diff --git a/src/main/java/org/jboss/netty/handler/ssl/SslHandler.java b/src/main/java/org/jboss/netty/handler/ssl/SslHandler.java
index c4e1755b6e..3a31375848 100644
--- a/src/main/java/org/jboss/netty/handler/ssl/SslHandler.java
+++ b/src/main/java/org/jboss/netty/handler/ssl/SslHandler.java
@@ -206,6 +206,8 @@ public class SslHandler extends FrameDecoder
private final SSLEngineInboundCloseFuture sslEngineCloseFuture = new SSLEngineInboundCloseFuture();
+ private boolean closeOnSSLException;
+
/**
* Creates a new instance.
*
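Review bot: `closeOnSSLException` is declared as a plain mutable field, yet it is written by a configuration setter and read on the I/O failure paths further down in this diff, which may run on a different thread. The setter's `ctx != null` guard only gives ordering if `ctx` itself is safely published, and that is not visible in this hunk. Declaring it `private volatile boolean closeOnSSLException;` would make the visibility explicit at negligible cost. A short comment such as `// close the channel after an SSLException; must be set before the handler joins a pipeline` would document the contract at the declaration.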
@@ -372,9 +374,15 @@ public class SslHandler extends FrameDecoder
handshakeFuture.setFailure(e);
fireExceptionCaught(ctx, e);
+ if (closeOnSSLException) {
+ Channels.close(ctx, future(channel));
+ }
}
} else { // Failed to initiate handshake.
fireExceptionCaught(ctx, exception);
+ if (closeOnSSLException) {
+ Channels.close(ctx, future(channel));
+ }
}
return handshakeFuture;
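Review bot: The guard `if (closeOnSSLException) { Channels.close(ctx, future(channel)); }` is pasted into both failure branches here, again in the `catch (SSLException e)` block of the next hunk, and in the handshake-failure hunk near the end of the diff. This is the fail-closed behaviour for a broken TLS session, so a later SSLException path that misses the copy would silently leave the channel open. A small private helper (say `closeOnSslFailure(ctx, channel)`) holding the check and the close would keep every path consistent and give the policy one place to be reviewed. Both branches belong to a method whose start lies outside this hunk.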
@@ -400,6 +408,9 @@ public class SslHandler extends FrameDecoder
return wrapNonAppData(ctx, channel);
} catch (SSLException e) {
fireExceptionCaught(ctx, e);
+ if (closeOnSSLException) {
+ Channels.close(ctx, future(channel));
+ }
return failedFuture(channel, e);
}
}
@@ -455,6 +466,25 @@ public class SslHandler extends FrameDecoder
}
+ /**
+ * If set to true
, the {@link Channel} will automatically get closed
+ * one a {@link SSLException} was caught. This is most times what you want, as after this
+ * its almost impossible to recover.
+ *
+ * Anyway the default is false
to not break compatibility with older releases. This
+ * will be changed to true
in the next major release.
+ *
+ */
+ public void setCloseOnSSLException(boolean closeOnSslException) {
+ if (ctx != null) {
+ throw new IllegalStateException("Can only get changed before attached to ChannelPipeline");
+ }
+ this.closeOnSSLException = closeOnSslException;
+ }
+
+ public boolean getCloseOnSSLException() {
+ return closeOnSSLException;
+ }
public void handleDownstream(
final ChannelHandlerContext context, final ChannelEvent evt) throws Exception {
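Review bot: The Javadoc on `setCloseOnSSLException` does not say what happens to the connection when the flag stays at its default, and `getCloseOnSSLException` has no Javadoc at all. With `false`, the failure paths in this diff only report the error (via `fireExceptionCaught`, a thrown exception or the failed handshake future), so the channel stays open after a TLS failure unless an application handler closes it. I would add a sentence such as `With the default, the Channel remains open after an SSLException and the application must close it itself.` The setter should also carry `@throws IllegalStateException if the handler is already attached to a ChannelPipeline`, and the getter a one-line `Returns true if the Channel is closed automatically once an SSLException is caught.`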
@@ -696,7 +726,17 @@ public class SslHandler extends FrameDecoder
NotSslRecordException e = new NotSslRecordException(
"not an SSL/TLS record: " + ChannelBuffers.hexDump(buffer));
buffer.skipBytes(buffer.readableBytes());
- throw e;
+ if (closeOnSSLException) {
+ // first trigger the exception and then close the channel
+ fireExceptionCaught(ctx, e);
+ Channels.close(ctx, future(channel));
+
+ // just return null as we closed the channel before, that
+ // will take care of cleanup etc
+ return null;
+ } else {
+ throw e;
+ }
}
}
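Review bot: The exception that the new branch hands to `fireExceptionCaught` is built on the context line above with `ChannelBuffers.hexDump(buffer)`, so its message holds an unbounded amount of peer-supplied bytes. Any handler that logs the exception will write that content verbatim, which can inflate logs and record plaintext that a misdirected client sent to the TLS port. Bounding the dump, e.g. `ChannelBuffers.hexDump(buffer, buffer.readerIndex(), Math.min(buffer.readableBytes(), 32))`, keeps the diagnostic value; the limit of 32 is only an illustrative value. The enclosing method starts and ends outside this hunk.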
@@ -1208,6 +1248,9 @@ public class SslHandler extends FrameDecoder
}
handshakeFuture.setFailure(cause);
+ if (closeOnSSLException) {
+ Channels.close(ctx, future(channel));
+ }
}
private void closeOutboundAndChannel(