[ https://issues.apache.org/jira/browse/HTTPCORE-357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13800633#comment-13800633 ]
Isaac Cruz Ballesteros commented on HTTPCORE-357:
-------------------------------------------------

Oleg, I've read the complete story behind SNI. I don't know if the #createSSLEngine with hostname parameters is of any use for SNI support; by the javadoc I wouldn't think so. But this SNI as far as I know is only for the client part: you want the client to send the server name during handshake, but my problem is on the server side, and I don't think it's useful for a server to know the hostname of a client... or if it is, it should be outside in the application rather than in the library. So maybe a simple solution could be something like:

    if (address instanceof InetSocketAddress && defaultMode == SSLMode.CLIENT) {
        String hostname = ((InetSocketAddress) address).getHostName();
        int port = ((InetSocketAddress) address).getPort();
        this.sslEngine = sslContext.createSSLEngine(hostname, port);
    } else {
        this.sslEngine = sslContext.createSSLEngine();
    }

> Option to disable DNS lookup on SSLIOSession
> --------------------------------------------
>
>                 Key: HTTPCORE-357
>                 URL: https://issues.apache.org/jira/browse/HTTPCORE-357
>             Project: HttpComponents HttpCore
>          Issue Type: Improvement
>          Components: HttpCore NIO
>    Affects Versions: 4.3
>            Reporter: Isaac Cruz Ballesteros
>             Fix For: 4.4
>
>
> The class org.apache.http.nio.reactor.ssl.SSLIOSession is performing a DNS
> lookup in line 125:
>
>     if (address instanceof InetSocketAddress) {
>         String hostname = ((InetSocketAddress) address).getHostName();
>         int port = ((InetSocketAddress) address).getPort();
>         this.sslEngine = sslContext.createSSLEngine(hostname, port);
>     } else {
>         this.sslEngine = sslContext.createSSLEngine();
>     }
>
> This lookup is not necessary to create the SSL engine (the method without
> parameters works the same), and it causes performance issues if the DNS
> server configured is not very fast. In my case, using a single thread, when
> receiving 50 requests at the same time, the SSL handshake takes more than two
> minutes and the clients are timing out. Checking the Java thread stack, the
> thread is always stuck on this lookup, waiting for the DNS server which
> sometimes takes around 4 seconds to answer.
> When not using SSL there's no lookup so everything works.
> If this lookup makes sense in some cases (I don't know much about SSL
> internals), maybe there should be an option to disable the lookup.

--
This message was sent by Atlassian JIRA
(v6.1#6144)