410995 - Avoid reverse DNS lookups when creating SSLEngines.

Now using the host address, unless needClientAuth is true.
Simone Bordet 2013-06-18 10:58:09 +02:00
parent 9240039366
commit f7c9d5424d
1 changed files with 41 additions and 2 deletions


@ -1303,6 +1303,15 @@ public class SslContextFactory extends AbstractLifeCycle
return socket; return socket;
} }
/**
* Factory method for "scratch" {@link SSLEngine}s, usually only used for retrieving configuration
* information such as the application buffer size or the list of protocols/ciphers.
* <p />
* This method should not be used for creating {@link SSLEngine}s that are used in actual socket
* communication.
*
* @return a new, "scratch" {@link SSLEngine}
*/
public SSLEngine newSSLEngine() public SSLEngine newSSLEngine()
{ {
if (!isRunning()) if (!isRunning())
@ -1312,6 +1321,14 @@ public class SslContextFactory extends AbstractLifeCycle
return sslEngine; return sslEngine;
} }
/**
* General purpose factory method for creating {@link SSLEngine}s, although creation of
* {@link SSLEngine}s on the server-side should prefer {@link #newSSLEngine(InetSocketAddress)}.
*
* @param host the remote host
* @param port the remote port
* @return a new {@link SSLEngine}
*/
public SSLEngine newSSLEngine(String host, int port) public SSLEngine newSSLEngine(String host, int port)
{ {
if (!isRunning()) if (!isRunning())
@ -1323,10 +1340,32 @@ public class SslContextFactory extends AbstractLifeCycle
return sslEngine; return sslEngine;
} }
/**
* Server-side only factory method for creating {@link SSLEngine}s.
* <p />
* If the given {@code address} is null, it is equivalent to {@link #newSSLEngine()}, otherwise
* {@link #newSSLEngine(String, int)} is called.
* <p />
* If {@link #getNeedClientAuth()} is {@code true}, then the host name is passed to
* {@link #newSSLEngine(String, int)}, possibly incurring in a reverse DNS lookup, which takes time
* and may hang the selector (since this method is usually called by the selector thread).
* <p />
* Otherwise, the host address is passed to {@link #newSSLEngine(String, int)} without DNS lookup
* penalties.
* <p />
* Clients that wish to create {@link SSLEngine} instances must use {@link #newSSLEngine(String, int)}.
*
* @param address the remote peer address
* @return a new {@link SSLEngine}
*/
public SSLEngine newSSLEngine(InetSocketAddress address) public SSLEngine newSSLEngine(InetSocketAddress address)
{ {
// Must use the hostName, not the hostAddress, to allow correct host name verification if (address == null)
return address != null ? newSSLEngine(address.getAddress().getHostName(), address.getPort()) : newSSLEngine(); return newSSLEngine();
boolean useHostName = getNeedClientAuth();
String hostName = useHostName ? address.getHostName() : address.getAddress().getHostAddress();
return newSSLEngine(hostName, address.getPort());
} }
public void customize(SSLEngine sslEngine) public void customize(SSLEngine sslEngine)
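Review bot: The new line `boolean useHostName = getNeedClientAuth();` keys the host-name-versus-address choice on needClientAuth alone, so connections where a client certificate is only requested (wantClientAuth) take the host-address path and the host name verification the removed comment relied on would no longer apply to them; if that verification is the reason the lookup is kept, the condition should probably read `boolean useHostName = getNeedClientAuth() || getWantClientAuth();`. The name returned by `address.getHostName()` comes from a reverse DNS (PTR) answer that the peer's network can influence, so it is not an authenticated identity and should not feed authorization decisions; the new Javadoc would benefit from saying so. `address.getAddress()` is null for an unresolved InetSocketAddress, in which case the `getHostAddress()` call on the next line throws a NullPointerException, as the removed line also did (presumably server-side accepted addresses are always resolved, but the Javadoc should state that precondition).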