Avoid re-parsing openssl key material with non-cached provider#16759
Merged
Conversation
Motivation: The non-caching `OpenSslKeyMaterialProvider` must check with the `KeyManager` on every handshake, if the certificate and keys have changed. However, if they haven't then it is a waste of cycles to allocate, serialize, and parse the key material on every handshake. Modification: Add a single-entry cache of the key material and do an identity on the key and certificates after the `KeyManager` look-up. If there's a match, we can reuse the key material we created earlier. Many systems, particularly internal web services, only have a single key and certificate pair, so the single-entry cache will be very effective there. Result: Speeds up TLS handshakes when a server is configured with a `KeyManagerFactory` or `KeyManager`, and the key/cert pair isn't changing on every handshake.
Contributor
|
Auto-port PR for 5.0: #16761 |
chrisvest
added a commit
that referenced
this pull request
May 10, 2026
…provider (#16761) Auto-port of #16759 to 5.0 Cherry-picked commit: edffed0 --- Motivation: The non-caching `OpenSslKeyMaterialProvider` must check with the `KeyManager` on every handshake, if the certificate and keys have changed. However, if they haven't then it is a waste of cycles to allocate, serialize, and parse the key material on every handshake. Modification: Add a single-entry cache of the key material and do an identity on the key and certificates after the `KeyManager` look-up. If there's a match, we can reuse the key material we created earlier. Many systems, particularly internal web services, only have a single key and certificate pair, so the single-entry cache will be very effective there. Result: Speeds up TLS handshakes when a server is configured with a `KeyManagerFactory` or `KeyManager`, and the key/cert pair isn't changing on every handshake. Co-authored-by: Chris Vest <christianvest_hansen@apple.com>
Contributor
|
Could not create auto-port PR. |
Member
Author
|
Backport to 4.1: #16791 (someone asked for this) |
chrisvest
added a commit
that referenced
this pull request
May 11, 2026
… (#16791) Motivation: The non-caching `OpenSslKeyMaterialProvider` must check with the `KeyManager` on every handshake, if the certificate and keys have changed. However, if they haven't then it is a waste of cycles to allocate, serialize, and parse the key material on every handshake. Modification: Add a single-entry cache of the key material and do an identity on the key and certificates after the `KeyManager` look-up. If there's a match, we can reuse the key material we created earlier. Many systems, particularly internal web services, only have a single key and certificate pair, so the single-entry cache will be very effective there. Result: Speeds up TLS handshakes when a server is configured with a `KeyManagerFactory` or `KeyManager`, and the key/cert pair isn't changing on every handshake. (cherry picked from commit edffed0)
dongjoon-hyun
added a commit
to apache/spark-kubernetes-operator
that referenced
this pull request
May 22, 2026
### What changes were proposed in this pull request? This PR aims to upgrade `Netty` to 4.2.14.Final. ### Why are the changes needed? To bring the latest bug fixes and improvements. - https://netty.io/news/2026/05/20/4-2-14-Final.html - netty/netty#16747 - netty/netty#16759 - netty/netty#16767 - netty/netty#16781 - netty/netty#16788 ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? Pass the CIs. ### Was this patch authored or co-authored using generative AI tooling? Generated-by: Claude Opus 4.7 Closes #689 from dongjoon-hyun/SPARK-57017. Authored-by: Dongjoon Hyun <dongjoon@apache.org> Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
mergify Bot
added a commit
to ArcadeData/arcadedb
that referenced
this pull request
May 24, 2026
…ip ci] Bumps `netty.version` from 4.2.13.Final to 4.2.14.Final. Updates `io.netty:netty-transport` from 4.2.13.Final to 4.2.14.Final Release notes *Sourced from [io.netty:netty-transport's releases](https://github.com/netty/netty/releases).