diff --git a/lib/ftp.c b/lib/ftp.c
index f1376d7303821ee8afb9b606d6410ff95d6463e6..60d9517222d0594bc8906c717426af6188b41b82 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -3860,6 +3860,10 @@ static CURLcode ftp_disconnect(struct connectdata *conn)
 
   Curl_pp_disconnect(pp);
 
+#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
+  Curl_sec_end(conn);
+#endif
+
   return CURLE_OK;
 }
 
diff --git a/lib/krb5.c b/lib/krb5.c
index 28c6a2528af6ca754d9f171e2f8e0661f7faa7cc..5658bf428a29444f48b419e2c9cbbf2c0adf3b96 100644
--- a/lib/krb5.c
+++ b/lib/krb5.c
@@ -75,10 +75,19 @@
 #define LOCAL_ADDR (&conn->local_addr)
 #define REMOTE_ADDR conn->ip_addr->ai_addr
 
+static int
+krb5_init(void *app_data)
+{
+  gss_ctx_id_t *context = app_data;
+  /* Make sure our context is initialized for krb5_end. */
+  *context = GSS_C_NO_CONTEXT;
+  return 0;
+}
+
 static int
 krb5_check_prot(void *app_data, int level)
 {
-  app_data = NULL; /* prevent compiler warning */
+  (void)app_data; /* unused */
   if(level == prot_confidential)
     return -1;
   return 0;
@@ -309,12 +318,22 @@ krb5_auth(void *app_data, struct connectdata *conn)
   }
 }
 
+static void krb5_end(void *app_data)
+{
+    OM_uint32 maj, min;
+    gss_ctx_id_t *context = app_data;
+    if (*context != GSS_C_NO_CONTEXT) {
+      maj = gss_delete_sec_context(&min, context, GSS_C_NO_BUFFER);
+      DEBUGASSERT(maj == GSS_S_COMPLETE);
+    }
+}
+
 struct Curl_sec_client_mech Curl_krb5_client_mech = {
     "GSSAPI",
     sizeof(gss_ctx_id_t),
-    NULL, /* init */
+    krb5_init,
     krb5_auth,
-    NULL, /* end */
+    krb5_end,
     krb5_check_prot,
     krb5_overhead,
     krb5_encode,