[
https://issues.apache.org/jira/browse/HTTPCORE-357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13800633#comment-13800633
]
Isaac Cruz Ballesteros commented on HTTPCORE-357:
-------------------------------------------------
Oleg,
I've read the complete story behind SNI. I don't know if #createSSLEngine
with the hostname parameters is of any use for SNI support; judging by the
javadoc, I wouldn't think so. But SNI, as far as I know, is only for the client
part: you want the client to send the server name during the handshake. My
problem is on the server side, and I don't think it's useful for a server to
know the hostname of a client... or if it is, it should be handled outside in
the application rather than in the library.
So maybe a simple solution could be something like:
    if (address instanceof InetSocketAddress && defaultMode == SSLMode.CLIENT) {
        // only the client side passes the peer host/port to the engine;
        // the server side never triggers the getHostName() lookup
        String hostname = ((InetSocketAddress) address).getHostName();
        int port = ((InetSocketAddress) address).getPort();
        this.sslEngine = sslContext.createSSLEngine(hostname, port);
    } else {
        this.sslEngine = sslContext.createSSLEngine();
    }
> Option to disable DNS lookup on SSLIOSession
> --------------------------------------------
>
> Key: HTTPCORE-357
> URL: https://issues.apache.org/jira/browse/HTTPCORE-357
> Project: HttpComponents HttpCore
> Issue Type: Improvement
> Components: HttpCore NIO
> Affects Versions: 4.3
> Reporter: Isaac Cruz Ballesteros
> Fix For: 4.4
>
>
> The class org.apache.http.nio.reactor.ssl.SSLIOSession is performing a DNS
> lookup in line 125:
>     if (address instanceof InetSocketAddress) {
>         String hostname = ((InetSocketAddress) address).getHostName();
>         int port = ((InetSocketAddress) address).getPort();
>         this.sslEngine = sslContext.createSSLEngine(hostname, port);
>     } else {
>         this.sslEngine = sslContext.createSSLEngine();
>     }
> This lookup is not necessary to create the SSL engine (the method without
> parameters works the same), and it causes performance issues if the
> configured DNS server is not very fast. In my case, using a single thread,
> when receiving 50 requests at the same time, the SSL handshake takes more than
> two minutes and the clients are timing out. Checking the Java thread stack,
> the thread is always stuck on this lookup, waiting for the DNS server, which
> sometimes takes around 4 seconds to answer.
> When not using SSL there's no lookup, so everything works.
> If this lookup makes sense in some cases (I don't know much about SSL
> internals), maybe there should be an option to disable the lookup.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
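The two points raised in this thread, that InetSocketAddress.getHostName() can block on a reverse DNS query and that the peer host name only matters on the client side (SNI and hostname verification), can be shown with a small standalone JSSE program. The following is an added example and is not HttpCore code or the fix that went into 4.4; it assumes Java 8 (for SNIHostName and SSLParameters.setServerNames), uses the hypothetical names SslEngineFactoryExample, peerNameWithoutLookup, createEngine and isIpLiteral, and the host "example.com" and address 10.0.0.1 are constructed sample input.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class SslEngineFactoryExample {

    /**
     * Returns the peer's name without ever doing a reverse DNS query.
     * getHostString() gives back the literal name the address was created from,
     * or the IP literal if it was created from an InetAddress; getHostName()
     * would instead resolve the IP back to a name, which is the blocking call
     * described in HTTPCORE-357.
     */
    static String peerNameWithoutLookup(SocketAddress address) {
        if (!(address instanceof InetSocketAddress)) {
            return null;
        }
        return ((InetSocketAddress) address).getHostString();
    }

    /** Simple heuristic (assumption): IPv4 dotted quad or anything containing ':' (IPv6). */
    static boolean isIpLiteral(String host) {
        return host.matches("[0-9.]+") || host.contains(":");
    }

    /**
     * Client mode: hand the peer host/port to the engine so JSSE can send SNI and
     * verify the certificate against the name we dialed.
     * Server mode: the remote address is the client's IP, which is useless for
     * TLS, so the engine is created without it and no lookup can happen.
     */
    static SSLEngine createEngine(SSLContext ctx, SocketAddress address, boolean clientMode) {
        String host = peerNameWithoutLookup(address);
        if (clientMode && host != null) {
            int port = ((InetSocketAddress) address).getPort();
            SSLEngine engine = ctx.createSSLEngine(host, port);
            engine.setUseClientMode(true);
            SSLParameters params = engine.getSSLParameters();
            if (!isIpLiteral(host)) {
                // SNI carries a DNS name; an IP literal must not be sent as server_name
                params.setServerNames(Collections.singletonList(new SNIHostName(host)));
            }
            // Ask JSSE to check the server certificate against the dialed host name
            params.setEndpointIdentificationAlgorithm("HTTPS");
            engine.setSSLParameters(params);
            return engine;
        }
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // Client side: an unresolved address keeps the name the caller typed,
        // so neither a forward nor a reverse DNS query is made here.
        SocketAddress target = InetSocketAddress.createUnresolved("example.com", 443);
        SSLEngine client = createEngine(ctx, target, true);
        System.out.println("client peer host = " + client.getPeerHost()
                + ", SNI = " + client.getSSLParameters().getServerNames());

        // Server side: an accepted socket's remote address is built from raw bytes;
        // getHostName() on it would be a reverse lookup, getHostString() is not.
        SocketAddress accepted = new InetSocketAddress(
                InetAddress.getByAddress(new byte[] {10, 0, 0, 1}), 51234);
        SSLEngine server = createEngine(ctx, accepted, false);
        System.out.println("server peer host = " + server.getPeerHost());
    }
}
```

Run it with javac/java on a machine without DNS to confirm that nothing blocks: the only calls that can touch the resolver are getHostName() and InetAddress.getByName(), and neither is used. The server-side engine has no peer host at all, which is exactly the state the unparameterised createSSLEngine() call in the ticket produces.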