6296 Commits

Author SHA1 Message Date
Graham Edgecombe
e7ad9fed77 Use Triple DES in JdkSslContext cipher suite list.

JdkSslContext used SSL_RSA_WITH_DES_CBC_SHA in its cipher suite list.
OpenSslServerContext used DES-CBC3-SHA in the same place in its cipher suite
list, which is equivalent to SSL_RSA_WITH_3DES_EDE_CBC_SHA.

This means the lists were out of sync. Furthermore, using
SSL_RSA_WITH_DES_CBC_SHA is not desirable as it uses DES, a weak cipher. Triple
DES should be used instead.




The JdkSslContext and OpenSslServerContext cipher suite lists are now in sync.
Triple DES is used instead of DES, which is stronger.
2014-11-27 08:15:47 +01:00
Trustin Lee
3fe5ba1dd4 Remove or de-prioritize RC4 from default cipher suites

RC4 is not a recommended cipher suite anymore, as the recent research
reveals, such as:

- http://www.isg.rhul.ac.uk/tls/


- Remove most RC4 cipher suites from the default cipher suites
- For backward compatibility, leave RC4-SHA, while de-prioritizing it


Potentially safer default
2014-11-25 17:17:28 +09:00
Trustin Lee
37e1788a7c Fix awful naming 2014-11-22 07:46:40 +09:00
Trustin Lee
759a2b9abe Add back IntObjectMap.values(Class<V>)

Although the new IntObjectMap.values() that returns Collection is
useful, the removed values(Class<V>) that returns an array is also
useful. It's also good for backward compatibility.


- Add IntObjectMap.values(Class<V>) back
- Miscellaneous improvements
  - Cache the collection returned by IntObjectHashMap.values()
  - Inspector warnings
- Update the IntObjectHashMapTest to test both values()


- Backward compatibility
- Potential performance improvement of values()
2014-11-22 07:42:33 +09:00
Trustin Lee
b9f575352b Do not write LastHttpContent twice in HttpStaticFileServer example
Related: #3122


The HttpStaticFileServer example writes the LastHttpContent twice at the
end of the transfer.  HttpChunkedInput already produces a
LastHttpContent at the end of the stream, so there's no reason to write


Do not write LastHttpContent in HttpStaticFileServerHandler when
HttpChunkedInput is used to transfer a file.


HttpStaticFileServer does not violate the protocol anymore.
2014-11-21 11:46:10 +09:00
Trustin Lee
f8a13cc3e9 Backport the IntObjectHashMap changes in f23f3b9617b01095416334060ca8379316946e5c

The mentioned commit contains a bug fix and an improvement in
IntObjectHashMap that requires backporting.


Update IntObjectMap, IntObjectHashMap, and IntObjectHashMapTest


Easier to backport HTTP/2 and other changes in master in the future
2014-11-21 11:09:51 +09:00
Daniel Bevenius
83ad1fd086 Add logLevel property to enable different log levels for the examples.

When running the examples using the provided run-examples.sh script the
log level is 'info' level. It can be handy to be able to configure a
different level, for example 'debug', while learning and trying out the
examples.


Added a dependency to logback-classic to the examples pom.xml, and also
added a logback configuration file. The log level can be configured by
setting the 'logLevel' system property, and if that property is not set
the default will be 'info' level.
The run-examples.sh was updated to show an example of using the system
property to set the log level to 'debug'


It is now possible to turn on debug logging by setting a system property
on the command line.
2014-11-21 10:48:13 +09:00
Idel Pivnitskiy
3d200085a4 Small performance improvements

Found performance issues via FindBugs and PMD.


- Removed unnecessary boxing/unboxing operations in DefaultTextHeaders.convertToInt(CharSequence) and DefaultTextHeaders.convertToLong(CharSequence). A boxed primitive is created from a string, just to extract the unboxed primitive value.
- Added a static modifier for DefaultHttp2Connection.ParentChangedEvent class. This class is an inner class, but does not use its embedded reference to the object which created it. This reference makes the instances of the class larger, and may keep the reference to the creator object alive longer than necessary.
- Added a static compiled Pattern to avoid compiling it each time it is used when we need to replace some part of authority.
- Improved using of StringBuilders.


