From a87e458432609b7a35a2abd6410b02e8a2ffc974 Mon Sep 17 00:00:00 2001 From: Daryn Sharp Date: Wed, 20 Feb 2019 18:13:53 -0800 Subject: [PATCH] HADOOP-15813. Enable more reliable SSL connection reuse. Contributed by Daryn Sharp. Signed-off-by: Wei-Chiu Chuang --- .../java/org/apache/hadoop/security/ssl/SSLFactory.java | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java index 3189b4480c..a7548aac0c 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java @@ -108,6 +108,10 @@ public enum Mode { CLIENT, SERVER } private Mode mode; private boolean requireClientCert; private SSLContext context; + // the java keep-alive cache relies on instance equivalence of the SSL socket + // factory. in many java versions, SSLContext#getSocketFactory always + // returns a new instance which completely breaks the cache... + private SSLSocketFactory socketFactory; private HostnameVerifier hostnameVerifier; private KeyStoresFactory keystoresFactory; @@ -178,6 +182,9 @@ public void init() throws GeneralSecurityException, IOException { context.init(keystoresFactory.getKeyManagers(), keystoresFactory.getTrustManagers(), null); context.getDefaultSSLParameters().setProtocols(enabledProtocols); + if (mode == Mode.CLIENT) { + socketFactory = context.getSocketFactory(); + } hostnameVerifier = getHostnameVerifier(conf); } @@ -298,7 +305,7 @@ public SSLSocketFactory createSSLSocketFactory() throw new IllegalStateException( "Factory is not in CLIENT mode. Actual mode is " + mode.toString()); } - return context.getSocketFactory(); + return socketFactory; } /**