f7b3caeddc
Motivation: The JDK SSLEngine documentation says that a call to wrap/unwrap "will attempt to consume one complete SSL/TLS network packet" [1]. This limitation can result in thrashing in the pipeline to decode and encode data that may be spread amongst multiple SSL/TLS network packets. ReferenceCountedOpenSslEngine also does not correctly account for the overhead introduced by each individual SSL_write call if there are multiple ByteBuffers passed to the wrap() method. Modifications: - OpenSslEngine and SslHandler support a mode that does not comply with the limitation to only deal with a single SSL/TLS network packet per call - ReferenceCountedOpenSslEngine correctly accounts for the overhead of each call to SSL_write - SslHandler shouldn't cache maxPacketBufferSize as aggressively because this value may change before/after the handshake. Result: OpenSslEngine and SslHandler can handle multiple SSL/TLS network packets per call. [1] https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLEngine.html
/*
 * Copyright 2014 The Netty Project
 *
 * The Netty Project licenses this file to you under the Apache License,
 * version 2.0 (the "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at:
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations
 * under the License.
 */
package io.netty.handler.ssl;
import io.netty.buffer.ByteBufAllocator;
import java.security.cert.Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
/**
 * This class uses a finalizer to ensure native resources are cleaned up automatically. To avoid finalizers
 * and release the native memory manually, see {@link ReferenceCountedOpenSslContext}.
 */
public abstract class OpenSslContext extends ReferenceCountedOpenSslContext {

    /**
     * Creates a finalizer-managed context whose application-protocol negotiation is
     * described by an {@link ApplicationProtocolConfig}.
     * <p>
     * All arguments are forwarded unchanged to the reference-counted parent; the trailing
     * {@code false} is a parent-defined flag that this class always fixes (presumably the
     * switch that selects explicit reference counting over finalization — confirm against
     * {@link ReferenceCountedOpenSslContext}).
     *
     * @throws SSLException if the parent context cannot be created
     */
    OpenSslContext(
            Iterable<String> ciphers,
            CipherSuiteFilter cipherFilter,
            ApplicationProtocolConfig apnCfg,
            long sessionCacheSize,
            long sessionTimeout,
            int mode,
            Certificate[] keyCertChain,
            ClientAuth clientAuth,
            String[] protocols,
            boolean startTls,
            boolean enableOcsp) throws SSLException {
        super(
                ciphers,
                cipherFilter,
                apnCfg,
                sessionCacheSize,
                sessionTimeout,
                mode,
                keyCertChain,
                clientAuth,
                protocols,
                startTls,
                enableOcsp,
                false);
    }

    /**
     * Creates a finalizer-managed context with an already-built
     * {@link OpenSslApplicationProtocolNegotiator}.
     * <p>
     * Mirrors the config-based constructor: every argument is forwarded to the parent and the
     * trailing parent-defined flag is fixed to {@code false}.
     *
     * @throws SSLException if the parent context cannot be created
     */
    OpenSslContext(
            Iterable<String> ciphers,
            CipherSuiteFilter cipherFilter,
            OpenSslApplicationProtocolNegotiator apn,
            long sessionCacheSize,
            long sessionTimeout,
            int mode,
            Certificate[] keyCertChain,
            ClientAuth clientAuth,
            String[] protocols,
            boolean startTls,
            boolean enableOcsp) throws SSLException {
        super(
                ciphers,
                cipherFilter,
                apn,
                sessionCacheSize,
                sessionTimeout,
                mode,
                keyCertChain,
                clientAuth,
                protocols,
                startTls,
                enableOcsp,
                false);
    }

    /**
     * Builds the finalizer-based {@link OpenSslEngine} for this context.
     *
     * @param alloc                buffer allocator handed to the engine
     * @param peerHost             peer host name, as passed to the engine
     * @param peerPort             peer port, as passed to the engine
     * @param jdkCompatibilityMode whether the engine must follow the JDK SSLEngine contract of
     *                             handling one SSL/TLS network packet per wrap/unwrap call
     *                             (per the commit description; the engine itself defines the
     *                             exact semantics)
     * @return a new engine bound to this context
     */
    @Override
    final SSLEngine newEngine0(ByteBufAllocator alloc, String peerHost, int peerPort, boolean jdkCompatibilityMode) {
        final OpenSslEngine engine = new OpenSslEngine(this, alloc, peerHost, peerPort, jdkCompatibilityMode);
        return engine;
    }

    /**
     * Runs the parent finalizer, then releases this context's native resources via
     * {@link OpenSsl#releaseIfNeeded(Object)} if they are still held.
     * <p>
     * NOTE(review): the release happens only after {@code super.finalize()} returns normally;
     * if the parent finalizer throws, the native release on the following line is skipped.
     */
    @Override
    @SuppressWarnings("FinalizeDeclaration")
    protected final void finalize() throws Throwable {
        super.finalize();
        OpenSsl.releaseIfNeeded(this);
    }
}