qianye1001 opened a new issue, #10395: URL: https://github.com/apache/rocketmq/issues/10395
## Problem

When TLS certificates are dynamically reloaded (e.g., via `SslContext` rebuild on certificate file change), the old `SslContext` / `SSLSessionContext` and associated native resources are not explicitly released. In the OpenSSL (netty-tcnative / BoringSSL) provider, each `SslContext` allocates off-heap native memory for the certificate chain, private key, and session cache. If the previous `SslContext` is simply dereferenced without calling `release()` / `close()`, the native memory is not freed until GC finalizes the object — which may never happen under low heap pressure, leading to a steady native memory growth proportional to the number of certificate rotations.

## Expected Behavior

When a new certificate is loaded and a new `SslContext` is created, the old `SslContext` should be explicitly released (reference-counted release for `ReferenceCounted` implementations) to free native memory immediately.

## Suggested Fix

After replacing the `SslContext` reference, call `ReferenceCountUtil.release(oldSslContext)` (or `oldSslContext.close()` for JDK provider compatibility) to ensure native resources are reclaimed promptly. Additionally, ensure any in-flight connections using the old context are drained or that the release is deferred until active channels using the old context are closed.

## Environment

- Affects: Broker / Proxy / NameServer with TLS enabled and certificate hot-reload
- SSL Provider: OpenSSL (netty-tcnative)
- Observed: Native memory (RSS) grows monotonically on each certificate rotation cycle
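One way to implement the swap with a deferred release, as an added example that is not RocketMQ or Netty project code: the class `ReloadableSslContext` and its methods are hypothetical names. Each channel takes its own reference, so the old context's native memory is freed when the last channel created from it closes, not while handshakes or sessions still use it.

```java
import io.netty.channel.Channel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.ReferenceCountUtil;

/** Hypothetical holder (not a RocketMQ class) for a hot-reloadable SslContext. */
public final class ReloadableSslContext {

    // Guarded by "this". The holder owns exactly one reference to the context.
    private SslContext current;

    public ReloadableSslContext(SslContext initial) {
        this.current = initial;
    }

    /** Call from the channel initializer for every new connection. */
    public SslHandler newHandler(Channel ch) {
        final SslContext ctx;
        synchronized (this) {
            ctx = current;
            // Take the per-channel reference under the same lock as reload(),
            // so a concurrent reload cannot drop the count to zero first.
            // retain() is a no-op for contexts that are not ReferenceCounted.
            ReferenceCountUtil.retain(ctx);
        }
        try {
            SslHandler handler = ctx.newHandler(ch.alloc());
            // Give the reference back only when this channel is closed.
            ch.closeFuture().addListener(f -> ReferenceCountUtil.release(ctx));
            return handler;
        } catch (RuntimeException e) {
            ReferenceCountUtil.release(ctx); // handler creation failed
            throw e;
        }
    }

    /** Call after the certificate watcher has built a new context. */
    public synchronized void reload(SslContext next) {
        SslContext old = current;
        current = next;
        // Drop the holder's reference. Native memory is reclaimed once
        // every channel created from "old" has closed as well.
        ReferenceCountUtil.release(old);
    }
}
```

To confirm the fix, compare process RSS (or JVM Native Memory Tracking output) across several forced certificate rotations before and after the change.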