Performance improvements.
2014-11-20 00:58:35 -05:00
Trustin Lee
3843ca55a2 Add more test cases to ZlibTest

Currently, we only test our ZlibEncoders against our ZlibDecoders. It is
convenient to write such tests, but it does not necessarily guarantee
their correctness. For example, both encoder and decoder might be faulty
even if the tests pass.


Add another test that makes sure that our GZIP encoder generates the
GZIP trailer, using the fact that GZIPInputStream raises an EOFException
when GZIP trailer is missing.


More coverage for GZIP compression
2014-11-19 18:35:26 +09:00
Jeff Pinner
63e4de5298 SPDY: add support for pushed resources in SpdyHttpDecoder

The SPDY/3.1 spec does not adequately describe how to push resources
from the server. This was solidified in the HTTP/2 drafts by dividing
the push into two frames, a PushPromise containing the request,
followed by a Headers frame containing the response.


This commit modifies the SpdyHttpDecoder to support pushed resources
that are divided into multiple frames. The decoder will accept a
pushed SpdySynStreamFrame containing the request headers, followed by
a SpdyHeadersFrame containing the response headers.


The SpdyHttpDecoder will create an HttpRequest object followed by an
HttpResponse object when receiving pushed resources.
2014-11-17 10:50:17 +01:00
Roelof Naude
eca194daf4 Cater for empty response bodies when performing response compression.
RFC 2616, 4.3 Message Body states that:
All 1xx (informational), 204 (no content), and 304 (not modified) responses MUST NOT include a
message-body. All other responses do include a message-body, although it MAY be of zero length.

HttpContentEncoder was previously modified to cater for HTTP 100 responses. This check is enhanced to
include HTTP 204 and 304 responses.

Empty response bodies will not be modified to include the compression footer. This footer messed with Chrome's
response parsing leading to "hanging" requests.
2014-11-13 08:16:43 +01:00
Idel Pivnitskiy
9b3f536921 Benchmark for HttpRequestDecoder 2014-11-12 14:37:11 +01:00
Idel Pivnitskiy
cc97be6002 Rewrite HttpObjectDecoder to make use of proper state machine

HttpObjectDecoder extended ReplayDecoder which is slightly slower than ByteToMessageDecoder.


- Changed super class of HttpObjectDecoder from ReplayDecoder to ByteToMessageDecoder.
- Rewrote decode() method of HttpObjectDecoder to use proper state machine.
- Changed private methods HeaderParser.parse(ByteBuf), readHeaders(ByteBuf) and readTrailingHeaders(ByteBuf), skipControlCharacters(ByteBuf) to consider available bytes.
- Set HeaderParser and LineParser as static inner classes.
- Replaced not safe actualReadableBytes() with buffer.readableBytes().


Improved performance of HttpObjectDecoder by approximately 177%.
2014-11-12 14:36:56 +01:00
Trustin Lee
59f222a821 Handle the interface name in IPv6 address correctly

NetUtil.isValidIpV6Address() handles the interface name in IPv6 address
incorrectly. For example, it returns false for the following addresses:

- ::1%lo
- ::1%_%_in_name_


- Strip the square brackets before validation for simplicity
- Strip the part after the percent sign completely before validation for
- Simplify and reformat NetUtilTest


- The interface names in IPv6 addresses are handled correctly.
- NetUtilTest is cleaner
2014-11-12 12:15:14 +09:00
Sam Young
bb94f05083 Add generic versions of PromiseAggregator and PromiseNotifier.

ChannelPromiseAggregator and ChannelPromiseNotifiers only allow
consumers to work with Channels as the result type. Generic versions
of these classes allow consumers to aggregate or broadcast the results
of an asynchronous execution with other result types.


Add PromiseAggregator and PromiseNotifier. Add unit tests for both.
Remove code in ChannelPromiseAggregator and ChannelPromiseNotifier and
modify them to extend the new base classes.


Consumers can now aggregate or broadcast the results of an asynchronous
execution with results types other than Channel.
2014-11-07 08:44:20 +01:00
Scott Mitchell
7da5ca3629 HTTP Content Encoder allow EmptyLastHttpContent
The HttpContentEncoder does not account for an EmptyLastHttpContent being provided as input.  This is useful in situations where the client is unable to determine if the current content chunk is the last content chunk (i.e. a proxy forwarding content when transfer encoding is chunked).