* > netty-4.2.14.Final > ------------------ > > What's Changed > -------------- > > * HTTP: Fix revapi failure introduced by 84530fa81e12dcd1d42310bb20c1385cb44128d8 by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16748](https://redirect.github.com/netty/netty/pull/16748) > * HTTP: Re-add constructor to HttpProxyHandler that was removed by mistake by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16747](https://redirect.github.com/netty/netty/pull/16747) > * Marshalling: Explicit document security requirements by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16752](https://redirect.github.com/netty/netty/pull/16752) > * Fix io\_uring op completion TRACE logging by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16755](https://redirect.github.com/netty/netty/pull/16755) > * Quic: Ensure writes are done before notify close promise of QuicheQui… by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16758](https://redirect.github.com/netty/netty/pull/16758) > * Avoid re-parsing openssl key material with non-cached provider by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16759](https://redirect.github.com/netty/netty/pull/16759) > * Pin HTTP/RTSP version + method normalization to Locale.US by [`@daguimu`](https://github.com/daguimu) in [netty/netty#16765](https://redirect.github.com/netty/netty/pull/16765) > * Fill MsgHdrMemoryArray#hdrs with null entry on release by [`@tsegismont`](https://github.com/tsegismont) in [netty/netty#16764](https://redirect.github.com/netty/netty/pull/16764) > * Revapi: Use default "oldVersion" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16774](https://redirect.github.com/netty/netty/pull/16774) > * Adaptive: Fix concurrency issue in adaptive allocator by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16767](https://redirect.github.com/netty/netty/pull/16767) > * Auto-port 4.2: Make bulk byte moving in ByteBuf faster by [`@netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16781](https://redirect.github.com/netty/netty/pull/16781) > * Pin multipart Content-Type / Content-Transfer-Encoding case folding to Locale.US by [`@daguimu`](https://github.com/daguimu) in [netty/netty#16768](https://redirect.github.com/netty/netty/pull/16768) > * Remove dead native declarations by [`@pandareen`](https://github.com/pandareen) in [netty/netty#16783](https://redirect.github.com/netty/netty/pull/16783) > * Isolate tests that modify available Security providers by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16793](https://redirect.github.com/netty/netty/pull/16793) > * Remove test annotations from a method that isn't a test by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16792](https://redirect.github.com/netty/netty/pull/16792) > * Enable OpenSslCachingKeyMaterialProvider to evict stale entries after cert rotation by [`@zhangweikop`](https://github.com/zhangweikop) in [netty/netty#16523](https://redirect.github.com/netty/netty/pull/16523) > * IoUring: extend user data from short to long by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16682](https://redirect.github.com/netty/netty/pull/16682) > * Revert CompositeByteBuf component search fast path by [`@yawkat`](https://github.com/yawkat) in [netty/netty#16811](https://redirect.github.com/netty/netty/pull/16811) > * HTTP2: Use 100 as default max concurrent streams setting by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16804](https://redirect.github.com/netty/netty/pull/16804) > * Fix ResumptionController wrapping by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16815](https://redirect.github.com/netty/netty/pull/16815) > * Resolve all localhost addresses without querying DNS servers by [`@JulianVennen`](https://github.com/JulianVennen) in [netty/netty#16749](https://redirect.github.com/netty/netty/pull/16749) > * IpFilter: Fix ClassCastException caused by IpSubnetFilter if only ipv6 rules are configured but remote peer is using ipv4 by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16803](https://redirect.github.com/netty/netty/pull/16803) > * Fix memoryAddress() for direct ByteBuffers wrapped by Unpooled without Unsafe by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16788](https://redirect.github.com/netty/netty/pull/16788) > * Route synchronous onLookupComplete exceptions via fireExceptionCaught by [`@kwondh5217`](https://github.com/kwondh5217) in [netty/netty#16794](https://redirect.github.com/netty/netty/pull/16794) > * IoUring: Stop generic FileRegion drain loop when transferred() reaches count() by [`@LuciferYang`](https://github.com/LuciferYang) in [netty/netty#16826](https://redirect.github.com/netty/netty/pull/16826) > * MQTT: Allow MQTT 5 CONNECT with password only by [`@shblue21`](https://github.com/shblue21) in [netty/netty#16833](https://redirect.github.com/netty/netty/pull/16833) > * Fix MQTT decoder size check after variable header replay by [`@daguimu`](https://github.com/daguimu) in [netty/netty#16787](https://redirect.github.com/netty/netty/pull/16787) > > New Contributors > ---------------- > > * [`@pandareen`](https://github.com/pandareen) made their first contribution in [netty/netty#16783](https://redirect.github.com/netty/netty/pull/16783) > * [`@zhangweikop`](https://github.com/zhangweikop) made their first contribution in [netty/netty#16523](https://redirect.github.com/netty/netty/pull/16523) > * [`@JulianVennen`](https://github.com/JulianVennen) made their first contribution in [netty/netty#16749](https://redirect.github.com/netty/netty/pull/16749) > * [`@kwondh5217`](https://github.com/kwondh5217) made their first contribution in [netty/netty#16794](https://redirect.github.com/netty/netty/pull/16794) > * [`@shblue21`](https://github.com/shblue21) made their first contribution in [netty/netty#16833](https://redirect.github.com/netty/netty/pull/16833) > > **Full Changelog**: <netty/netty@netty-4.2.13.Final...netty-4.2.14.Final> Commits * [`0a60b75`](netty/netty@0a60b75) [maven-release-plugin] prepare release netty-4.2.14.Final * [`72df658`](netty/netty@72df658) Fix MQTT decoder size check after variable header replay ([#16787](https://redirect.github.com/netty/netty/issues/16787)) * [`7125dba`](netty/netty@7125dba) MQTT: Allow MQTT 5 CONNECT with password only ([#16833](https://redirect.github.com/netty/netty/issues/16833)) * [`9e19320`](netty/netty@9e19320) IoUring: Stop generic FileRegion drain loop when transferred() reaches count(... * [`4ce9f17`](netty/netty@4ce9f17) Route synchronous onLookupComplete exceptions via fireExceptionCaught ([#16794](https://redirect.github.com/netty/netty/issues/16794)) * [`f7b1b7d`](netty/netty@f7b1b7d) Fix memoryAddress() for direct ByteBuffers wrapped by Unpooled without Unsafe... * [`0ccb265`](netty/netty@0ccb265) IpFilter: Fix ClassCastException caused by IpSubnetFilter if only ipv6 rules ... * [`a6aeb6d`](netty/netty@a6aeb6d) Resolve all localhost addresses without querying DNS servers ([#16749](https://redirect.github.com/netty/netty/issues/16749)) * [`c328ba2`](netty/netty@c328ba2) Fix ResumptionController wrapping ([#16815](https://redirect.github.com/netty/netty/issues/16815)) * [`bc5862b`](netty/netty@bc5862b) HTTP2: Use 100 as default max concurrent streams setting ([#16804](https://redirect.github.com/netty/netty/issues/16804)) * Additional commits viewable in [compare view](netty/netty@netty-4.2.13.Final...netty-4.2.14.Final) Updates `io.netty:netty-codec` from 4.2.13.Final to 4.2.14.Final Release notes *Sourced from [io.netty:netty-codec's releases](https://github.com/netty/netty/releases).* > netty-4.2.14.Final > ------------------ > > What's Changed > -------------- > > * HTTP: Fix revapi failure introduced by 84530fa81e12dcd1d42310bb20c1385cb44128d8 by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16748](https://redirect.github.com/netty/netty/pull/16748) > * HTTP: Re-add constructor to HttpProxyHandler that was removed by mistake by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16747](https://redirect.github.com/netty/netty/pull/16747) > * Marshalling: Explicit document security requirements by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16752](https://redirect.github.com/netty/netty/pull/16752) > * Fix io\_uring op completion TRACE logging by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16755](https://redirect.github.com/netty/netty/pull/16755) > * Quic: Ensure writes are done before notify close promise of QuicheQui… by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16758](https://redirect.github.com/netty/netty/pull/16758) > * Avoid re-parsing openssl key material with non-cached provider by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16759](https://redirect.github.com/netty/netty/pull/16759) > * Pin HTTP/RTSP version + method normalization to Locale.US by [`@daguimu`](https://github.com/daguimu) in [netty/netty#16765](https://redirect.github.com/netty/netty/pull/16765) > * Fill MsgHdrMemoryArray#hdrs with null entry on release by [`@tsegismont`](https://github.com/tsegismont) in [netty/netty#16764](https://redirect.github.com/netty/netty/pull/16764) > * Revapi: Use default "oldVersion" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16774](https://redirect.github.com/netty/netty/pull/16774) > * Adaptive: Fix concurrency issue in adaptive allocator by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16767](https://redirect.github.com/netty/netty/pull/16767) > * Auto-port 4.2: Make bulk byte moving in ByteBuf faster by [`@netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16781](https://redirect.github.com/netty/netty/pull/16781) > * Pin multipart Content-Type / Content-Transfer-Encoding case folding to Locale.US by [`@daguimu`](https://github.com/daguimu) in [netty/netty#16768](https://redirect.github.com/netty/netty/pull/16768) > * Remove dead native declarations by [`@pandareen`](https://github.com/pandareen) in [netty/netty#16783](https://redirect.github.com/netty/netty/pull/16783) > * Isolate tests that modify available Security providers by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16793](https://redirect.github.com/netty/netty/pull/16793) > * Remove test annotations from a method that isn't a test by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16792](https://redirect.github.com/netty/netty/pull/16792) > * Enable