Enable OpenSslCachingKeyMaterialProvider to evict stale entries after cert rotation#16523
@zhangweikop did you sign our ICLA? https://netty.io/s/icla

@normanmaurer @chrisvest Can you help review the change again?
chrisvest left a comment:
I think we are at risk of Use After Free errors with these changes, and we need to address that before merging.
```java
Map.Entry<String, OpenSslKeyMaterial> entry = iterator.next();
if (keyManager().getCertificateChain(entry.getKey()) == null) {
    iterator.remove();
    entry.getValue().release();
```
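Review bot: the staleness test on the second line only catches aliases the key manager has dropped; a rotation that reloads new key material under the same alias leaves the old entry in place, since `keyManager().getCertificateChain(entry.getKey())` still returns non-null for it. Either document that rotation must introduce a fresh alias, or compare the cached chain against what the key manager now returns before deciding an entry is current. Separately, calling `entry.getValue().release()` straight after `iterator.remove()` assumes no in-flight handshake still holds that material; the cache's own reference and borrowers' references need separate accounting before that release is safe.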
I don't think we're able to say that the entry definitely isn't used at this point, without additional reference counting for the use of cached key materials.
Good catch!
Updated the PR to wrap ConcurrentHashMap in a helper class and perform retain()/release() inside computeIfPresent/compute lambdas.
This ensures the ref count update is atomic with the map operation. The material is always ref counted first before returning.
Also considered a ReadWriteLock approach, but local benchmark testing shows computeIfPresent scales significantly better under contention.
@chrisvest Do you have further feedback?
Updated PR:
- The read hot path has no overhead: just ConcurrentHashMap.get() + retain(), within try/catch.
- Only writes (inserts/evictions) need to use compute/computeIfPresent to update the refcnt.
d811ca4 to 8fd03cf
Taking a closer look at this now, since I just did #16759
# Conflicts:
#	handler/src/main/java/io/netty/handler/ssl/OpenSslCachingKeyMaterialProvider.java
It was possible for calls to chooseKeyMaterial and destroy to race, and leave a key material in the cache. Adding a volatile 'destroyed' field to track, and letting chooseKeyMaterial help out with the clean-up closes the data race.
chrisvest left a comment:
I addressed the conflicts and fixed one bug, and I think it looks good now.
Thank you so much for reviewing the changes and fixing!

Auto-port PR for 5.0: #16802
…e entries after cert rotation (#16802)

Auto-port of #16523 to 5.0

Cherry-picked commit: 40b824b

---

### Motivation:

The current `OpenSslCachingKeyMaterialProvider` does not evict stale entries after a cert rotation. This is related to a performance concern when using grpc-java (grpc/grpc-java#12670)

### Modification:

Added `evictStaleEntries()`, which removes cached entries whose alias is no longer recognized by the `X509KeyManager`. It is called on a cache miss when new material is successfully loaded, so stale entries from rotated credentials are pruned before inserting the new one.

### Result:

Better support for cert rotation.

Related discussion: grpc/grpc-java#12686 grpc/grpc-java#12670

Co-authored-by: wzhang <zhangweikop@gmail.com>
Co-authored-by: Chris Vest <christianvest_hansen@apple.com>
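An added illustration of the design argued out in this thread: plain `get()` + retain on the read path, retain/release inside `compute`/`computeIfPresent` for inserts and evictions, `evictStaleEntries()` run on a cache miss, and the volatile `destroyed` flag that lets a racing caller help `destroy()` finish. This is example code written for this page, not Netty's `OpenSslCachingKeyMaterialProvider`; `KeyMaterial` and the `aliasKnown` predicate are constructed stand-ins for the ref-counted `OpenSslKeyMaterial` and for `X509KeyManager.getCertificateChain(alias) != null`.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Predicate;

/** Constructed stand-in for Netty's ref-counted OpenSslKeyMaterial; holds no native state. */
final class KeyMaterial {
    final String alias;
    private final AtomicInteger refCnt = new AtomicInteger(1); // the cache owns the first reference

    KeyMaterial(String alias) { this.alias = alias; }

    /** Takes a reference unless the material was already freed (count 0). */
    boolean tryRetain() {
        for (;;) {
            int c = refCnt.get();
            if (c == 0) return false;                        // freed under us: caller must reload
            if (refCnt.compareAndSet(c, c + 1)) return true;
        }
    }

    void release() {
        if (refCnt.decrementAndGet() < 0) throw new IllegalStateException("over-released " + alias);
        // reaching 0 is where native key and certificate handles would be freed
    }

    int refCnt() { return refCnt.get(); }
}

/** Hypothetical cache mirroring the thread's design; not the Netty class. */
final class RefCountedKeyMaterialCache {
    private final ConcurrentHashMap<String, KeyMaterial> cache = new ConcurrentHashMap<>();
    private final Predicate<String> aliasKnown;   // stands in for keyManager.getCertificateChain(alias) != null
    private volatile boolean destroyed;

    RefCountedKeyMaterialCache(Predicate<String> aliasKnown) { this.aliasKnown = aliasKnown; }

    /** Returns material with one reference owned by the caller (who must release it), or null. */
    KeyMaterial chooseKeyMaterial(String alias) {
        KeyMaterial hit = cache.get(alias);                  // hot path: get + retain, no lambda
        if (hit != null && hit.tryRetain()) {
            return afterRetain(hit);
        }
        // Miss, or we lost a race with an eviction that freed the entry: load afresh.
        if (!aliasKnown.test(alias)) return null;
        evictStaleEntries();                                 // prune rotated-out aliases first
        KeyMaterial loaded = new KeyMaterial(alias);         // refCnt 1 = the cache's reference
        // Insert and take the caller's reference atomically with the map update.
        KeyMaterial kept = cache.compute(alias, (k, existing) -> {
            KeyMaterial m = existing != null ? existing : loaded;
            if (!m.tryRetain()) throw new IllegalStateException("freed entry left in cache");
            return m;
        });
        if (kept != loaded) loaded.release();                // another thread won: drop our copy
        return afterRetain(kept);
    }

    /** Closes the chooseKeyMaterial/destroy race: a caller that sees the flag helps clean up. */
    private KeyMaterial afterRetain(KeyMaterial m) {
        if (destroyed) {
            m.release();
            destroy();
            return null;
        }
        return m;
    }

    /** Drops cached entries whose alias the key manager no longer recognises. */
    void evictStaleEntries() {
        for (String alias : cache.keySet()) {
            if (!aliasKnown.test(alias)) {
                // Release the cache's reference inside the lambda so it is atomic with removal.
                // Borrowers still holding a reference keep the material alive until they release.
                cache.computeIfPresent(alias, (k, v) -> { v.release(); return null; });
            }
        }
    }

    void destroy() {
        destroyed = true;                                    // volatile: visible to racing callers
        for (String alias : cache.keySet()) {
            cache.computeIfPresent(alias, (k, v) -> { v.release(); return null; });
        }
    }

    int size() { return cache.size(); }
}

public class CertRotationDemo {
    public static void main(String[] args) {
        Set<String> known = ConcurrentHashMap.newKeySet();   // constructed alias set
        known.add("server-2024");
        RefCountedKeyMaterialCache cache = new RefCountedKeyMaterialCache(known::contains);

        KeyMaterial inFlight = cache.chooseKeyMaterial("server-2024"); // a handshake borrows it
        known.remove("server-2024");                         // credentials rotated to a new alias
        known.add("server-2025");
        KeyMaterial fresh = cache.chooseKeyMaterial("server-2025");    // miss evicts the stale entry
        System.out.println("entries=" + cache.size() + " oldRefCnt=" + inFlight.refCnt());
        inFlight.release();                                  // borrower done: old material freed now
        fresh.release();
        cache.destroy();
        System.out.println("oldFreed=" + (inFlight.refCnt() == 0) + " entries=" + cache.size());
    }
}
```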
…ip ci] Bumps `netty.version` from 4.2.13.Final to 4.2.14.Final. Updates `io.netty:netty-transport`, `io.netty:netty-codec` and `io.netty:netty-handler` from 4.2.13.Final to 4.2.14.Final.

…l [skip ci] Bumps [io.netty:netty-all](https://github.com/netty/netty) from 4.2.13.Final to 4.2.14.Final.
Motivation:

The current `OpenSslCachingKeyMaterialProvider` does not evict stale entries after a cert rotation. This is related to a performance concern when using grpc-java (grpc/grpc-java#12670).

Modification:

Added `evictStaleEntries()`, which removes cached entries whose alias is no longer recognized by the `X509KeyManager`. It is called on a cache miss when new material is successfully loaded, so stale entries from rotated credentials are pruned before inserting the new one.

Result:

Better support for cert rotation.
Related discussion:
grpc/grpc-java#12686
grpc/grpc-java#12670
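The evict-on-miss scheme described in the PR, with the reference counting the review thread asks for, as an added example that is not netty's code. The `KeyMaterial` class with its `AtomicInteger` count is an assumption standing in for netty's `OpenSslKeyMaterial`, and `RotatingKeyManager` is a hypothetical `X509KeyManager` test double whose alias set can be rotated at runtime; the class and method names are the example's own. The point it demonstrates is that `retain()` and `release()` run inside `ConcurrentHashMap` compute lambdas for the affected key, so an eviction can never free material that a concurrent `chooseKeyMaterial` has just handed out, while the cache-hit path stays a plain `get()` plus `retain()`.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArraySet;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.X509KeyManager;

/** Added example (not netty's code): a ref-counted key-material cache keyed by alias. */
public final class RefCountedKeyMaterialCache {

    /** Hypothetical stand-in for natively backed key material with an explicit reference count. */
    public static final class KeyMaterial {
        private final String alias;
        private final AtomicInteger refCnt = new AtomicInteger(1); // the cache's own reference

        KeyMaterial(String alias) { this.alias = alias; }

        /** CAS loop that refuses to resurrect material whose count already reached zero. */
        KeyMaterial retain() {
            for (;;) {
                int c = refCnt.get();
                if (c == 0) throw new IllegalStateException("use after free on alias " + alias);
                if (refCnt.compareAndSet(c, c + 1)) return this;
            }
        }

        /** Returns true when this call dropped the last reference (native memory would be freed here). */
        boolean release() {
            int c = refCnt.decrementAndGet();
            if (c < 0) throw new IllegalStateException("double release on alias " + alias);
            return c == 0;
        }

        public int refCnt() { return refCnt.get(); }
    }

    private final X509KeyManager keyManager;
    private final Map<String, KeyMaterial> cache = new ConcurrentHashMap<>();

    public RefCountedKeyMaterialCache(X509KeyManager keyManager) { this.keyManager = keyManager; }

    /** Returns material carrying one reference owned by the caller, or null for an unknown alias. */
    public KeyMaterial chooseKeyMaterial(String alias) {
        KeyMaterial cached = cache.get(alias);          // hot path: plain get + retain, no locking
        if (cached != null) {
            try {
                return cached.retain();
            } catch (IllegalStateException lostRace) {  // evicted between get() and retain(): reload below
            }
        }
        if (keyManager.getCertificateChain(alias) == null) {
            return null;                                // the key manager no longer knows this alias
        }
        evictStaleEntries();                            // cache miss: prune rotated-out aliases first
        KeyMaterial[] out = new KeyMaterial[1];
        cache.compute(alias, (k, existing) -> {         // insert and retain atomically for this key
            KeyMaterial m = existing != null ? existing : new KeyMaterial(k);
            out[0] = m.retain();                        // caller's reference, taken under the bin lock
            return m;
        });
        return out[0];
    }

    /** Drops the cache's reference for every alias the key manager no longer recognizes. */
    public void evictStaleEntries() {
        for (String alias : cache.keySet()) {           // weakly consistent iteration; removal is safe
            if (keyManager.getCertificateChain(alias) == null) {
                cache.computeIfPresent(alias, (k, m) -> { m.release(); return null; });
            }
        }
    }

    public int size() { return cache.size(); }

    /** Hypothetical X509KeyManager test double; only getCertificateChain matters for the cache. */
    static final class RotatingKeyManager implements X509KeyManager {
        final Set<String> aliases = new CopyOnWriteArraySet<>();
        @Override public X509Certificate[] getCertificateChain(String a) {
            return aliases.contains(a) ? new X509Certificate[0] : null; // empty chain stands in for a real one
        }
        @Override public PrivateKey getPrivateKey(String a) { return null; }
        @Override public String[] getClientAliases(String k, Principal[] i) { return null; }
        @Override public String chooseClientAlias(String[] k, Principal[] i, Socket s) { return null; }
        @Override public String[] getServerAliases(String k, Principal[] i) { return null; }
        @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return null; }
    }

    public static void main(String[] args) {
        RotatingKeyManager km = new RotatingKeyManager();
        km.aliases.add("cert-v1");
        RefCountedKeyMaterialCache cache = new RefCountedKeyMaterialCache(km);

        KeyMaterial v1 = cache.chooseKeyMaterial("cert-v1");   // an in-flight handshake holds a reference
        km.aliases.remove("cert-v1");                          // rotation: v1 retired, v2 issued
        km.aliases.add("cert-v2");
        KeyMaterial v2 = cache.chooseKeyMaterial("cert-v2");   // miss: cert-v1 is evicted, cache holds only v2

        System.out.println("cache size=" + cache.size() + " v1 refCnt=" + v1.refCnt()); // v1 still alive
        boolean freedV1 = v1.release();                        // handshake done: last reference goes away
        System.out.println("v1 freed=" + freedV1 + " v2 refCnt=" + v2.refCnt());
        v2.release();
    }
}
```

Two details carry the safety argument. First, `compute` and `computeIfPresent` on the same key are serialized by the map's per-bin lock, so inside the lambdas the cache's own reference is guaranteed to still be held and `retain()` there can never observe a freed material. Second, the lock-free hit path is only safe because `retain()` refuses to go from zero to one; when it loses the race against an eviction it throws, and the caller falls through to the locked reload instead of using freed memory.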