Re: [jetty-dev] Why DNS lookup in newSSLEngine(InetSocketAddress address)?

Sure thing Simone, it is done.


On 10 January 2017 at 18:18:53 +01:00, Simone Bordet <sbordet@xxxxxxxxxxx> wrote:

On Thu, Dec 22, 2016 at 3:55 PM, Johan Piculell <johan@xxxxxxxxxxx> wrote:

The doc on this method states:

* If {@link #getNeedClientAuth()} is {@code true}, then the host name is passed to
* {@link #newSSLEngine(String, int)}, possibly incurring in a reverse DNS lookup, which takes time
* and may hang the selector (since this method is usually called by the selector thread).
* <p />

But why is this needed at all? I have made some tests and client
authentication works just fine even if the host name cannot be resolved, so
why this extra overhead? And what is worse is if I do have a DNS that does
not respond for whatever reason, then my application will suffer severely
since all incoming requests will be stuck. And I cannot see why we should
get this penalty just because we enable client authentication.

Can you please open an issue about this?

Simone Bordet
Developer advice, training, services and support
from the Jetty & CometD experts.