OpenSslCachingKeyMaterialProvider to evict stale entries after cert rotation by [`@zhangweikop`](https://github.com/zhangweikop) in [netty/netty#16523](https://redirect.github.com/netty/netty/pull/16523) > * IoUring: extend user data from short to long by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16682](https://redirect.github.com/netty/netty/pull/16682) > * Revert CompositeByteBuf component search fast path by [`@yawkat`](https://github.com/yawkat) in [netty/netty#16811](https://redirect.github.com/netty/netty/pull/16811) > * HTTP2: Use 100 as default max concurrent streams setting by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16804](https://redirect.github.com/netty/netty/pull/16804) > * Fix ResumptionController wrapping by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16815](https://redirect.github.com/netty/netty/pull/16815) > * Resolve all localhost addresses without querying DNS servers by [`@JulianVennen`](https://github.com/JulianVennen) in [netty/netty#16749](https://redirect.github.com/netty/netty/pull/16749) > * IpFilter: Fix ClassCastException caused by IpSubnetFilter if only ipv6 rules are configured but remote peer is using ipv4 by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16803](https://redirect.github.com/netty/netty/pull/16803) > * Fix memoryAddress() for direct ByteBuffers wrapped by Unpooled without Unsafe by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16788](https://redirect.github.com/netty/netty/pull/16788) > * Route synchronous onLookupComplete exceptions via fireExceptionCaught by [`@kwondh5217`](https://github.com/kwondh5217) in [netty/netty#16794](https://redirect.github.com/netty/netty/pull/16794) > * IoUring: Stop generic FileRegion drain loop when transferred() reaches count() by [`@LuciferYang`](https://github.com/LuciferYang) in [netty/netty#16826](https://redirect.github.com/netty/netty/pull/16826) > * MQTT: Allow MQTT 5 CONNECT with password only by [`@shblue21`](https://github.com/shblue21) in [netty/netty#16833](https://redirect.github.com/netty/netty/pull/16833) > * Fix MQTT decoder size check after variable header replay by [`@daguimu`](https://github.com/daguimu) in [netty/netty#16787](https://redirect.github.com/netty/netty/pull/16787) > > New Contributors > ---------------- > > * [`@pandareen`](https://github.com/pandareen) made their first contribution in [netty/netty#16783](https://redirect.github.com/netty/netty/pull/16783) > * [`@zhangweikop`](https://github.com/zhangweikop) made their first contribution in [netty/netty#16523](https://redirect.github.com/netty/netty/pull/16523) > * [`@JulianVennen`](https://github.com/JulianVennen) made their first contribution in [netty/netty#16749](https://redirect.github.com/netty/netty/pull/16749) > * [`@kwondh5217`](https://github.com/kwondh5217) made their first contribution in [netty/netty#16794](https://redirect.github.com/netty/netty/pull/16794) > * [`@shblue21`](https://github.com/shblue21) made their first contribution in [netty/netty#16833](https://redirect.github.com/netty/netty/pull/16833) > > **Full Changelog**: <netty/netty@netty-4.2.13.Final...netty-4.2.14.Final> Commits * [`0a60b75`](netty/netty@0a60b75) [maven-release-plugin] prepare release netty-4.2.14.Final * [`72df658`](netty/netty@72df658) Fix MQTT decoder size check after variable header replay ([#16787](https://redirect.github.com/netty/netty/issues/16787)) * [`7125dba`](netty/netty@7125dba) MQTT: Allow MQTT 5 CONNECT with password only ([#16833](https://redirect.github.com/netty/netty/issues/16833)) * [`9e19320`](netty/netty@9e19320) IoUring: Stop generic FileRegion drain loop when transferred() reaches count(... * [`4ce9f17`](netty/netty@4ce9f17) Route synchronous onLookupComplete exceptions via fireExceptionCaught ([#16794](https://redirect.github.com/netty/netty/issues/16794)) * [`f7b1b7d`](netty/netty@f7b1b7d) Fix memoryAddress() for direct ByteBuffers wrapped by Unpooled without Unsafe... * [`0ccb265`](netty/netty@0ccb265) IpFilter: Fix ClassCastException caused by IpSubnetFilter if only ipv6 rules ... * [`a6aeb6d`](netty/netty@a6aeb6d) Resolve all localhost addresses without querying DNS servers ([#16749](https://redirect.github.com/netty/netty/issues/16749)) * [`c328ba2`](netty/netty@c328ba2) Fix ResumptionController wrapping ([#16815](https://redirect.github.com/netty/netty/issues/16815)) * [`bc5862b`](netty/netty@bc5862b) HTTP2: Use 100 as default max concurrent streams setting ([#16804](https://redirect.github.com/netty/netty/issues/16804)) * Additional commits viewable in [compare view](netty/netty@netty-4.2.13.Final...netty-4.2.14.Final) Updates `io.netty:netty-handler` from 4.2.13.Final to 4.2.14.Final Release notes *Sourced from [io.netty:netty-handler's releases](https://github.com/netty/netty/releases).