Expose QuicSslContextBuilder::sni#16178
Merged
normanmaurer merged 3 commits intonetty:4.2from Feb 16, 2026
Merged
Conversation
Member
|
@ZeroErrors thanks a lot! |
normanmaurer
added a commit
that referenced
this pull request
Feb 16, 2026
**Motivation:**
In order to be able to receive the `SniCompletionEvent` sni mapping
needs to be used, however, the function
`QuicSslContextBuilder::buildForServerWithSni` doesn't allow setting
`ClientAuth` and alternativly the builder doesn't allow setting the SNI
mapping.
This means there is currently no way to use both SNI mapping and
support/enforce client certs with QUIC.
**Modification:**
Expose the `QuicSslContextBuilder::sni` so that its possible to create a
`QuicSslContext` with SNI mapping alongside other settings.
Also adds `QuicChannelConnectTest::testSniWithClientAuth` to validate
**Result:**
The following then works to allow both receiving the
`SniCompletionEvent` and require a client cert
```
// Build context with clientAuth and trustManager configured
QuicSslContext sniContext = QuicSslContextBuilder.forServer(key, null, cert)
.applicationProtocols("alpn/1")
.clientAuth(ClientAuth.REQUIRE)
// ...
.build();
// Create SNI-enabled context using the builder's sni() method
QuicSslContext serverContext = QuicSslContextBuilder.forServer(key, null, cert)
.clientAuth(ClientAuth.REQUIRE)
.sni(hostname -> sniContext)
.build();
```
Co-authored-by: Norman Maurer <norman_maurer@apple.com>
normanmaurer
added a commit
to netty/netty-incubator-codec-quic
that referenced
this pull request
Feb 17, 2026
**Motivation:**
In order to be able to receive the `SniCompletionEvent` sni mapping
needs to be used, however, the function
`QuicSslContextBuilder::buildForServerWithSni` doesn't allow setting
`ClientAuth` and alternativly the builder doesn't allow setting the SNI
mapping.
This means there is currently no way to use both SNI mapping and
support/enforce client certs with QUIC.
**Modification:**
Expose the `QuicSslContextBuilder::sni` so that its possible to create a
`QuicSslContext` with SNI mapping alongside other settings.
Also adds `QuicChannelConnectTest::testSniWithClientAuth` to validate
**Result:**
The following then works to allow both receiving the
`SniCompletionEvent` and require a client cert
```
// Build context with clientAuth and trustManager configured
QuicSslContext sniContext = QuicSslContextBuilder.forServer(key, null, cert)
.applicationProtocols("alpn/1")
.clientAuth(ClientAuth.REQUIRE)
// ...
.build();
// Create SNI-enabled context using the builder's sni() method
QuicSslContext serverContext = QuicSslContextBuilder.forServer(key, null, cert)
.clientAuth(ClientAuth.REQUIRE)
.sni(hostname -> sniContext)
.build();
```
Port of netty/netty#16178
normanmaurer
added a commit
to netty/netty-incubator-codec-quic
that referenced
this pull request
Feb 17, 2026
**Motivation:**
In order to be able to receive the `SniCompletionEvent` sni mapping
needs to be used, however, the function
`QuicSslContextBuilder::buildForServerWithSni` doesn't allow setting
`ClientAuth` and alternativly the builder doesn't allow setting the SNI
mapping.
This means there is currently no way to use both SNI mapping and
support/enforce client certs with QUIC.
**Modification:**
Expose the `QuicSslContextBuilder::sni` so that its possible to create a
`QuicSslContext` with SNI mapping alongside other settings.
Also adds `QuicChannelConnectTest::testSniWithClientAuth` to validate
**Result:**
The following then works to allow both receiving the
`SniCompletionEvent` and require a client cert
```
// Build context with clientAuth and trustManager configured
QuicSslContext sniContext = QuicSslContextBuilder.forServer(key, null, cert)
.applicationProtocols("alpn/1")
.clientAuth(ClientAuth.REQUIRE)
// ...
.build();
// Create SNI-enabled context using the builder's sni() method
QuicSslContext serverContext = QuicSslContextBuilder.forServer(key, null, cert)
.clientAuth(ClientAuth.REQUIRE)
.sni(hostname -> sniContext)
.build();
```
Port of netty/netty#16178
normanmaurer
added a commit
that referenced
this pull request
Feb 18, 2026
**Motivation:**
In order to be able to receive the `SniCompletionEvent` sni mapping
needs to be used, however, the function
`QuicSslContextBuilder::buildForServerWithSni` doesn't allow setting
`ClientAuth` and alternativly the builder doesn't allow setting the SNI
mapping.