- HttpContentEncoder should not attempt to compress empty HttpContent objects

HttpContentEncoder supports an EmptyLastHttpContent to terminate the response.
2014-11-05 23:23:21 -05:00
Trustin Lee
49998bc9c0 Fix build errors introduced during backporting SslContext 2014-10-31 14:25:14 +09:00
Trustin Lee
3ddac6adff Add ApplicationProtocolConfig.DISABLED

When ALPN/NPN is disabled, a user has to instantiate a new
ApplicationProtocolConfig with meaningless parameters.


- Add ApplicationProtocolConfig.DISABLED, the singleton instance
- Reject the constructor calls with Protocol.NONE, which doesn't make
  much sense because a user should use DISABLED instead.


More user-friendly API when ALPN/NPN is not needed by a user.
2014-10-31 14:15:43 +09:00
Trustin Lee
a6a42d2f19 Add back the removed deprecated methods in SslContext

Previous backport removed the old methods and constructors. They should
not be removed in 4.x but just deprecated in favor of the new methods
and constructors.


Add back the removed methods and constructors in SslContext and its
subtypes for backward compatibility.


Backward compatibility issues fixed.
2014-10-31 14:15:33 +09:00
Trustin Lee
8f3904f6dc Code clean-up
- Fix the inspector warnings
- Fix the infinite recursion in SslContext.newClientContext()
- Fix Javadoc errors
2014-10-31 14:15:25 +09:00
Scott Mitchell
56b8bb30b2 Backport ALPN and Mutual Auth SSL

Improvements were made on the main line to support ALPN and mutual
authentication for TLS. These should be backported.


- Backport commits from the master branch
  - f8af84d5993456426a63ad0146479147b1a4a5e5
  - e74c8edba3fcbfd2e895ed6aac440efeb3aa637f


Support for ALPN and mutual authentication.
2014-10-31 14:15:12 +09:00
Scott Mitchell
e73f32b52d SslHandler wrap conditional direct buffer allocation
The SslHandler currently forces the use of a direct buffer for the input to the SSLEngine.wrap(..) operation. This allocation may not always be desired and should be conditionally done.

- Use the pre-existing wantsDirectBuffer variable as the condition to do the conversion.

- An allocation of a direct byte buffer and a copy of data is now not required for every SslHandler wrap operation.
2014-10-30 09:26:15 +01:00
Norman Maurer
1914b77c71 [maven-release-plugin] prepare for next development iteration 2014-10-29 11:48:40 +01:00
Norman Maurer
c170e7df3f [maven-release-plugin] prepare release netty-4.0.24.Final netty-4.0.24.Final 2014-10-29 11:47:19 +01:00
Scott Mitchell
8db8aca1e7 SslHandler wrap memory leak
The SslHandler wrap method requires that a direct buffer be passed to the SSLEngine.wrap() call. If the ByteBuf parameter does not have an underlying direct buffer then one is allocated in this method, but it is not released.

- Release the direct ByteBuffer only accessible in the scope of SslHandler.wrap

Memory leak in SslHandler.wrap is fixed.
2014-10-28 06:13:06 +01:00
Matthias Einwag
a9bd9699a4 Fix the websocket server example
As reported in #2953 the websocket server example contained a bug and did therefore not work with Chrome:
A websocket extension is added to the pipeline but extensions were disallowed in the handshaker and decoder,
which is leading the decoder to close the connection after receiving an extension frame.

Allow websocket extensions in the handshaker to correctly enable the extension.

Working websocket server example
Fixes #2953
2014-10-25 21:48:34 +09:00
Trustin Lee
9b4481b59a Fix a compilation error 2014-10-25 17:13:57 +09:00
Trustin Lee
d794ea515b Fix compilation errors in ChannelOutboundBufferTest 2014-10-25 16:57:47 +09:00
Trustin Lee
83296ca9ac Overall cleanup of 6602fcf54fafeae1d3d0f57734d60f81edc2e0ba 2014-10-25 16:43:11 +09:00
Norman Maurer
32d82fa259 Modify HttpObjectDecoder to allow parsing the HTTP headers in multiple steps.
At the moment the whole HTTP header must be parsed at once which can lead to multiple parsing of the same bytes. We can do better here and allow to parse it in multiple steps.


