Posted to dev@hc.apache.org by "Isaac Cruz Ballesteros (JIRA)" <ji...@apache.org> on 2013/10/21 15:04:42 UTC

[jira] [Commented] (HTTPCORE-357) Option to disable DNS lookup on SSLIOSession

    [ https://issues.apache.org/jira/browse/HTTPCORE-357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13800633#comment-13800633 ] 

Isaac Cruz Ballesteros commented on HTTPCORE-357:
-------------------------------------------------

Oleg,
I've read the complete story behind SNI. I don't know if the #createSSLEngine with hostname parameters is of any use for SNI support; by the javadoc I wouldn't think so. But SNI, as far as I know, is only for the client part: you want the client to send the server name during handshake, but my problem is on the server side, and I don't think it's useful for a server to know the hostname of a client... or if it is, it should be outside in the application rather than in the library.

So maybe a simple solution could be something like:

        if (address instanceof InetSocketAddress && defaultMode == SSLMode.CLIENT) { 
            String hostname = ((InetSocketAddress) address).getHostName(); 
            int port = ((InetSocketAddress) address).getPort(); 
            this.sslEngine = sslContext.createSSLEngine(hostname, port); 
        } else { 
            this.sslEngine = sslContext.createSSLEngine(); 
        } 

> Option to disable DNS lookup on SSLIOSession
> --------------------------------------------
>
>                 Key: HTTPCORE-357
>                 URL: https://issues.apache.org/jira/browse/HTTPCORE-357
>             Project: HttpComponents HttpCore
>          Issue Type: Improvement
>          Components: HttpCore NIO
>    Affects Versions: 4.3
>            Reporter: Isaac Cruz Ballesteros
>             Fix For: 4.4
>
>
> The class org.apache.http.nio.reactor.ssl.SSLIOSession is performing a DNS lookup in line 125:
>         if (address instanceof InetSocketAddress) {
>             String hostname = ((InetSocketAddress) address).getHostName();
>             int port = ((InetSocketAddress) address).getPort();
>             this.sslEngine = sslContext.createSSLEngine(hostname, port);
>         } else {
>             this.sslEngine = sslContext.createSSLEngine();
>         }
> This lookup is not necessary to create the SSL engine (the method without parameters works the same), and it causes performance issues if the DNS server configured is not very fast. In my case, using a single thread, when receiving 50 requests at the same time, the SSL handshake takes more than two minutes and the clients are timing out. Checking the java thread stack, the thread is always stuck on this lookup, waiting for the DNS server which sometimes takes around 4 seconds to answer.
> When not using SSL there's no lookup so everything works.
> If this lookup makes sense in some cases (I don't know much about SSL internals), maybe there should be an option to disable the lookup.



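The mode-dependent engine creation proposed in the comment above, written out as a runnable sketch. This is an added example, not code from the original message or from HttpCore: the class `EngineFactoryExample` and the helper `createEngine` are hypothetical, and `getHostString()` (JDK 7+) is swapped in for `getHostName()` as an assumption, because it returns the stored name or IP literal without attempting a reverse lookup.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class EngineFactoryExample {

    // Hypothetical helper: pass a peer host hint only when acting as a client.
    static SSLEngine createEngine(SSLContext ctx, SocketAddress peer, boolean clientMode) {
        SSLEngine engine;
        if (clientMode && peer instanceof InetSocketAddress) {
            InetSocketAddress inet = (InetSocketAddress) peer;
            // Assumption: getHostString() replaces getHostName() so that an address
            // built from an IP literal never triggers a reverse DNS query.
            engine = ctx.createSSLEngine(inet.getHostString(), inet.getPort());
        } else {
            // Server side: the remote address is chosen by the connecting peer,
            // so no name resolution is done for it on the I/O thread.
            engine = ctx.createSSLEngine();
        }
        engine.setUseClientMode(clientMode);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // Constructed sample peers: 192.0.2.10 is a documentation address (RFC 5737),
        // built from raw bytes so that no hostname is attached to it.
        InetSocketAddress accepted = new InetSocketAddress(
                InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 10}), 49152);
        InetSocketAddress target = InetSocketAddress.createUnresolved("example.org", 443);

        SSLEngine server = createEngine(ctx, accepted, false);
        SSLEngine client = createEngine(ctx, target, true);

        // The server engine carries no peer host; the client engine keeps the name
        // it was asked to connect to, which is what a client-side hint needs.
        System.out.println("server peer host: " + server.getPeerHost());
        System.out.println("client peer host: " + client.getPeerHost());
        System.out.println("accepted address as string: " + accepted.getHostString());
    }
}
```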