This means there is currently no way to use both SNI mapping and
support/enforce client certs with QUIC.
**Modification:**
Expose the `QuicSslContextBuilder::sni` so that its possible to create a
`QuicSslContext` with SNI mapping alongside other settings.
Also adds `QuicChannelConnectTest::testSniWithClientAuth` to validate
**Result:**
The following then works to allow both receiving the
`SniCompletionEvent` and require a client cert
```
// Build context with clientAuth and trustManager configured
QuicSslContext sniContext = QuicSslContextBuilder.forServer(key, null, cert)
.applicationProtocols("alpn/1")
.clientAuth(ClientAuth.REQUIRE)
// ...
.build();
// Create SNI-enabled context using the builder's sni() method
QuicSslContext serverContext = QuicSslContextBuilder.forServer(key, null, cert)
.clientAuth(ClientAuth.REQUIRE)
.sni(hostname -> sniContext)
.build();
```
---------
Co-authored-by: Zero <1109304+ZeroErrors@users.noreply.github.com>
mergify bot
added a commit
to ArcadeData/arcadedb
that referenced
this pull request
Mar 29, 2026
…l [skip ci] Bumps [io.netty:netty-all](https://github.com/netty/netty) from 4.2.10.Final to 4.2.12.Final. Release notes *Sourced from [io.netty:netty-all's releases](https://github.com/netty/netty/releases).* > netty-4.2.12.Final > ------------------ > > What's Changed > -------------- > > * Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16550](https://redirect.github.com/netty/netty/pull/16550) > > **Full Changelog**: <netty/netty@netty-4.2.11.Final...netty-4.2.12.Final> > > netty-4.2.11.Final > ------------------ > > Security > -------- > > * CVE-2026-33871, [HTTP/2 CONTINUATION Frame Flood Denial of Service](GHSA-w9fj-cfpg-grvv) > * CVE-2026-33870, [HTTP Request Smuggling via Chunked Extension Quoted-String Parsing](GHSA-pwqr-wmgm-9rr8) > > What's Changed > -------------- > > * Update to latest JDK 26 EA release by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16230](https://redirect.github.com/netty/netty/pull/16230) > * HTTP3: Allow to support non-standard HTTP3 settings by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16171](https://redirect.github.com/netty/netty/pull/16171) > * Fix Incorrect nanos-to-millis conversion in epoll\_wait EINTR retry loop by [`@adwsingh`](https://github.com/adwsingh) in [netty/netty#16245](https://redirect.github.com/netty/netty/pull/16245) > * Allocate one large segment and slice for each MsgHdrMemory by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16234](https://redirect.github.com/netty/netty/pull/16234) > * Make RefCntOpenSslContext.deallocate more robust by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16253](https://redirect.github.com/netty/netty/pull/16253) > * Epoll: Fix excessive CPU usage when Channel is only registered but no… by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16250](https://redirect.github.com/netty/netty/pull/16250) > * Update to gcc for arm 10.3-2021.07 by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16255](https://redirect.github.com/netty/netty/pull/16255) > * Add acmeIdentifier extension support to pkitesting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16256](https://redirect.github.com/netty/netty/pull/16256) > * Update JDK versions to latest patch releases by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16254](https://redirect.github.com/netty/netty/pull/16254) > * Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method by [`@doom369`](https://github.com/doom369) in [netty/netty#16241](https://redirect.github.com/netty/netty/pull/16241) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16269](https://redirect.github.com/netty/netty/pull/16269) > * Revert "Automatic backporting workflow from 4.1 to 4.2" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16270](https://redirect.github.com/netty/netty/pull/16270) > * HTTP2: Correctly account for padding when decompress by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16264](https://redirect.github.com/netty/netty/pull/16264) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16271](https://redirect.github.com/netty/netty/pull/16271) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16273](https://redirect.github.com/netty/netty/pull/16273) > * Backport PRs must be created with personal access tokens by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16276](https://redirect.github.com/netty/netty/pull/16276) > * Expose QuicSslContextBuilder::sni by [`@ZeroErrors`](https://github.com/ZeroErrors) in [netty/netty#16178](https://redirect.github.com/netty/netty/pull/16178) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16275](https://redirect.github.com/netty/netty/pull/16275) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16283](https://redirect.github.com/netty/netty/pull/16283) > * Remove the unpooled allocator from test permutations