 - Not parse headers multiple times
 - Simplify the code
 - Eliminate unnecessary String[] creations
 - Use readSlice(...).retain() when possible.


Performance improvements as shown in the included benchmark below.

Before change:
[nmaurer@xxx]~% ./wrk-benchmark
Running 2m test @ http://xxx:8080/plaintext
  16 threads and 256 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency    21.55ms   15.10ms 245.02ms   90.26%
    Req/Sec   196.33k    30.17k  297.29k    76.03%
  373954750 requests in 2.00m, 50.15GB read
Requests/sec: 3116466.08
Transfer/sec:    427.98MB

After change:
[nmaurer@xxx]~% ./wrk-benchmark
Running 2m test @ http://xxx:8080/plaintext
  16 threads and 256 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency    20.91ms   36.79ms   1.26s    98.24%
    Req/Sec   206.67k    21.69k  243.62k    94.96%
  393071191 requests in 2.00m, 52.71GB read
Requests/sec: 3275971.50
Transfer/sec:    449.89MB
2014-10-25 16:43:11 +09:00
Trustin Lee
329e97f20f Revert "Fix the websocket server example"
This reverts commit 443d686d6ac868375ab23fd18a73ddf971745657.
2014-10-25 16:43:11 +09:00
Matthias Einwag
443d686d6a Fix the websocket server example
As reported in #2953 the websocket server example contained a bug and did therefore not work with Chrome:
A websocket extension is added to the pipeline but extensions were disallowed in the handshaker and decoder,
which is leading the decoder to close the connection after receiving an extension frame.

Allow websocket extensions in the handshaker to correctly enable the extension.

Working websocket server example
Fixes #2953
2014-10-25 16:18:29 +09:00
Trustin Lee
ee9cbda9f0 Implement user-defined writability flags
Related: #2945


Some special handlers such as TrafficShapingHandler need to override the
writability of a Channel to throttle the outbound traffic.


Add a new indexed property called 'user-defined writability flag' to
ChannelOutboundBuffer so that a handler can override the writability of
a Channel easily.


A handler can override the writability of a Channel using an unsafe API.
For example:

  Channel ch = ...;
  ch.unsafe().outboundBuffer().setUserDefinedWritability(1, false);
2014-10-25 15:59:30 +09:00
Trustin Lee
5112cec5fa Handle an empty ByteBuf specially in HttpObjectEncoder
Related: #2983


It is a well known idiom to write an empty buffer and add a listener to
its future to close a channel when the last byte has been written out:

  ChannelFuture f = channel.writeAndFlush(Unpooled.EMPTY_BUFFER);

When HttpObjectEncoder is in the pipeline, this still works, but it
silently raises an IllegalStateException, because HttpObjectEncoder does
not allow writing a ByteBuf when it is expecting an HttpMessage.


- Handle an empty ByteBuf specially in HttpObjectEncoder, so that
  writing an empty buffer does not fail even if the pipeline contains an
- Add a test


An exception is not triggered anymore by HttpObjectEncoder, when a user
attempts to write an empty buffer.
2014-10-22 14:45:02 +09:00
Daniel Bevenius
a9dcdf8864 CorsHandler should release HttpRequest after processing preflight/error.
Currently, when the CorsHandler processes a preflight request, or
responds with a 403 Forbidden using the short-circuit option, the
HttpRequest is not released which leads to a buffer leak.

Releasing the HttpRequest when done processing a preflight request or
responding with a 403.

Using the CorsHandler will not cause buffer leaks.
2014-10-22 06:38:15 +02:00
Trustin Lee
4e005b470f Fix missing version properties of transport-epoll in all-in-one JAR
Related: #2952


META-INF/io.netty.versions.properties in netty-all-*.jar does not
contain the version information about the netty-transport-epoll module.


Fix a bug in the regular expression in pom.xml, so that the artifacts
with a classifier are also included in the version properties file.