* > netty-4.2.14.Final > ------------------ > > What's Changed > -------------- > > * HTTP: Fix revapi failure introduced by 84530fa81e12dcd1d42310bb20c1385cb44128d8 by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16748](https://redirect.github.com/netty/netty/pull/16748) > * HTTP: Re-add constructor to HttpProxyHandler that was removed by mistake by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16747](https://redirect.github.com/netty/netty/pull/16747) > * Marshalling: Explicit document security requirements by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16752](https://redirect.github.com/netty/netty/pull/16752) > * Fix io\_uring op completion TRACE logging by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16755](https://redirect.github.com/netty/netty/pull/16755) > * Quic: Ensure writes are done before notify close promise of QuicheQui… by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16758](https://redirect.github.com/netty/netty/pull/16758) > * Avoid re-parsing openssl key material with non-cached provider by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16759](https://redirect.github.com/netty/netty/pull/16759) > * Pin HTTP/RTSP version + method normalization to Locale.US by [`@daguimu`](https://github.com/daguimu) in [netty/netty#16765](https://redirect.github.com/netty/netty/pull/16765) > * Fill MsgHdrMemoryArray#hdrs with null entry on release by [`@tsegismont`](https://github.com/tsegismont) in [netty/netty#16764](https://redirect.github.com/netty/netty/pull/16764) > * Revapi: Use default "oldVersion" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16774](https://redirect.github.com/netty/netty/pull/16774) > * Adaptive: Fix concurrency issue in adaptive allocator by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16767](https://redirect.github.com/netty/netty/pull/16767) > * Auto-port 4.2: Make bulk byte moving in ByteBuf faster by [`@netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16781](https://redirect.github.com/netty/netty/pull/16781) > * Pin multipart Content-Type / Content-Transfer-Encoding case folding to Locale.US by [`@daguimu`](https://github.com/daguimu) in [netty/netty#16768](https://redirect.github.com/netty/netty/pull/16768) > * Remove dead native declarations by [`@pandareen`](https://github.com/pandareen) in [netty/netty#16783](https://redirect.github.com/netty/netty/pull/16783) > * Isolate tests that modify available Security providers by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16793](https://redirect.github.com/netty/netty/pull/16793) > * Remove test annotations from a method that isn't a test by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16792](https://redirect.github.com/netty/netty/pull/16792) > * Enable OpenSslCachingKeyMaterialProvider to evict stale entries after cert rotation by [`@zhangweikop`](https://github.com/zhangweikop) in [netty/netty#16523](https://redirect.github.com/netty/netty/pull/16523) > * IoUring: extend user data from short to long by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16682](https://redirect.github.com/netty/netty/pull/16682) > * Revert CompositeByteBuf component search fast path by [`@yawkat`](https://github.com/yawkat) in [netty/netty#16811](https://redirect.github.com/netty/netty/pull/16811) > * HTTP2: Use 100 as default max concurrent streams setting by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16804](https://redirect.github.com/netty/netty/pull/16804) > * Fix ResumptionController wrapping by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16815](https://redirect.github.com/netty/netty/pull/16815) > * Resolve all localhost addresses without querying DNS servers by [`@JulianVennen`](https://github.com/JulianVennen) in [netty/netty#16749](https://redirect.github.com/netty/netty/pull/16749) > * IpFilter: Fix ClassCastException caused by IpSubnetFilter if only ipv6 rules are configured but remote peer is using ipv4 by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16803](https://redirect.github.com/netty/netty/pull/16803) > * Fix memoryAddress() for direct ByteBuffers wrapped by Unpooled without Unsafe by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16788](https://redirect.github.com/netty/netty/pull/16788) > * Route synchronous onLookupComplete exceptions via fireExceptionCaught by [`@kwondh5217`](https://github.com/kwondh5217) in [netty/netty#16794](https://redirect.github.com/netty/netty/pull/16794) > * IoUring: Stop generic FileRegion drain loop when transferred() reaches count() by [`@LuciferYang`](https://github.com/LuciferYang) in [netty/netty#16826](https://redirect.github.com/netty/netty/pull/16826) > * MQTT: Allow MQTT 5 CONNECT with password only by [`@shblue21`](https://github.com/shblue21) in [netty/netty#16833](https://redirect.github.com/netty/netty/pull/16833) > * Fix MQTT decoder size check after variable header replay by [`@daguimu`](https://github.com/daguimu) in [netty/netty#16787](https://redirect.github.com/netty/netty/pull/16787) > > New Contributors > ---------------- > > * [`@pandareen`](https://github.com/pandareen) made their first contribution in [netty/netty#16783](https://redirect.github.com/netty/netty/pull/16783) > * [`@zhangweikop`](https://github.com/zhangweikop) made their first contribution in [netty/netty#16523](https://redirect.github.com/netty/netty/pull/16523) > * [`@JulianVennen`](https://github.com/JulianVennen) made their first contribution in [netty/netty#16749](https://redirect.github.com/netty/netty/pull/16749) > * [`@kwondh5217`](https://github.com/kwondh5217) made their first contribution in [netty/netty#16794](https://redirect.github.com/netty/netty/pull/16794) > * [`@shblue21`](https://github.com/shblue21) made their first contribution in [netty/netty#16833](https://redirect.github.com/netty/netty/pull/16833) > > **Full Changelog**: <netty/netty@netty-4.2.13.Final...netty-4.2.14.Final> Commits * [`0a60b75`](netty/netty@0a60b75) [maven-release-plugin] prepare release netty-4.2.14.Final * [`72df658`](netty/netty@72df658) Fix MQTT decoder size check after variable header replay ([#16787](https://redirect.github.com/netty/netty/issues/16787)) * [`7125dba`](netty/netty@7125dba) MQTT: Allow MQTT 5 CONNECT with password only ([#16833](https://redirect.github.com/netty/netty/issues/16833)) * [`9e19320`](netty/netty@9e19320) IoUring: Stop generic FileRegion drain loop when transferred() reaches count(... * [`4ce9f17`](netty/netty@4ce9f17) Route synchronous onLookupComplete exceptions via fireExceptionCaught ([#16794](https://redirect.github.com/netty/netty/issues/16794)) * [`f7b1b7d`](netty/netty@f7b1b7d) Fix memoryAddress() for direct ByteBuffers wrapped by Unpooled without Unsafe... * [`0ccb265`](netty/netty@0ccb265) IpFilter: Fix ClassCastException caused by IpSubnetFilter if only ipv6 rules ... * [`a6aeb6d`](netty/netty@a6aeb6d) Resolve all localhost addresses without querying DNS servers ([#16749](https://redirect.github.com/netty/netty/issues/16749)) * [`c328ba2`](netty/netty@c328ba2) Fix ResumptionController wrapping ([#16815](https://redirect.github.com/netty/netty/issues/16815)) * [`bc5862b`](netty/netty@bc5862b) HTTP2: Use 100 as default max concurrent streams setting ([#16804](https://redirect.github.com/netty/netty/issues/16804)) * Additional commits viewable in [compare view](netty/netty@netty-4.2.13.Final...netty-4.2.14.Final) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
mergify Bot
added a commit
to ArcadeData/arcadedb
that referenced
this pull request
May 24, 2026
…l [skip ci] Bumps [io.netty:netty-all](https://github.com/netty/netty) from 4.2.13.Final to 4.2.14.Final. Release notes *Sourced from [io.netty:netty-all's releases](https://github.com/netty/netty/releases).* > netty-4.2.14.Final > ------------------ > > What's Changed > -------------- > > * HTTP: Fix revapi failure introduced by 84530fa81e12dcd1d42310bb20c1385cb44128d8 by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16748](https://redirect.github.com/netty/netty/pull/16748) > * HTTP: Re-add constructor to HttpProxyHandler that was removed by mistake by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16747](https://redirect.github.com/netty/netty/pull/16747) > * Marshalling: Explicit document security requirements by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16752](https://redirect.github.com/netty/netty/pull/16752) > * Fix io\_uring op completion TRACE logging by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16755](https://redirect.github.com/netty/netty/pull/16755) > * Quic: Ensure writes are done before notify close promise of QuicheQui… by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16758](https://redirect.github.com/netty/netty/pull/16758) > * Avoid re-parsing openssl key material with non-cached provider by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16759](https://redirect.github.com/netty/netty/pull/16759) > * Pin HTTP/RTSP version + method normalization to Locale.US by [`@daguimu`](https://github.com/daguimu) in [netty/netty#16765](https://redirect.github.com/netty/netty/pull/16765) > * Fill MsgHdrMemoryArray#hdrs with null entry on release by [`@tsegismont`](https://github.com/tsegismont) in [netty/netty#16764](https://redirect.github.com/netty/netty/pull/16764) > * Revapi: Use default "oldVersion" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16774](https://redirect.github.com/netty/netty/pull/16774) > * Adaptive: Fix concurrency issue in adaptive allocator