by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16282](https://redirect.github.com/netty/netty/pull/16282) > * Some polishing of the porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16288](https://redirect.github.com/netty/netty/pull/16288) > * Allow to set destination connection id when creating a client side QuicheChannel by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16286](https://redirect.github.com/netty/netty/pull/16286) > * Update to latest JDK26 EA build by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16295](https://redirect.github.com/netty/netty/pull/16295) > * Add javadoc to clarify responsibility of the user when generating the remote connection id by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16293](https://redirect.github.com/netty/netty/pull/16293) > * Make the build run faster by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16290](https://redirect.github.com/netty/netty/pull/16290) > * Fix IDE warnings in SslHandler by [`@doom369`](https://github.com/doom369) in [netty/netty#16237](https://redirect.github.com/netty/netty/pull/16237) > * Decrease Long allocations and map.put calls in ReferenceCountedOpenSllEngine in handshake() method by [`@doom369`](https://github.com/doom369) in [netty/netty#16242](https://redirect.github.com/netty/netty/pull/16242) > * Support boringssl SSLCredential API by [`@jmcrawford45`](https://github.com/jmcrawford45) in [netty/netty#15919](https://redirect.github.com/netty/netty/pull/15919) > * Fix high-order bit aliasing in HttpUtil.validateToken by [`@furkanvarol`](https://github.com/furkanvarol) in [netty/netty#16279](https://redirect.github.com/netty/netty/pull/16279) > * Improve multi-byte access performance when UNALIGNED availability is unknown by [`@Songdoeon`](https://github.com/Songdoeon) in [netty/netty#16207](https://redirect.github.com/netty/netty/pull/16207) > * Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine by [`@doom369`](https://github.com/doom369) in [netty/netty#16278](https://redirect.github.com/netty/netty/pull/16278) > * Support more branch freedom for auto-porting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16300](https://redirect.github.com/netty/netty/pull/16300) > * fix: the precedence of + is higher than >> by [`@cuiweixie`](https://github.com/cuiweixie) in [netty/netty#16312](https://redirect.github.com/netty/netty/pull/16312) > * AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() by [`@laosijikaichele`](https://github.com/laosijikaichele) in [netty/netty#16309](https://redirect.github.com/netty/netty/pull/16309) > * Fix flaky PooledByteBufAllocatorTest by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16313](https://redirect.github.com/netty/netty/pull/16313) > * Fix pooled arena accounting tests by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16321](https://redirect.github.com/netty/netty/pull/16321) ... (truncated) Commits * [`67ce541`](netty/netty@67ce541) [maven-release-plugin] prepare release netty-4.2.12.Final * [`7074624`](netty/netty@7074624) Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`c3b0a43`](netty/netty@c3b0a43) [maven-release-plugin] prepare for next development iteration * [`c94a818`](netty/netty@c94a818) [maven-release-plugin] prepare release netty-4.2.11.Final * [`3b76df1`](netty/netty@3b76df1) Merge commit from fork * [`aae944a`](netty/netty@aae944a) Auto-port 4.2: Limit the number of Continuation frames per HTTP2 Headers ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`6001499`](netty/netty@6001499) Eliminate redundant bounds checks in CompositeByteBuf accessors ([#16525](https://redirect.github.com/netty/netty/issues/16525)) * [`a7fbb6f`](netty/netty@a7fbb6f) JdkZlibDecoder: accumulate decompressed output before firing channelRead ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`7937553`](netty/netty@7937553) Enforce io.netty.maxDirectMemory accounting on all Java versions ([#16489](https://redirect.github.com/netty/netty/issues/16489)) * [`893ea2e`](netty/netty@893ea2e) Allocate less in QueryStringDecoder.addParam for typical use case ([#16527](https://redirect.github.com/netty/netty/issues/16527)) * Additional commits viewable in [compare view](netty/netty@netty-4.2.10.Final...netty-4.2.12.Final) [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
mergify bot
added a commit
to ArcadeData/arcadedb
that referenced
this pull request
Mar 29, 2026
