qianye1001 opened a new issue, #10395:
URL: https://github.com/apache/rocketmq/issues/10395

## Problem

When TLS certificates are dynamically reloaded (e.g., via `SslContext` rebuild on certificate file change), the old `SslContext` / `SSLSessionContext` and associated native resources are not explicitly released.

In the OpenSSL (netty-tcnative / BoringSSL) provider, each `SslContext` allocates off-heap native memory for the certificate chain, private key, and session cache. If the previous `SslContext` is simply dereferenced without calling `release()` / `close()`, the native memory is not freed until GC finalizes the object — which may never happen under low heap pressure, leading to a steady native memory growth proportional to the number of certificate rotations.

## Expected Behavior

When a new certificate is loaded and a new `SslContext` is created, the old `SslContext` should be explicitly released (reference-counted release for `ReferenceCounted` implementations) to free native memory immediately.

## Suggested Fix

After replacing the `SslContext` reference, call `ReferenceCountUtil.release(oldSslContext)` (or `oldSslContext.close()` for JDK provider compatibility) to ensure native resources are reclaimed promptly.

Additionally, ensure any in-flight connections using the old context are drained or that the release is deferred until active channels using the old context are closed.

## Environment

- Affects: Broker / Proxy / NameServer with TLS enabled and certificate hot-reload
- SSL Provider: OpenSSL (netty-tcnative)
- Observed: Native memory (RSS) grows monotonically on each certificate rotation cycle
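
The swap-then-release with deferral that the issue asks for, as an added example; it is not part of the original report and not RocketMQ's code. The class `ReloadableSslContext` and its method names are hypothetical, and the sketch assumes Netty 4.1 on the classpath and a certificate watcher that calls `reload()` with an already built context.

```java
import io.netty.channel.Channel;
import io.netty.channel.ChannelFutureListener;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.ReferenceCountUtil;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical holder, not RocketMQ code: swaps the context on reload and
// releases the old one once no channel created from it is still open.
public final class ReloadableSslContext {
    // One loaded certificate generation and the number of users still holding it.
    private static final class Generation {
        final SslContext ctx;
        // Starts at 1 for the holder's own reference, dropped when replaced.
        final AtomicInteger users = new AtomicInteger(1);
        Generation(SslContext ctx) { this.ctx = ctx; }

        boolean tryAcquire() {
            for (;;) {
                int n = users.get();
                if (n == 0) return false; // already released, caller must re-read
                if (users.compareAndSet(n, n + 1)) return true;
            }
        }

        void drop() {
            // Last user gone: free native memory for ReferenceCounted (OpenSSL)
            // contexts; release() does nothing for contexts that are not ReferenceCounted.
            if (users.decrementAndGet() == 0) ReferenceCountUtil.release(ctx);
        }
    }

    private volatile Generation current;

    public ReloadableSslContext(SslContext initial) { current = new Generation(initial); }

    // Called from the channel initializer for every new connection.
    public SslHandler newHandler(Channel ch) {
        for (;;) {
            Generation g = current;
            if (!g.tryAcquire()) continue; // lost a race with reload(), re-read current
            ch.closeFuture().addListener((ChannelFutureListener) f -> g.drop());
            return g.ctx.newHandler(ch.alloc());
        }
    }

    // Called by the certificate watcher with the freshly built context.
    public synchronized void reload(SslContext fresh) {
        Generation old = current;
        current = new Generation(fresh);
        old.drop(); // released now if idle, otherwise when its last channel closes
    }
}
```

Each generation is released exactly once, so a channel that connected just before a rotation keeps a valid context until it closes, while an idle old context is freed at the moment of the swap.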

