Auto-port 4.2: Fix DiscardClient hang under -Dssl by using a client SSL context #16724
Merged
## Problem

`./run-example -Dssl discard-client` against `./run-example -Dssl discard-server` does not complete the TLS handshake — it hangs until the handshake times out.

## Root Cause

`DiscardClient.main` builds its `SslContext` via `ServerUtil.buildSslContext()`:

```java
// example/src/main/java/io/netty/example/util/ServerUtil.java
public static SslContext buildSslContext() throws ... {
    if (!SSL) return null;
    SelfSignedCertificate ssc = new SelfSignedCertificate();
    return SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()).build();
}
```

`SslContextBuilder.forServer(...)` produces a context whose `isClient()` is `false`, so its `SSLEngine` is created with `setUseClientMode(false)` (see `JdkSslContext`). When the example's "client" attaches that engine to its `SslHandler`, both ends of the connection are configured as TLS servers: each side waits for an inbound `ClientHello` from the other, and neither sends one. The handshake deadlocks until the configured handshake timeout fires.

## Fix

In `DiscardClient`, build a client `SslContext` with `InsecureTrustManagerFactory` when `-Dssl` is set, and leave `sslCtx` as `null` otherwise. This is the same pattern already used by `ObjectEchoClient`, `HttpUploadClient`, `SecureChatClient`, `Http2Client`, `MemcacheClient`, and other client examples in the same module.

The server side (`DiscardServer`) is unchanged and continues to use `ServerUtil.buildSslContext()` correctly.

## Tests Added

The `example` module has no unit-test infrastructure (`example/src/` contains only `main`); examples are runnable demos rather than testable units. The fix is verified by inspection against the matching `if (SSL) { SslContextBuilder.forClient()... }` pattern in the other client examples cited above.

## Impact

- `./run-example -Dssl discard-client` against `./run-example -Dssl discard-server` now completes the TLS handshake instead of timing out.
- Plaintext mode (no `-Dssl`) is unchanged: `sslCtx` is `null` exactly as before.
- Only `DiscardClient.java` is touched. `DiscardServer.java`, `DiscardClientHandler.java`, and `DiscardServerHandler.java` are unchanged.

Other example clients (`EchoClient`, `FactorialClient`, `WorldClockClient`, `TelnetClient`) call the same `ServerUtil.buildSslContext()` and exhibit the same hang under `-Dssl`. Those are kept out of this PR to keep the scope tied to the reported issue and can be addressed in a follow-up.

Fixes #14499

(cherry picked from commit b55fabc)
Auto-port of #16717 to 4.2
Cherry-picked commit: b55fabc
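The role mismatch behind the hang can be reproduced without Netty. The following is an added example, not code from this PR or from the Netty project: it uses the plain JDK `SSLEngine`, and the class name `TlsRoleMismatchDemo` and its helper methods are hypothetical. It asks an engine in each role what it wants to do first after `beginHandshake()`.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;

// Hypothetical demo class (not part of Netty): shows why two TLS engines
// that are both in server mode can never start a handshake.
public class TlsRoleMismatchDemo {

    // Create an engine in the given role, start the handshake, and report
    // the first action the engine wants to perform.
    static HandshakeStatus firstStep(boolean clientMode) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(clientMode);
        engine.beginHandshake();
        return engine.getHandshakeStatus();
    }

    // A handshake makes progress only if some peer has bytes to send first
    // (NEED_WRAP). If both peers report NEED_UNWRAP, each waits for the other.
    static boolean someoneSpeaksFirst(boolean aIsClient, boolean bIsClient) throws Exception {
        return firstStep(aIsClient) == HandshakeStatus.NEED_WRAP
            || firstStep(bIsClient) == HandshakeStatus.NEED_WRAP;
    }

    public static void main(String[] args) throws Exception {
        // Client role: the engine has a ClientHello queued, so it must write.
        System.out.println("client mode first step: " + firstStep(true));
        // Server role: nothing to send until a ClientHello arrives.
        System.out.println("server mode first step: " + firstStep(false));

        // The misconfiguration described above: the "client" uses a server context.
        System.out.println("server + server can start: " + someoneSpeaksFirst(false, false));
        // The corrected pairing: one real client, one server.
        System.out.println("client + server can start: " + someoneSpeaksFirst(true, false));
    }
}
```

In Netty the same role is visible on the context through `SslContext.isClient()`, which can be checked before a context is handed to a client bootstrap.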