…ip ci] Bumps `netty.version` from 4.2.10.Final to 4.2.12.Final. Updates `io.netty:netty-transport` from 4.2.10.Final to 4.2.12.Final Release notes *Sourced from [io.netty:netty-transport's releases](https://github.com/netty/netty/releases).* > netty-4.2.12.Final > ------------------ > > What's Changed > -------------- > > * Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16550](https://redirect.github.com/netty/netty/pull/16550) > > **Full Changelog**: <netty/netty@netty-4.2.11.Final...netty-4.2.12.Final> > > netty-4.2.11.Final > ------------------ > > Security > -------- > > * CVE-2026-33871, [HTTP/2 CONTINUATION Frame Flood Denial of Service](GHSA-w9fj-cfpg-grvv) > * CVE-2026-33870, [HTTP Request Smuggling via Chunked Extension Quoted-String Parsing](GHSA-pwqr-wmgm-9rr8) > > What's Changed > -------------- > > * Update to latest JDK 26 EA release by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16230](https://redirect.github.com/netty/netty/pull/16230) > * HTTP3: Allow to support non-standard HTTP3 settings by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16171](https://redirect.github.com/netty/netty/pull/16171) > * Fix Incorrect nanos-to-millis conversion in epoll\_wait EINTR retry loop by [`@adwsingh`](https://github.com/adwsingh) in [netty/netty#16245](https://redirect.github.com/netty/netty/pull/16245) > * Allocate one large segment and slice for each MsgHdrMemory by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16234](https://redirect.github.com/netty/netty/pull/16234) > * Make RefCntOpenSslContext.deallocate more robust by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16253](https://redirect.github.com/netty/netty/pull/16253) > * Epoll: Fix excessive CPU usage when Channel is only registered but no… by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16250](https://redirect.github.com/netty/netty/pull/16250) > * Update to gcc for arm 10.3-2021.07 by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16255](https://redirect.github.com/netty/netty/pull/16255) > * Add acmeIdentifier extension support to pkitesting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16256](https://redirect.github.com/netty/netty/pull/16256) > * Update JDK versions to latest patch releases by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16254](https://redirect.github.com/netty/netty/pull/16254) > * Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method by [`@doom369`](https://github.com/doom369) in [netty/netty#16241](https://redirect.github.com/netty/netty/pull/16241) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16269](https://redirect.github.com/netty/netty/pull/16269) > * Revert "Automatic backporting workflow from 4.1 to 4.2" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16270](https://redirect.github.com/netty/netty/pull/16270) > * HTTP2: Correctly account for padding when decompress by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16264](https://redirect.github.com/netty/netty/pull/16264) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16271](https://redirect.github.com/netty/netty/pull/16271) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16273](https://redirect.github.com/netty/netty/pull/16273) > * Backport PRs must be created with personal access tokens by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16276](https://redirect.github.com/netty/netty/pull/16276) > * Expose QuicSslContextBuilder::sni by [`@ZeroErrors`](https://github.com/ZeroErrors) in [netty/netty#16178](https://redirect.github.com/netty/netty/pull/16178) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16275](https://redirect.github.com/netty/netty/pull/16275) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16283](https://redirect.github.com/netty/netty/pull/16283) > * Remove the unpooled allocator from test permutations by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16282](https://redirect.github.com/netty/netty/pull/16282) > * Some polishing of the porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16288](https://redirect.github.com/netty/netty/pull/16288) > * Allow to set destination connection id when creating a client side QuicheChannel by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16286](https://redirect.github.com/netty/netty/pull/16286) > * Update to latest JDK26 EA build by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16295](https://redirect.github.com/netty/netty/pull/16295) > * Add javadoc to clarify responsibility of the user when generating the remote connection id by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16293](https://redirect.github.com/netty/netty/pull/16293) > * Make the build run faster by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16290](https://redirect.github.com/netty/netty/pull/16290) > * Fix IDE warnings in SslHandler by [`@doom369`](https://github.com/doom369) in [netty/netty#16237](https://redirect.github.com/netty/netty/pull/16237) > * Decrease Long allocations and map.put calls in ReferenceCountedOpenSllEngine in handshake() method by [`@doom369`](https://github.com/doom369) in [netty/netty#16242](https://redirect.github.com/netty/netty/pull/16242) > * Support boringssl SSLCredential API by [`@jmcrawford45`](https://github.com/jmcrawford45) in [netty/netty#15919](https://redirect.github.com/netty/netty/pull/15919) > * Fix high-order bit