The version information of all modules is included in the version
properties file, and Version.identify() does not miss
2014-10-21 22:31:46 +09:00
Frederic Bregier
2fc421b2ba Backport 4.1 to 4.0 on HttpPostRequestDecoder
4.0 was not modified at the same time as 4.1 while the difference was
Include the fix on "=" character in Boundary.

Issue #3004 shows that "=" character was not supported as it should in
the HttpPostRequestDecoder in form-data boundary.

Backport from 4.1 to 4.0 while respecting interfaces.

Add 2 methods in StringUtil
- split with maxParm argument: String split with max parts only (to prevent multiple '='
to be source of extra split while not needed)
- substringAfter: String part after delimiter (since first part is not
Use those methods in HttpPostRequestDecoder.
Change and the HttpPostRequestDecoderTest to check using a boundary
beginning with "=".

Backport done (Issue #2886 fix)
Issue #3004 fix too
The fix implies more stability and fix the relative issues.
2014-10-21 16:05:08 +09:00
Trustin Lee
6150de5eb2 Disable SSLv3 to avoid POODLE vulnerability
Related: #3031


The only way to protect ourselves from POODLE vulnerability in Java for
now is to disable SSLv3.

- http://en.wikipedia.org/wiki/POODLE
- https://blogs.oracle.com/security/entry/information_about_ssl_poodle_vulnerability


Disable SSLv3 in SslContext implementations


Prevent POODLE vulnerability when a user used SslContext with the
default configuration
2014-10-21 14:01:04 +09:00
76de0a7567 Slight performance improvement to IntObjectHashMap.hashIndex()

Using a needless local copy of keys.length.


Using keys.length explicitly everywhere.


Slight performance improvement of hashIndex.
2014-10-20 12:39:25 -07:00
c6053b8698 Optimize IntObjectHashMap handling of negative keys.

The hashIndex method currently uses a conditional to handle negative
keys. This could be done without a conditional to slightly improve


Modified hashIndex() to avoid using a conditional.


Slight performance improvement to hashIndex().
2014-10-20 10:59:27 -07:00
c1217b9dd3 Allowing negative keys in IntObjectHashMap.

IntObjectHashMap throws an exception when using negative values for


Changed hashIndex() to normalize the index if the mod operation returns
a negative number.


IntObjectHashMap supports negative key values.
2014-10-20 18:08:26 +02:00
Trustin Lee
d36950503c Make Bootstrap and ServerBootstrap fully overridable
Related: #2034


Some users want to mock Bootstrap (or ServerBootstrap), and thus they
should not be final but be fully overridable and extensible.


Remove finals wherever possible


@daschl is happy.
2014-10-17 16:17:48 +09:00
Trustin Lee
c13f72c5b6 Fix an infinite loop when writing a zero-length FileRegion
Related: #2964


Writing a zero-length FileRegion to an NIO channel will lead to an
infinite loop.


- Do not write a zero-length FileRegion by protecting with proper 'if'.
- Update the testsuite


Another bug fixed
2014-10-17 16:06:57 +09:00
Trustin Lee
8416a47106 Make TestUtils.getFreePort() check both TCP and UDP

We see occasional failures in the datagram tests saying 'address already
in use' when we attempt to bind on a port returned by

It turns out that TestUtils.getFreePort() only checks if TCP port is


Also check if UDP port is available, so that the datagram tests do not
fail because of the 'address already in use' error during a bind


Less chance of datagram test failures
2014-10-17 15:05:01 +09:00
Trustin Lee
2443005c15 Do not consider PortUnreachableException to require channel closure

When a datagram packet is sent to a destination where nobody actually listens to,
the server O/S will respond with an ICMP Port Unreachable packet.
The ICMP Port Unreachable packet is translated into PortUnreachableException by JDK.
PortUnreachableException is not a harmful exception that prevents a user from sending a datagram.
Therefore, we should not close a datagram channel when PortUnreachableException is caught.


- Do not close a channel when the caught exception is PortUnreachableException.