by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16767](https://redirect.github.com/netty/netty/pull/16767) > * Auto-port 4.2: Make bulk byte moving in ByteBuf faster by [`@netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16781](https://redirect.github.com/netty/netty/pull/16781) > * Pin multipart Content-Type / Content-Transfer-Encoding case folding to Locale.US by [`@daguimu`](https://github.com/daguimu) in [netty/netty#16768](https://redirect.github.com/netty/netty/pull/16768) > * Remove dead native declarations by [`@pandareen`](https://github.com/pandareen) in [netty/netty#16783](https://redirect.github.com/netty/netty/pull/16783) > * Isolate tests that modify available Security providers by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16793](https://redirect.github.com/netty/netty/pull/16793) > * Remove test annotations from a method that isn't a test by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16792](https://redirect.github.com/netty/netty/pull/16792) > * Enable OpenSslCachingKeyMaterialProvider to evict stale entries after cert rotation by [`@zhangweikop`](https://github.com/zhangweikop) in [netty/netty#16523](https://redirect.github.com/netty/netty/pull/16523) > * IoUring: extend user data from short to long by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16682](https://redirect.github.com/netty/netty/pull/16682) > * Revert CompositeByteBuf component search fast path by [`@yawkat`](https://github.com/yawkat) in [netty/netty#16811](https://redirect.github.com/netty/netty/pull/16811) > * HTTP2: Use 100 as default max concurrent streams setting by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16804](https://redirect.github.com/netty/netty/pull/16804) > * Fix ResumptionController wrapping by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16815](https://redirect.github.com/netty/netty/pull/16815) > * Resolve all localhost addresses without querying DNS servers by [`@JulianVennen`](https://github.com/JulianVennen) in [netty/netty#16749](https://redirect.github.com/netty/netty/pull/16749) > * IpFilter: Fix ClassCastException caused by IpSubnetFilter if only ipv6 rules are configured but remote peer is using ipv4 by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16803](https://redirect.github.com/netty/netty/pull/16803) > * Fix memoryAddress() for direct ByteBuffers wrapped by Unpooled without Unsafe by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16788](https://redirect.github.com/netty/netty/pull/16788) > * Route synchronous onLookupComplete exceptions via fireExceptionCaught by [`@kwondh5217`](https://github.com/kwondh5217) in [netty/netty#16794](https://redirect.github.com/netty/netty/pull/16794) > * IoUring: Stop generic FileRegion drain loop when transferred() reaches count() by [`@LuciferYang`](https://github.com/LuciferYang) in [netty/netty#16826](https://redirect.github.com/netty/netty/pull/16826) > * MQTT: Allow MQTT 5 CONNECT with password only by [`@shblue21`](https://github.com/shblue21) in [netty/netty#16833](https://redirect.github.com/netty/netty/pull/16833) > * Fix MQTT decoder size check after variable header replay by [`@daguimu`](https://github.com/daguimu) in [netty/netty#16787](https://redirect.github.com/netty/netty/pull/16787) > > New Contributors > ---------------- > > * [`@pandareen`](https://github.com/pandareen) made their first contribution in [netty/netty#16783](https://redirect.github.com/netty/netty/pull/16783) > * [`@zhangweikop`](https://github.com/zhangweikop) made their first contribution in [netty/netty#16523](https://redirect.github.com/netty/netty/pull/16523) > * [`@JulianVennen`](https://github.com/JulianVennen) made their first contribution in [netty/netty#16749](https://redirect.github.com/netty/netty/pull/16749) > * [`@kwondh5217`](https://github.com/kwondh5217) made their first contribution in [netty/netty#16794](https://redirect.github.com/netty/netty/pull/16794) > * [`@shblue21`](https://github.com/shblue21) made their first contribution in [netty/netty#16833](https://redirect.github.com/netty/netty/pull/16833) > > **Full Changelog**: <netty/netty@netty-4.2.13.Final...netty-4.2.14.Final> Commits * [`0a60b75`](netty/netty@0a60b75) [maven-release-plugin] prepare release netty-4.2.14.Final * [`72df658`](netty/netty@72df658) Fix MQTT decoder size check after variable header replay ([#16787](https://redirect.github.com/netty/netty/issues/16787)) * [`7125dba`](netty/netty@7125dba) MQTT: Allow MQTT 5 CONNECT with password only ([#16833](https://redirect.github.com/netty/netty/issues/16833)) * [`9e19320`](netty/netty@9e19320) IoUring: Stop generic FileRegion drain loop when transferred() reaches count(... * [`4ce9f17`](netty/netty@4ce9f17) Route synchronous onLookupComplete exceptions via fireExceptionCaught ([#16794](https://redirect.github.com/netty/netty/issues/16794)) * [`f7b1b7d`](netty/netty@f7b1b7d) Fix memoryAddress() for direct ByteBuffers wrapped by Unpooled without Unsafe... * [`0ccb265`](netty/netty@0ccb265) IpFilter: Fix ClassCastException caused by IpSubnetFilter if only ipv6 rules ... * [`a6aeb6d`](netty/netty@a6aeb6d) Resolve all localhost addresses without querying DNS servers ([#16749](https://redirect.github.com/netty/netty/issues/16749)) * [`c328ba2`](netty/netty@c328ba2) Fix ResumptionController wrapping ([#16815](https://redirect.github.com/netty/netty/issues/16815)) * [`bc5862b`](netty/netty@bc5862b) HTTP2: Use 100 as default max concurrent streams setting ([#16804](https://redirect.github.com/netty/netty/issues/16804)) * Additional commits viewable in [compare view](netty/netty@netty-4.2.13.Final...netty-4.2.14.Final) [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
dongjoon-hyun
added a commit
to apache/spark
that referenced
this pull request
Jun 8, 2026
### What changes were proposed in this pull request? This PR aims to upgrade `Netty` to 4.2.15.Final. ### Why are the changes needed? To bring the latest bug fixes: - https://netty.io/news/2026/06/01/4-2-15-Final.html - [CVE-2026-48059](GHSA-h2qv-fj59-j46j): memory exhaustion in io.netty:netty-codec-haproxy (high). - [CVE-2026-47691](GHSA-5pvg-856g-cp85): DNS cache poisoning in io.netty:netty-resolver-dns (high). - [CVE-2026-50560](GHSA-563q-j3cm-6jxm): DDoS in io.netty:netty-codec-http2. - [CVE-2026-50011](GHSA-5w86-c3rq-vjj7): memory exhaustion in io.netty:netty-codec-redis (high). - [CVE-2026-44250](GHSA-3244-j874-rhc2): memory exhaustion in io.netty:netty-codec-redis (high). - [CVE-2026-44890](GHSA-6ghj-frrj-jjj3): memory exhaustion in io.netty:netty-codec-redis (high). - [CVE-2026-50009](GHSA-cq4q-cv5g-r8q5): information disclosure and denial of service in io.netty:netty-codec-classes-quic. - [CVE-2026-44249](GHSA-3qp7-7mw8-wx86): IPv6 subnet filter bypass in io.netty:netty-handler (high). - [CVE-2026-50020](GHSA-hvcg-qmg6-jm4c): request smuggling in io.netty:netty-codec-http. - [CVE-2026-44892](GHSA-c2rx-5r8w-8xr2): memory exhaustion in io.netty:netty-codec-http3 (high). - [CVE-2026-44893](GHSA-cc37-9q2j-3hfv): memory leak in io.netty:netty-codec-haproxy (high). - [CVE-2026-44894](GHSA-cmm3-54f8-px4j): traffic amplification in io.netty:netty-codec-classes-quic (high). - [CVE-2026-50010](GHSA-c653-97m9-rcg9): TLS hostname verification accidentally disabled in io.netty:netty-handler (high). - [CVE-2026-45673](GHSA-xmv7-r254-6q78): DNS cache poisoning in io.netty:netty-resolver-dns. - [CVE-2026-45416](GHSA-x4gw-5cx5-pgmh): excessive memory usage from SNIHandler in io.netty:netty-handler (high). - [CVE-2026-45536](GHSA-w573-9ffj-6ff9): file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue. - [CVE-2026-45674](GHSA-676x-f7gg-47vc): DNS cache poisoning in io.netty:netty-resolver-dns (high). - [CVE-2026-46340](GHSA-5xrh-qmmq-w6ch): memory exhaustion in io.netty:netty-transport-sctp (high). - [CVE-2026-47244](GHSA-5x3r-wrvg-rp6q): denial of service in io.netty:netty-codec-http2. - [CVE-2026-48006](GHSA-6jv9-x5w9-2ccm): memory exhaustion in io.netty:netty-codec-redis (high). - [CVE-2026-48748](GHSA-4grm-h2qv-h6w6): memory exhaustion in io.netty:netty-codec-http3 (high). - [CVE-2026-48043](GHSA-c2gf-v879-257j): memory exhaustion in io.netty:netty-codec-http2. - netty/netty#16836 - netty/netty#16810 - netty/netty#16853 - netty/netty#16837 - netty/netty#16844 - netty/netty#16850 - netty/netty#16890 - https://netty.io/news/2026/05/20/4-2-14-Final.html - netty/netty#16747 - netty/netty#16759 - netty/netty#16767 - netty/netty#16781 - netty/netty#16788 ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? Pass the CIs. ### Was this patch authored or co-authored using generative AI tooling? Generated-by: Claude Opus 4.8 Closes #56373 from dongjoon-hyun/SPARK-57320. Authored-by: Dongjoon Hyun <dongjoon@apache.org> Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation:
The non-caching
OpenSslKeyMaterialProvidermust check with theKeyManageron every handshake, if the certificate and keys have changed. However, if they haven't then it is a waste of cycles to allocate, serialize, and parse the key material on every handshake.Modification:
Add a single-entry cache of the key material and do an identity on the key and certificates after the
KeyManagerlook-up. If there's a match, we can reuse the key material we created earlier. Many systems, particularly internal web services, only have a single key and certificate pair, so the single-entry cache will be very effective there.Result:
Speeds up TLS handshakes when a server is configured with a
KeyManagerFactoryorKeyManager, and the key/cert pair isn't changing on every handshake.