aliasing in HttpUtil.validateToken by [`@furkanvarol`](https://github.com/furkanvarol) in [netty/netty#16279](https://redirect.github.com/netty/netty/pull/16279) > * Improve multi-byte access performance when UNALIGNED availability is unknown by [`@Songdoeon`](https://github.com/Songdoeon) in [netty/netty#16207](https://redirect.github.com/netty/netty/pull/16207) > * Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine by [`@doom369`](https://github.com/doom369) in [netty/netty#16278](https://redirect.github.com/netty/netty/pull/16278) > * Support more branch freedom for auto-porting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16300](https://redirect.github.com/netty/netty/pull/16300) > * fix: the precedence of + is higher than >> by [`@cuiweixie`](https://github.com/cuiweixie) in [netty/netty#16312](https://redirect.github.com/netty/netty/pull/16312) > * AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() by [`@laosijikaichele`](https://github.com/laosijikaichele) in [netty/netty#16309](https://redirect.github.com/netty/netty/pull/16309) > * Fix flaky PooledByteBufAllocatorTest by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16313](https://redirect.github.com/netty/netty/pull/16313) > * Fix pooled arena accounting tests by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16321](https://redirect.github.com/netty/netty/pull/16321) ... (truncated) Commits * [`67ce541`](netty/netty@67ce541) [maven-release-plugin] prepare release netty-4.2.12.Final * [`7074624`](netty/netty@7074624) Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`c3b0a43`](netty/netty@c3b0a43) [maven-release-plugin] prepare for next development iteration * [`c94a818`](netty/netty@c94a818) [maven-release-plugin] prepare release netty-4.2.11.Final * [`3b76df1`](netty/netty@3b76df1) Merge commit from fork * [`aae944a`](netty/netty@aae944a) Auto-port 4.2: Limit the number of Continuation frames per HTTP2 Headers ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`6001499`](netty/netty@6001499) Eliminate redundant bounds checks in CompositeByteBuf accessors ([#16525](https://redirect.github.com/netty/netty/issues/16525)) * [`a7fbb6f`](netty/netty@a7fbb6f) JdkZlibDecoder: accumulate decompressed output before firing channelRead ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`7937553`](netty/netty@7937553) Enforce io.netty.maxDirectMemory accounting on all Java versions ([#16489](https://redirect.github.com/netty/netty/issues/16489)) * [`893ea2e`](netty/netty@893ea2e) Allocate less in QueryStringDecoder.addParam for typical use case ([#16527](https://redirect.github.com/netty/netty/issues/16527)) * Additional commits viewable in [compare view](netty/netty@netty-4.2.10.Final...netty-4.2.12.Final) Updates `io.netty:netty-codec` from 4.2.10.Final to 4.2.12.Final Release notes *Sourced from [io.netty:netty-codec's releases](https://github.com/netty/netty/releases).* > netty-4.2.12.Final > ------------------ > > What's Changed > -------------- > > * Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16550](https://redirect.github.com/netty/netty/pull/16550) > > **Full Changelog**: <netty/netty@netty-4.2.11.Final...netty-4.2.12.Final> > > netty-4.2.11.Final > ------------------ > > Security > -------- > > * CVE-2026-33871, [HTTP/2 CONTINUATION Frame Flood Denial of Service](GHSA-w9fj-cfpg-grvv) > * CVE-2026-33870, [HTTP Request Smuggling via Chunked Extension Quoted-String Parsing](GHSA-pwqr-wmgm-9rr8) > > What's Changed > -------------- > > * Update to latest JDK 26 EA release by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16230](https://redirect.github.com/netty/netty/pull/16230) > * HTTP3: Allow to support non-standard HTTP3 settings by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16171](https://redirect.github.com/netty/netty/pull/16171) > * Fix Incorrect nanos-to-millis conversion in epoll\_wait EINTR retry loop by [`@adwsingh`](https://github.com/adwsingh) in [netty/netty#16245](https://redirect.github.com/netty/netty/pull/16245) > * Allocate one large segment and slice for each MsgHdrMemory by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16234](https://redirect.github.com/netty/netty/pull/16234) > * Make RefCntOpenSslContext.deallocate more robust by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16253](https://redirect.github.com/netty/netty/pull/16253) > * Epoll: Fix excessive CPU usage when Channel is only registered but no… by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16250](https://redirect.github.com/netty/netty/pull/16250) > * Update to gcc for arm 10.3-2021.07 by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16255](https://redirect.github.com/netty/netty/pull/16255) > * Add acmeIdentifier extension support to pkitesting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16256](https://redirect.github.com/netty/netty/pull/16256) > * Update JDK