JRuby (please use github issues at http://bugs.jruby.org)
  JRUBY-6891

SSLSocket.accept forces reverse DNS lookup, not required for most SSL and sometimes causes very poor performance

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Incomplete
    • Affects Version/s: JRuby 1.7.0.pre2
    • Fix Version/s: None
    • Component/s: OpenSSL, Ruby 1.9.3
    • Labels: None
    • Number of attachments: 0

      Description

      Came across this issue when a new client was getting ~10s delays before page loads. They were hitting an IP in their network that did not have a reverse DNS name associated with it. It turned out that requests were being made by JRuby SSL to do a reverse DNS lookup on the IP, and those requests were timing out before continuing with the request.

      https://github.com/jruby/jruby/blob/master/src/org/jruby/ext/openssl/SSLSocket.java#L142 - this line will always force a reverse DNS lookup for an SSL connection.

      http://docs.oracle.com/javase/1.5.0/docs/api/javax/net/ssl/SSLContext.html#createSSLEngine() - this documentation suggests that passing hostname and port should only be required for certain cipher suites.

      Perhaps a flag to force the reverse lookup if you think it's required?

      Additionally, there seem to be some potential issues in that SSLSocket is in no way associated with Ruby's Socket or BasicSocket... so, for example, a flag like BasicSocket.do_not_reverse_lookup will not be adhered to when using SSLSocket (see the comment at https://github.com/jruby/jruby/blob/master/src/org/jruby/ext/openssl/SSLSocket.java#L130, for example).

        Activity

        Charles Oliver Nutter added a comment -

        This should work for you. Note this is only on master, but we intend (given enough time) to try to backport to the jruby-openssl gem.

        commit d43177d40ee97ab91025db4eb1e4de03c5eb7a1f
        Author: Charles Oliver Nutter <headius@headius.com>
        Date:   Wed Sep 19 00:33:50 2012 -0500
        
            Fix JRUBY-6891
            
            SSLSocket.accept forces reverse DNS lookup, not required for most SSL and sometimes causes very poor performance
            
            Try to initialize without host, falling back on the old logic if
            the SSLEngine fails to create.
        
        :100644 100644 f8043ea... ffb24dc... M	src/org/jruby/ext/openssl/SSLContext.java
        :100644 100644 7c175fc... 5c5a401... M	src/org/jruby/ext/openssl/SSLSocket.java
        
        Ben Porterfield added a comment -

        Great, thanks so much!

        Patrick Toomey added a comment -

        This solution to this bug results in breaking Server Name Indication (SNI). Please see JRUBY-6944 for more details.

        Charles Oliver Nutter added a comment -

        We had to revert this for 1.7.0 due to the breakage reported in JRUBY-6944. Reopening.

        Charles Oliver Nutter added a comment - Moved to https://github.com/jruby/jruby-openssl/issues/22
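
An added example, not JRuby's code and not part of any comment above: one way to avoid the reverse lookup described in the report on the accept path while still passing a host name on the connect path, which client-side SNI relies on. `PeerHints`, `forAccept` and `forConnect` are hypothetical names, and the peer address and host name are constructed sample values.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example (not JRuby code). PeerHints, forAccept and forConnect are
// hypothetical names used only for this illustration.
public class PeerHints {

    // Accept path: the peer is known only by its IP address.
    // InetAddress.getHostAddress() formats the IP without any DNS traffic;
    // InetAddress.getHostName() on such an address performs a reverse (PTR)
    // lookup and blocks until the resolver answers or times out.
    static SSLEngine forAccept(SSLContext ctx, InetSocketAddress peer) {
        String hint = peer.getAddress().getHostAddress();
        SSLEngine engine = ctx.createSSLEngine(hint, peer.getPort());
        engine.setUseClientMode(false);
        return engine;
    }

    // Connect path: the caller already holds the name it asked for, so passing
    // it costs no lookup and keeps the host hint that client-side SNI needs.
    static SSLEngine forConnect(SSLContext ctx, String requestedHost, int port) {
        SSLEngine engine = ctx.createSSLEngine(requestedHost, port);
        engine.setUseClientMode(true);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // Constructed sample peer: 192.0.2.10 is a documentation address
        // (TEST-NET-1). getByAddress() builds it from raw bytes, no lookup.
        InetAddress ip = InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 10});
        InetSocketAddress peer = new InetSocketAddress(ip, 50000);

        SSLEngine server = forAccept(ctx, peer);
        System.out.println("accept hint:  " + server.getPeerHost() + ":" + server.getPeerPort());

        // Constructed sample host name for the client side.
        SSLEngine client = forConnect(ctx, "www.example.com", 443);
        System.out.println("connect hint: " + client.getPeerHost() + ":" + client.getPeerPort());
    }
}
```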

          People

          • Assignee: Charles Oliver Nutter
          • Reporter: Ben Porterfield
