Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[jetty-dev] Why DNS lookup in newSSLEngine(InetSocketAddress address)?


The doc on this method states:

* If {@link #getNeedClientAuth()} is {@code true}, then the host name is passed to
* {@link #newSSLEngine(String, int)}, possibly incurring in a reverse DNS lookup, which takes time
* and may hang the selector (since this method is usually called by the selector thread).
* <p />

But why is this needed at all? I have made some tests and client authentication works just fine even if the host name cannot be resolved, so why this extra overhead? And what is worse is if I do have a DNS that does not respond for whatever reason, then my application will suffer severely since all incoming requests will be stuck. And I cannot see why we should get this penalty just because we enable client authentication.


Back to the top