versions to latest patch releases by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16254](https://redirect.github.com/netty/netty/pull/16254) > * Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method by [`@doom369`](https://github.com/doom369) in [netty/netty#16241](https://redirect.github.com/netty/netty/pull/16241) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16269](https://redirect.github.com/netty/netty/pull/16269) > * Revert "Automatic backporting workflow from 4.1 to 4.2" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16270](https://redirect.github.com/netty/netty/pull/16270) > * HTTP2: Correctly account for padding when decompress by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16264](https://redirect.github.com/netty/netty/pull/16264) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16271](https://redirect.github.com/netty/netty/pull/16271) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16273](https://redirect.github.com/netty/netty/pull/16273) > * Backport PRs must be created with personal access tokens by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16276](https://redirect.github.com/netty/netty/pull/16276) > * Expose QuicSslContextBuilder::sni by [`@ZeroErrors`](https://github.com/ZeroErrors) in [netty/netty#16178](https://redirect.github.com/netty/netty/pull/16178) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16275](https://redirect.github.com/netty/netty/pull/16275) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16283](https://redirect.github.com/netty/netty/pull/16283) > * Remove the unpooled allocator from test permutations by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16282](https://redirect.github.com/netty/netty/pull/16282) > * Some polishing of the porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16288](https://redirect.github.com/netty/netty/pull/16288) > * Allow to set destination connection id when creating a client side QuicheChannel by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16286](https://redirect.github.com/netty/netty/pull/16286) > * Update to latest JDK26 EA build by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16295](https://redirect.github.com/netty/netty/pull/16295) > * Add javadoc to clarify responsibility of the user when generating the remote connection id by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16293](https://redirect.github.com/netty/netty/pull/16293) > * Make the build run faster by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16290](https://redirect.github.com/netty/netty/pull/16290) > * Fix IDE warnings in SslHandler by [`@doom369`](https://github.com/doom369) in [netty/netty#16237](https://redirect.github.com/netty/netty/pull/16237) > * Decrease Long allocations and map.put calls in ReferenceCountedOpenSllEngine in handshake() method by [`@doom369`](https://github.com/doom369) in [netty/netty#16242](https://redirect.github.com/netty/netty/pull/16242) > * Support boringssl SSLCredential API by [`@jmcrawford45`](https://github.com/jmcrawford45) in [netty/netty#15919](https://redirect.github.com/netty/netty/pull/15919) > * Fix high-order bit aliasing in HttpUtil.validateToken by [`@furkanvarol`](https://github.com/furkanvarol) in [netty/netty#16279](https://redirect.github.com/netty/netty/pull/16279) > * Improve multi-byte access performance when UNALIGNED availability is unknown by [`@Songdoeon`](https://github.com/Songdoeon) in [netty/netty#16207](https://redirect.github.com/netty/netty/pull/16207) > * Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine by [`@doom369`](https://github.com/doom369) in [netty/netty#16278](https://redirect.github.com/netty/netty/pull/16278) > * Support more branch freedom for auto-porting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16300](https://redirect.github.com/netty/netty/pull/16300) > * fix: the precedence of + is higher than >> by [`@cuiweixie`](https://github.com/cuiweixie) in [netty/netty#16312](https://redirect.github.com/netty/netty/pull/16312) > * AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() by [`@laosijikaichele`](https://github.com/laosijikaichele) in [netty/netty#16309](https://redirect.github.com/netty/netty/pull/16309) > * Fix flaky PooledByteBufAllocatorTest by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16313](https://redirect.github.com/netty/netty/pull/16313) > * Fix pooled arena accounting tests by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16321](https://redirect.github.com/netty/netty/pull/16321) ... (truncated) Commits * [`67ce541`](netty/netty@67ce541) [maven-release-plugin] prepare release netty-4.2.12.Final * [`7074624`](netty/netty@7074624) Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`c3b0a43`](netty/netty@c3b0a43) [maven-release-plugin] prepare for next development iteration * [`c94a818`](netty/netty@c94a818) [maven-release-plugin] prepare