Creating of SslContext in paranoid mode takes too long
I have ~400 integration tests. Every test creates an SslContext and destroys it at the end. Recently I switched my tests from the JDK provider to the OpenSSL provider and now my tests run forever 😃.
I found that the reason is SslContext creation in Paranoid mode.
Expected behavior
OpenSsl context creation performance should be close to JDK ssl context creation.
Minimal yet complete reproducer code (or URL to code)
This minimal unit test reproduces situation:
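```java
import static org.junit.Assert.assertNotNull;

import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import io.netty.util.ResourceLeakDetector;
import org.junit.Test;

public class SslContextCreationTest {
    @Test
    public void testCreateContext() throws Exception {
        ResourceLeakDetector.setLevel(ResourceLeakDetector.Level.PARANOID);
        // Builds a new context on every iteration and prints how long each build() took (ms).
        while (true) {
            SelfSignedCertificate ssc = new SelfSignedCertificate();
            SslContextBuilder builder = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
                    .sslProvider(SslProvider.OPENSSL);
            long now = System.currentTimeMillis();
            SslContext sslContext = builder.build();
            System.out.print(System.currentTimeMillis() - now);
            assertNotNull(sslContext);
        }
    }
}
```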
In my case builder.build() takes 4 seconds. JDK SSL context creation takes a few millis.
Profiling shows that the issue is in the ResourceLeakDetector.newRecord() method. It takes all the time and allocates hundreds of megabytes of objects.
Netty version
4.1.13.Final
JVM version (e.g. java -version)
1.8.0_131
OS version (e.g. uname -a)
Ubuntu 16.04
Issue Analytics
- State:
- Created 6 years ago
- Comments:9 (9 by maintainers)
Top GitHub Comments
@doom369 that is because usually it's not expected to have these created and destroyed very frequently. That said I think I could improve it for the Java 8 use case… Stay tuned…
Ok thanks… closing
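The maintainer's comment says contexts are not expected to be created and destroyed frequently. A test layout that follows from that, as an added example (not code from the issue or from Netty): the OpenSSL context is built once per test class and released explicitly, while each test takes its own engine. The class and method names are hypothetical, and JUnit 4 plus netty-tcnative on the classpath are assumed.

```java
import static org.junit.Assert.assertNotNull;

import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import io.netty.util.ReferenceCountUtil;
import io.netty.util.ResourceLeakDetector;
import javax.net.ssl.SSLEngine;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Test;

// Hypothetical test class: the names are illustrative, not from the Netty code base.
public class SharedOpenSslContextTest {
    private static SelfSignedCertificate ssc;
    private static SslContext sslContext;

    @BeforeClass
    public static void createContextOnce() throws Exception {
        // Leak detection stays at PARANOID for the tests themselves.
        ResourceLeakDetector.setLevel(ResourceLeakDetector.Level.PARANOID);
        ssc = new SelfSignedCertificate();
        // The expensive build() runs once per class instead of once per test.
        sslContext = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
                .sslProvider(SslProvider.OPENSSL)
                .build();
    }

    @Test
    public void eachTestGetsItsOwnEngine() {
        // Per-connection state lives in the engine; the context itself is shared.
        SSLEngine engine = sslContext.newEngine(ByteBufAllocator.DEFAULT);
        try {
            assertNotNull(engine);
        } finally {
            ReferenceCountUtil.release(engine); // frees the engine's native SSL object
        }
    }

    @AfterClass
    public static void releaseContext() {
        ReferenceCountUtil.release(sslContext); // frees the native SSL_CTX (no-op if null)
        if (ssc != null) {
            ssc.delete(); // removes the temporary key and certificate files
        }
    }
}
```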