A datagram channel is not closed unexpectedly anymore.
2014-10-14 17:50:31 +09:00
Trustin Lee
f0e2aa424d Add AbstractUnsafe.annotateConnectException()

JDK's exception messages triggered by a connection attempt failure do
not contain the related remote address in its message.  We currently
append the remote address to ConnectException's message, but I found
that we need to cover more exception types such as SocketException.


- Add AbstractUnsafe.annotateConnectException() to de-duplicate the
  code that appends the remote address


- Less duplication
- A transport implementor can annotate connection attempt failure
  message more easily
2014-10-14 17:50:31 +09:00
Trustin Lee
31862cca18 Fix a bug in NetUtil.createByteArrayFromIpAddressString()

An IPv6 string can have a zone index which is followed by the '%' sign.
When a user passes an IPv6 string with a zone index,
NetUtil.createByteArrayFromIpAddressString() returns an incorrect value.


- Strip the zone index before conversion


An IPv6 string with a zone index is decoded correctly.
2014-10-14 17:50:31 +09:00
Matthias Einwag
730525c6cf Add verification for websocket subprotocol on the client side.

Websocket clients can request to speak a specific subprotocol. The list of
subprotocols the client understands are sent to the server. The server
should select one of the protocols and reply this with the websocket
handshake response. The added code verifies that the responded subprotocol
is valid.


Added verification of the subprotocol received from the server against the
subprotocol(s) that the user requests. If the user requests a subprotocol
but the server responds none or a non-requested subprotocol this is an
error and the handshake fails through an exception. If the user requests
no subprotocol but the server responds one this is also marked as an

Additionally a getter for the WebSocketClientHandshaker in the
WebSocketClientProtocolHandler is added to enable the user of a
WebSocketClientProtocolHandler to extract the used negotiated subprotocol.


The subprotocol field which is received from a websocket server is now
properly verified on client side and clients and websocket connection
attempts will now only succeed if both parties can negotiate on a
If the client sends a list of multiple possible subprotocols it can
extract the negotiated subprotocol through the added handshaker getter (WebSocketClientProtocolHandler.handshaker().actualSubprotocol()).
2014-10-14 14:47:11 +09:00
Luke Wood
bcfd6da1dd Access autoRead via an AtomicIntegerFieldUpdater.

Before this change, autoRead was a volatile boolean accessed directly.  Any thread that invoked the DefaultChannelConfig#setAutoRead(boolean) method would read the current value of autoRead, and then set a new value.  If the old value did not match the new value, some action would be immediately taken as part of the same method call.

As volatile only provides happens-before consistency, there was no guarantee that the calling thread was actually the thread mutating the state of the autoRead variable (such that it should be the one to invoke the follow-up actions).  For example, with 3 threads:
 * Thread 1: get = false
 * Thread 1: set = true
 * Thread 1: invokes read()
 * Thread 2: get = true
 * Thread 3: get = true
 * Thread 2: set = false
 * Thread 2: invokes autoReadCleared()
 * Event Loop receives notification from the Selector that data is available, but as autoRead has been cleared, cancels the operation and removes read interest
 * Thread 3: set = true

This results in a livelock - autoRead is set true, but no reads will happen even if data is available (as readyOps).  The only way around this livelock currently is to set autoRead to false, and then back to true.


Write access to the autoRead variable is now made using the getAndSet() method of an AtomicIntegerFieldUpdater, AUTOREAD_UPDATER.  This also changed the type of the underlying autoRead variable to be an integer, as no AtomicBooleanFieldUpdater class exists.  Boolean logic is retained by assuming that 1 is true and 0 is false.


There is no longer a race condition between retrieving the old value of the autoRead variable and setting a new value.
2014-10-13 15:16:28 +02:00
Matthias Einwag
a13ad3367c Add a test for handover from HTTP to Websocket
I was not fully reassured whether everything works correctly when a websocket client receives the websocket handshake HTTP response and a websocket frame in a single ByteBuf (which can happen when the server sends a response directly or shortly after the connect). In this case some parts of the ByteBuf must be processed by HTTP decoder and the remaining by the websocket decoder.

Adding a test that verifies that in this scenario the handshake and the message are correctly interpreted and delivered by Netty.

One more test for Netty.
The test succeeds - No problems
2014-10-13 07:23:31 +02:00