release netty-4.2.11.Final * [`3b76df1`](netty/netty@3b76df1) Merge commit from fork * [`aae944a`](netty/netty@aae944a) Auto-port 4.2: Limit the number of Continuation frames per HTTP2 Headers ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`6001499`](netty/netty@6001499) Eliminate redundant bounds checks in CompositeByteBuf accessors ([#16525](https://redirect.github.com/netty/netty/issues/16525)) * [`a7fbb6f`](netty/netty@a7fbb6f) JdkZlibDecoder: accumulate decompressed output before firing channelRead ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`7937553`](netty/netty@7937553) Enforce io.netty.maxDirectMemory accounting on all Java versions ([#16489](https://redirect.github.com/netty/netty/issues/16489)) * [`893ea2e`](netty/netty@893ea2e) Allocate less in QueryStringDecoder.addParam for typical use case ([#16527](https://redirect.github.com/netty/netty/issues/16527)) * Additional commits viewable in [compare view](netty/netty@netty-4.2.10.Final...netty-4.2.12.Final) Updates `io.netty:netty-handler` from 4.2.10.Final to 4.2.12.Final Release notes *Sourced from [io.netty:netty-handler's releases](https://github.com/netty/netty/releases).* > netty-4.2.12.Final > ------------------ > > What's Changed > -------------- > > * Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16550](https://redirect.github.com/netty/netty/pull/16550) > > **Full Changelog**: <netty/netty@netty-4.2.11.Final...netty-4.2.12.Final> > > netty-4.2.11.Final > ------------------ > > Security > -------- > > * CVE-2026-33871, [HTTP/2 CONTINUATION Frame Flood Denial of Service](GHSA-w9fj-cfpg-grvv) > * CVE-2026-33870, [HTTP Request Smuggling via Chunked Extension Quoted-String Parsing](GHSA-pwqr-wmgm-9rr8) > > What's Changed > -------------- > > * Update to latest JDK 26 EA release by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16230](https://redirect.github.com/netty/netty/pull/16230) > * HTTP3: Allow to support non-standard HTTP3 settings by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16171](https://redirect.github.com/netty/netty/pull/16171) > * Fix Incorrect nanos-to-millis conversion in epoll\_wait EINTR retry loop by [`@adwsingh`](https://github.com/adwsingh) in [netty/netty#16245](https://redirect.github.com/netty/netty/pull/16245) > * Allocate one large segment and slice for each MsgHdrMemory by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16234](https://redirect.github.com/netty/netty/pull/16234) > * Make RefCntOpenSslContext.deallocate more robust by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16253](https://redirect.github.com/netty/netty/pull/16253) > * Epoll: Fix excessive CPU usage when Channel is only registered but no… by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16250](https://redirect.github.com/netty/netty/pull/16250) > * Update to gcc for arm 10.3-2021.07 by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16255](https://redirect.github.com/netty/netty/pull/16255) > * Add acmeIdentifier extension support to pkitesting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16256](https://redirect.github.com/netty/netty/pull/16256) > * Update JDK versions to latest patch releases by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16254](https://redirect.github.com/netty/netty/pull/16254) > * Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method by [`@doom369`](https://github.com/doom369) in [netty/netty#16241](https://redirect.github.com/netty/netty/pull/16241) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16269](https://redirect.github.com/netty/netty/pull/16269) > * Revert "Automatic backporting workflow from 4.1 to 4.2" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16270](https://redirect.github.com/netty/netty/pull/16270) > * HTTP2: Correctly account for padding when decompress by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16264](https://redirect.github.com/netty/netty/pull/16264) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16271](https://redirect.github.com/netty/netty/pull/16271) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16273](https://redirect.github.com/netty/netty/pull/16273) > * Backport PRs must be created with personal access tokens by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16276](https://redirect.github.com/netty/netty/pull/16276) > * Expose QuicSslContextBuilder::sni by [`@ZeroErrors`](https://github.com/ZeroErrors) in [netty/netty#16178](https://redirect.github.com/netty/netty/pull/16178) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16275](https://redirect.github.com/netty/netty/pull/16275) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16283](https://redirect.github.com/netty/netty/pull/16283) > * Remove the unpooled allocator from test permutations by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16282](https://redirect.github.com/netty/netty/pull/16282) > * Some