them for testing)
-+PIE_CFLAGS = -fPIE
-+RELRO_CFLAGS = -Wl,-z,relro,-z,now
-+
- AM_CFLAGS =
- if WANT_AUX_INFO
- AM_CFLAGS += -aux-info $@.X
-@@ -41,7 +45,8 @@ if HAVE_GCC
- AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
- -Wcast-qual -Wcast-align -Wwrite-strings \
- -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
-- -Werror-implicit-function-declaration
-+ -Werror-implicit-function-declaration \
-+ $(PIE_CFLAGS) $(RELRO_CFLAGS)
- endif
-
- dist_pkgconfig_DATA =
---
-2.4.0
-
diff --git a/SOURCES/gssproxy_ticket_155-krb5_principal.patch b/SOURCES/gssproxy_ticket_155-krb5_principal.patch
new file mode 100644
index 0000000..04ca732
--- /dev/null
+++ b/SOURCES/gssproxy_ticket_155-krb5_principal.patch
@@ -0,0 +1,49 @@
+From 41c8b2631fdd09b1e97e341838c71ffd11033133 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Fri, 15 Apr 2016 12:04:48 -0400
+Subject: [PATCH] Implement the krb5_principal option
+
+The krb5_principal option was defined and documented but not actually used.
+Implement it's use when a service keytab is provided.
+
+Ticket: https://fedorahosted.org/gss-proxy/ticket/155
+
+Signed-off-by: Simo Sorce
+Reviewed-by: Robbie Harwood
+
+[rharwood@redhat.com adjust macros for backport]
+---
+ proxy/src/gp_creds.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
+index 255200c..551b020 100644
+--- a/proxy/src/gp_creds.c
++++ b/proxy/src/gp_creds.c
+@@ -325,6 +325,23 @@ static int gp_get_cred_environment(struct gp_call_ctx *gpcall,
+ }
+ }
+
++ if (use_service_keytab &&
++ (*requested_name == GSS_C_NO_NAME) && (svc->krb5.principal)) {
++ /* configuration dictates to use a specific name */
++ gss_buffer_desc const_buf;
++ const_buf.value = svc->krb5.principal;
++ const_buf.length = strlen(svc->krb5.principal) + 1;
++
++ ret_maj = gss_import_name(&ret_min, &const_buf,
++ (void *)(uintptr_t)GSS_KRB5_NT_PRINCIPAL_NAME,
++ requested_name);
++ if (ret_maj) {
++ GPERROR("Failed to import krb5_principal name %s\n",
++ svc->krb5.principal);
++ goto done;
++ }
++ }
++
+ if (svc->krb5.cred_store == NULL) {
+ return 0;
+ }
+--
+2.8.1
+
diff --git a/SOURCES/krb5-1.14-inquire_attrs_accept_null.patch b/SOURCES/krb5-1.14-inquire_attrs_accept_null.patch
new file mode 100644
index 0000000..97cd609
--- /dev/null
+++ b/SOURCES/krb5-1.14-inquire_attrs_accept_null.patch
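Review bot: The configured principal is imported only when `*requested_name == GSS_C_NO_NAME`, so in the block added to gp_get_cred_environment a caller that supplies its own name still chooses the identity, and `krb5_principal` acts as a default rather than a restriction. If the option is meant to pin the service to one principal of a multi-key keytab, the caller-supplied case needs its own check; if a default is what is intended, a comment such as `/* krb5_principal is only a default; a caller-supplied name takes precedence */` would make that explicit. Separately, `const_buf.length = strlen(svc->krb5.principal) + 1` counts the terminating NUL in the GSS buffer, which appears to rely on the mechanism tolerating a trailing NUL in the name. The function body and the `done` label lie outside the hunk, so what is returned after `goto done` cannot be checked from here.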
@@ -0,0 +1,82 @@
+From 14e33b725c991d6c500ca93e241ed64e1a755843 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Wed, 16 Dec 2015 17:48:11 -0500
+Subject: [PATCH 2/2] Fix for gss_inquire_attrs_for_mech accepting NULLs
+
+As per rfc5587, gss_inquire_attrs_for_mech must accept NULL mech_attrs
+and known_mech_attrs arguments. Up until 1.14, MIT krb5 was not ever
+passing NULLs in these fields.
+
+This fixes an interposer loop (and subsequent segmentation fault) due
+to our previous assumption that these arguments not be NULL.
+
+See also: https://tools.ietf.org/html/rfc5587#section-3.4.3
+
+Signed-off-by: Robbie Harwood
+Reviewed-by: Simo Sorce
+---
+ proxy/src/client/gpm_indicate_mechs.c | 38 ++++++++++++++++++++---------------
+ 1 file changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/proxy/src/client/gpm_indicate_mechs.c b/proxy/src/client/gpm_indicate_mechs.c
+index 35ce3bb..d4df923 100644
+--- a/proxy/src/client/gpm_indicate_mechs.c
++++ b/proxy/src/client/gpm_indicate_mechs.c
+@@ -444,10 +444,6 @@ OM_uint32 gpm_inquire_attrs_for_mech(OM_uint32 *minor_status,
+ if (!minor_status) {
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
+ }
+- if (!mech_attrs || !known_mech_attrs) {
+- *minor_status = 0;
+- return GSS_S_CALL_INACCESSIBLE_WRITE;
+- }
+
+ ret_min = gpmint_init_global_mechs();
+ if (ret_min) {
+@@ -459,21 +455,31 @@ OM_uint32 gpm_inquire_attrs_for_mech(OM_uint32 *minor_status,
+ if (!gpm_equal_oids(global_mechs.info[i].mech, mech)) {
+ continue;
+ }
+- ret_maj = gpm_copy_gss_OID_set(&ret_min,
+- global_mechs.info[i].mech_attrs,
+- mech_attrs);
+- if (ret_maj) {
++
++ if (mech_attrs != NULL) {
++ ret_maj = gpm_copy_gss_OID_set(&ret_min,
++ global_mechs.info[i].mech_attrs,
++ mech_attrs);
++ if (ret_maj) {
++ *minor_status = ret_min;
++ return ret_maj;
++ }
++ }
++
++ if (known_mech_attrs != NULL) {
++ ret_maj = gpm_copy_gss_OID_set(&ret_min,
++ global_mechs.info[i].known_mech_attrs,
++ known_mech_attrs);
++ if (ret_maj) {
++ gss_release_oid_set(&discard, known_mech_attrs);
++ }
+ *minor_status = ret_min;
+ return ret_maj;
+ }
+- ret_maj = gpm_copy_gss_OID_set(&ret_min,
+- global_mechs.info[i].known_mech_attrs,
+- known_mech_attrs);
+- if (ret_maj) {
+- gss_release_oid_set(&discard, known_mech_attrs);
+- }
+- *minor_status = ret_min;
+- return ret_maj;
++
++ /* all requested attributes copied successfully */
++ *minor_status = 0;
++ return GSS_S_COMPLETE;
+ }
+
+ *minor_status = 0;
+--
+2.6.4
+
diff --git a/SOURCES/krb5-1.14-inquire_context_no_name.patch b/SOURCES/krb5-1.14-inquire_context_no_name.patch
new file mode 100644
index 0000000..865d301
--- /dev/null
+++ b/SOURCES/krb5-1.14-inquire_context_no_name.patch
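Review bot: In the new `known_mech_attrs` branch the failure path calls `gss_release_oid_set(&discard, known_mech_attrs)` on the set whose copy just failed, while a `mech_attrs` set already copied by the branch above stays allocated and is handed back together with an error status. Releasing the earlier output there as well, `if (mech_attrs != NULL) gss_release_oid_set(&discard, mech_attrs);`, would keep a failed call from leaving a caller-owned allocation behind. Whether gpm_copy_gss_OID_set clears its own output on failure is not visible in this hunk, so the existing release may still be wanted alongside it. The declaration of `discard` and the rest of the loop are outside the hunk.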
@@ -0,0 +1,48 @@
+From 14ecfa9fe9e843bdb2eb09c60a5ec592c8de4cdc Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Mon, 14 Dec 2015 17:38:36 -0500
+Subject: [PATCH 1/2] Since krb5 1.14 inquire_context may return no name
+
+In 1.14 a patch to more officially support partially established contexts
+has been intrdouced. With this patch names are not returned.
+
+Cope with that by checking if a name is provided before trying to convert.
+
+Signed-off-by: Simo Sorce
+Reviewed-by: Robbie Harwood
+---
+ proxy/src/gp_export.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/proxy/src/gp_export.c b/proxy/src/gp_export.c
+index 0ef3128..3b9a23b 100644
+--- a/proxy/src/gp_export.c
++++ b/proxy/src/gp_export.c
+@@ -526,14 +526,18 @@ uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type, gss_OID mech,
+ goto done;
+ }
+
+- ret_maj = gp_conv_name_to_gssx(&ret_min, src_name, &out->src_name);
+- if (ret_maj) {
+- goto done;
++ if (src_name != GSS_C_NO_NAME) {
++ ret_maj = gp_conv_name_to_gssx(&ret_min, src_name, &out->src_name);
++ if (ret_maj) {
++ goto done;
++ }
+ }
+
+- ret_maj = gp_conv_name_to_gssx(&ret_min, targ_name, &out->targ_name);
+- if (ret_maj) {
+- goto done;
++ if (targ_name != GSS_C_NO_NAME) {
++ ret_maj = gp_conv_name_to_gssx(&ret_min, targ_name, &out->targ_name);
++ if (ret_maj) {
++ goto done;
++ }
+ }
+
+ out->lifetime = lifetime_rec;
+--
+2.6.4
+
diff --git a/SPECS/gssproxy.spec b/SPECS/gssproxy.spec
index b86a1b0..0d5670c 100644
--- a/SPECS/gssproxy.spec
+++ b/SPECS/gssproxy.spec
@@ -1,6 +1,6 @@
 Name: gssproxy
 Version: 0.4.1
-Release: 8%{?dist}
+Release: 13%{?dist}
 Summary: GSSAPI Proxy
 Group: System Environment/Libraries
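Review bot: When `src_name` or `targ_name` is `GSS_C_NO_NAME` the new guards skip the conversion and leave `out->src_name` / `out->targ_name` exactly as they were on entry, and the hunk does not show `out` being zeroed first. If it is not, the exported context would carry stale or uninitialised name fields to whatever decodes it. A comment at the guards stating the invariant, e.g. `/* no name on partially established contexts; out->src_name stays zeroed */`, or an explicit clear of the two fields would settle it. gp_export_ctx_id_to_gssx starts and ends outside the hunk, so the initialisation of `out` has to be confirmed there.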
@@ -15,11 +15,13 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) ### Patches ### Patch1: gssproxy_ticket_140_0001-bug-140-Remove-fno-strict-aliasing.patch -Patch2: gssproxy_ticket_147_0001-Add-PIE-and-RELRO-compiler-flags-for-hardening.patch Patch3: gssproxy_ticket_145_130-Set-default-rcache.patch Patch4: gssproxy_ticket_143_workaround_Service-HTTP.patch Patch5: 0001-Correct-handling-of-EINTR-on-read-write.patch +Patch6: krb5-1.14-inquire_context_no_name.patch +Patch7: krb5-1.14-inquire_attrs_accept_null.patch Patch8: gssproxy-0.5.1-socket_permission_checking.patch +Patch9: gssproxy_ticket_155-krb5_principal.patch ### Dependencies ### @@ -62,11 +64,13 @@ A proxy for GSSAPI credential handling %setup -q %patch1 -p2 -b .gssproxy_ticket_140_0001-bug-140-remove-fno-strict-aliasing -%patch2 -p2 -b .gssproxy_ticket_147_0001-add-pie-and-relro-compiler-flags-for-hardening %patch3 -p2 -b .gssproxy_ticket_145_130-set-default-rcache %patch4 -p2 -b .gssproxy_ticket_143_workaround_service-http %patch5 -p2 -b .gssproxy_EINTR_loop_fix +%patch6 -p2 -b .inquire_context_no_name +%patch7 -p2 -b .inquire_attrs_accept_null %patch8 -p2 -b .socket_permission_checking +%patch9 -p2 -b .gssproxy_ticket_155-krb5_principal.patch %build autoreconf -f -i @@ -75,7 +79,9 @@ autoreconf -f -i --with-initscript=systemd \ --disable-static \ --disable-rpath \ - --with-gpp-default-behavior=REMOTE_FIRST + --with-gpp-default-behavior=REMOTE_FIRST \ + CFLAGS="$CFLAGS -fPIE -fstack-protector-all" \ + LDFLAGS="$LDFLAGS -fPIE -pie -Wl,-z,now" make %{?_smp_mflags} all make test_proxymech 
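Review bot: The `LDFLAGS` line added to the configure call passes `-Wl,-z,now` without `-z,relro`, whereas the Makefile.am patch this commit drops used `-Wl,-z,relro,-z,now`; full RELRO therefore depends on the inherited `$LDFLAGS` already carrying the relro option. Spelling it out, `LDFLAGS="$LDFLAGS -fPIE -pie -Wl,-z,relro,-z,now"`, removes that dependency on the build environment. Since the changelog records three attempts at this hardening, a post-build check that the daemon binary is PIE with BIND_NOW and a GNU_RELRO segment (for example with `readelf`) would keep it from regressing silently.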
@@ -123,9 +129,29 @@ rm -rf -- "%{buildroot}" %changelog -* Tue Jun 07 2016 Robbie Harwood 0.4.1-8 +* Tue Sep 06 2016 Robbie Harwood 0.4.1-13 +- Third try is the charm +- Resolves: #1092515 + +* Tue Sep 06 2016 Robbie Harwood 0.4.1-12 +- Restore _FORTIFY_SOURCE behavior +- Resolves: #1092515 + +* Tue Sep 06 2016 Robbie Harwood 0.4.1-11 +- Actually harden build with PIE and RELRO +- Resolves: #1092515 + +* Fri Jun 10 2016 Robbie Harwood 0.4.1-10 +- Fix behavior with multiple keys in a keytab +- Resolves: #1285012 + +* Tue Jun 07 2016 Robbie Harwood 0.4.1-9 - Re-open socket in mechglue if client forks/changes privilege -- Resolves: #1351318 +- Resolves: #1340259 + +* Wed Mar 30 2016 Robbie Harwood 0.4.1-8 +- Make GSS-Proxy work with krb5-1.14 +- resolves: #1292487 * Tue Sep 29 2015 Simo Sorce 0.4.1-7 - Fix loop cause by imporper EINTR handling