HADOOP-15813. Enable more reliable SSL connection reuse. Contributed by Daryn Sharp.

Signed-off-by: Wei-Chiu Chuang <weichiu@apache.org> (cherry picked from commit a87e458432609b7a35a2abd6410b02e8a2ffc974) (cherry picked from commit ae8839e6e8cc3e8f8d5e50525d3302038ada484b) (cherry picked from commit 704330a616c17256b3e39370f999928ba1c463e6)
2019-02-20 18:13:53 -08:00 · 2019-02-20 18:13:53 -08:00 · 4eccf2a3cc
commit 4eccf2a3cc
parent bebbdd290e
1 changed files with 8 additions and 1 deletions
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
@ -108,6 +108,10 @@ public enum Mode { CLIENT, SERVER }
  private Mode mode;
  private boolean requireClientCert;
  private SSLContext context;
+  // the java keep-alive cache relies on instance equivalence of the SSL socket
+  // factory.  in many java versions, SSLContext#getSocketFactory always
+  // returns a new instance which completely breaks the cache...
+  private SSLSocketFactory socketFactory;
  private HostnameVerifier hostnameVerifier;
  private KeyStoresFactory keystoresFactory;

@ -178,6 +182,9 @@ public void init() throws GeneralSecurityException, IOException {
    context.init(keystoresFactory.getKeyManagers(),
                 keystoresFactory.getTrustManagers(), null);
    context.getDefaultSSLParameters().setProtocols(enabledProtocols);
+    if (mode == Mode.CLIENT) {
+      socketFactory = context.getSocketFactory();
+    }
    hostnameVerifier = getHostnameVerifier(conf);
  }

@ -298,7 +305,7 @@ public SSLSocketFactory createSSLSocketFactory()
      throw new IllegalStateException(
          "Factory is not in CLIENT mode. Actual mode is " + mode.toString());
    }
-    return context.getSocketFactory();
+    return socketFactory;
  }

  /**