polishing of the porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16288](https://redirect.github.com/netty/netty/pull/16288) > * Allow to set destination connection id when creating a client side QuicheChannel by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16286](https://redirect.github.com/netty/netty/pull/16286) > * Update to latest JDK26 EA build by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16295](https://redirect.github.com/netty/netty/pull/16295) > * Add javadoc to clarify responsibility of the user when generating the remote connection id by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16293](https://redirect.github.com/netty/netty/pull/16293) > * Make the build run faster by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16290](https://redirect.github.com/netty/netty/pull/16290) > * Fix IDE warnings in SslHandler by [`@doom369`](https://github.com/doom369) in [netty/netty#16237](https://redirect.github.com/netty/netty/pull/16237) > * Decrease Long allocations and map.put calls in ReferenceCountedOpenSllEngine in handshake() method by [`@doom369`](https://github.com/doom369) in [netty/netty#16242](https://redirect.github.com/netty/netty/pull/16242) > * Support boringssl SSLCredential API by [`@jmcrawford45`](https://github.com/jmcrawford45) in [netty/netty#15919](https://redirect.github.com/netty/netty/pull/15919) > * Fix high-order bit aliasing in HttpUtil.validateToken by [`@furkanvarol`](https://github.com/furkanvarol) in [netty/netty#16279](https://redirect.github.com/netty/netty/pull/16279) > * Improve multi-byte access performance when UNALIGNED availability is unknown by [`@Songdoeon`](https://github.com/Songdoeon) in [netty/netty#16207](https://redirect.github.com/netty/netty/pull/16207) > * Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine by [`@doom369`](https://github.com/doom369) in [netty/netty#16278](https://redirect.github.com/netty/netty/pull/16278) > * Support more branch freedom for auto-porting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16300](https://redirect.github.com/netty/netty/pull/16300) > * fix: the precedence of + is higher than >> by [`@cuiweixie`](https://github.com/cuiweixie) in [netty/netty#16312](https://redirect.github.com/netty/netty/pull/16312) > * AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() by [`@laosijikaichele`](https://github.com/laosijikaichele) in [netty/netty#16309](https://redirect.github.com/netty/netty/pull/16309) > * Fix flaky PooledByteBufAllocatorTest by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16313](https://redirect.github.com/netty/netty/pull/16313) > * Fix pooled arena accounting tests by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16321](https://redirect.github.com/netty/netty/pull/16321) ... (truncated) Commits * [`67ce541`](netty/netty@67ce541) [maven-release-plugin] prepare release netty-4.2.12.Final * [`7074624`](netty/netty@7074624) Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`c3b0a43`](netty/netty@c3b0a43) [maven-release-plugin] prepare for next development iteration * [`c94a818`](netty/netty@c94a818) [maven-release-plugin] prepare release netty-4.2.11.Final * [`3b76df1`](netty/netty@3b76df1) Merge commit from fork * [`aae944a`](netty/netty@aae944a) Auto-port 4.2: Limit the number of Continuation frames per HTTP2 Headers ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`6001499`](netty/netty@6001499) Eliminate redundant bounds checks in CompositeByteBuf accessors ([#16525](https://redirect.github.com/netty/netty/issues/16525)) * [`a7fbb6f`](netty/netty@a7fbb6f) JdkZlibDecoder: accumulate decompressed output before firing channelRead ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`7937553`](netty/netty@7937553) Enforce io.netty.maxDirectMemory accounting on all Java versions ([#16489](https://redirect.github.com/netty/netty/issues/16489)) * [`893ea2e`](netty/netty@893ea2e) Allocate less in QueryStringDecoder.addParam for typical use case ([#16527](https://redirect.github.com/netty/netty/issues/16527)) * Additional commits viewable in [compare view](netty/netty@netty-4.2.10.Final...netty-4.2.12.Final) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation:
In order to be able to receive the
SniCompletionEventsni mapping needs to be used, however, the functionQuicSslContextBuilder::buildForServerWithSnidoesn't allow settingClientAuthand alternativly the builder doesn't allow setting the SNI mapping.This means there is currently no way to use both SNI mapping and support/enforce client certs with QUIC.
Modification:
Expose the
QuicSslContextBuilder::sniso that its possible to create aQuicSslContextwith SNI mapping alongside other settings.Also adds
QuicChannelConnectTest::testSniWithClientAuthto validateResult:
The following then works to allow both receiving the
SniCompletionEventand require a client cert