From f7c9d5424d9b38da6f68a653581cc44e0e9d9eef Mon Sep 17 00:00:00 2001
From: Simone Bordet
Date: Tue, 18 Jun 2013 10:58:09 +0200
Subject: [PATCH] 410995 - Avoid reverse DNS lookups when creating SSLEngines. Now using the host address, unless needClientAuth is true.
---
 .../jetty/util/ssl/SslContextFactory.java | 43 ++++++++++++++++++-
 1 file changed, 41 insertions(+), 2 deletions(-)
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
index f0ff187bb0e..9869566234a 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@@ -1303,6 +1303,15 @@ public class SslContextFactory extends AbstractLifeCycle
 return socket;
 }
+ /**
+ * Factory method for "scratch" {@link SSLEngine}s, usually only used for retrieving configuration
+ * information such as the application buffer size or the list of protocols/ciphers.
+ *

+ * This method should not be used for creating {@link SSLEngine}s that are used in actual socket
+ * communication.
+ *
+ * @return a new, "scratch" {@link SSLEngine}
+ */
 public SSLEngine newSSLEngine()
 {
 if (!isRunning())
@@ -1312,6 +1321,14 @@ public class SslContextFactory extends AbstractLifeCycle
 return sslEngine;
 }
+ /**
+ * General purpose factory method for creating {@link SSLEngine}s, although creation of
+ * {@link SSLEngine}s on the server-side should prefer {@link #newSSLEngine(InetSocketAddress)}.
+ *
+ * @param host the remote host
+ * @param port the remote port
+ * @return a new {@link SSLEngine}
+ */
 public SSLEngine newSSLEngine(String host, int port)
 {
 if (!isRunning())
@@ -1323,10 +1340,32 @@ public class SslContextFactory extends AbstractLifeCycle
 return sslEngine;
 }
+ /**
+ * Server-side only factory method for creating {@link SSLEngine}s.
+ *

+ * If the given {@code address} is null, it is equivalent to {@link #newSSLEngine()}, otherwise
+ * {@link #newSSLEngine(String, int)} is called.
+ *

+ * If {@link #getNeedClientAuth()} is {@code true}, then the host name is passed to
+ * {@link #newSSLEngine(String, int)}, possibly incurring in a reverse DNS lookup, which takes time
+ * and may hang the selector (since this method is usually called by the selector thread).
+ *

+ * Otherwise, the host address is passed to {@link #newSSLEngine(String, int)} without DNS lookup
+ * penalties.
+ *

+ * Clients that wish to create {@link SSLEngine} instances must use {@link #newSSLEngine(String, int)}.
+ *
+ * @param address the remote peer address
+ * @return a new {@link SSLEngine}
+ */
 public SSLEngine newSSLEngine(InetSocketAddress address)
 {
- // Must use the hostName, not the hostAddress, to allow correct host name verification
- return address != null ? newSSLEngine(address.getAddress().getHostName(), address.getPort()) : newSSLEngine();
+ if (address == null)
+ return newSSLEngine();
+
+ boolean useHostName = getNeedClientAuth();
+ String hostName = useHostName ? address.getHostName() : address.getAddress().getHostAddress();
+ return newSSLEngine(hostName, address.getPort());
 }
 public void customize(SSLEngine sslEngine)
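Review bot: The `boolean useHostName = getNeedClientAuth();` test at the end of the hunk only covers the mandatory-client-certificate case; if the factory also exposes a want-client-auth flag (not visible in this patch), a configuration with want=true and need=false still validates client certificates on the handshake yet gets the bare address here, so the condition likely wants to be `boolean useHostName = getNeedClientAuth() || getWantClientAuth();` once that accessor is confirmed. Separately, the name obtained via `address.getHostName()` comes from the client's PTR record, which the peer's address owner controls, so it must never feed a trust decision beyond the JDK's own peer-host hint; a comment such as `// reverse-DNS name is attacker-influenced: only a peer-host hint for the engine, never an authenticated identity` would make that explicit for future readers. Finally, `address.getAddress()` returns null for an unresolved `InetSocketAddress`, and the new non-client-auth branch dereferences it; `address.getHostString()` returns the literal without any lookup and without that null risk, if the file's Java target level (7+) permits it, otherwise an explicit `address.isUnresolved()` guard would do.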