[jetty-dev] Why DNS lookup in newSSLEngine(InetSocketAddress address)?

Hello.

The doc on this method states:

* If {@link #getNeedClientAuth()} is {@code true}, then the host name is passed to
* {@link #newSSLEngine(String, int)}, possibly incurring in a reverse DNS lookup, which takes time
* and may hang the selector (since this method is usually called by the selector thread).
* <p />

But why is this needed at all? I have made some tests and client authentication works just fine even if the host name cannot be resolved, so why this extra overhead? And what is worse is if I do have a DNS that does not respond for whatever reason, then my application will suffer severely since all incoming requests will be stuck. And I cannot see why we should get this penalty just because we enable client authentication.

Regards
/Johan
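
The Javadoc quoted above attributes the delay to turning the peer address into a host name. The sketch below is an added example, not part of the original post and not Jetty's code; it uses only JDK classes to show that `InetSocketAddress.getHostString()` supplies the `SSLEngine` peer hint without a lookup, while `getHostName()` is the call that waits on the resolver. The class name, the `engineFor` helper and the sample address are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class PeerHostWithoutLookup {

    // Hypothetical helper: build a server-side SSLEngine for a peer
    // without ever asking the resolver for the peer's name.
    static SSLEngine engineFor(SSLContext ctx, InetSocketAddress peer, boolean needClientAuth) {
        // getHostString() returns the name the address was created with, or the
        // IP literal if there is none. Unlike getHostName() it never performs a
        // reverse lookup, so it cannot block the calling thread on DNS.
        String peerHost = peer.getHostString();
        SSLEngine engine = ctx.createSSLEngine(peerHost, peer.getPort());
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(needClientAuth);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample peer (TEST-NET-3 documentation address).
        // getByAddress() builds the InetAddress from raw bytes with no name
        // service call, so the address starts out with no host name attached.
        InetAddress ip = InetAddress.getByAddress(new byte[] {(byte) 203, 0, 113, 7});
        InetSocketAddress peer = new InetSocketAddress(ip, 50443);

        SSLEngine engine = engineFor(SSLContext.getDefault(), peer, true);
        System.out.println("peer host hint : " + engine.getPeerHost());
        System.out.println("peer port hint : " + engine.getPeerPort());
        System.out.println("needClientAuth : " + engine.getNeedClientAuth());

        // For comparison, this is the call that can stall: with no cached name,
        // getHostName() asks the resolver for a PTR record and waits for the answer.
        long start = System.nanoTime();
        String resolved = peer.getHostName();
        long ms = (System.nanoTime() - start) / 1_000_000;
        System.out.println("getHostName()  : " + resolved + " after " + ms + " ms");
    }
}
```

Running it against a resolver that is slow or unreachable makes the difference visible in the last line, while the engine creation above it returns immediately.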
