Skip navigation

Netty 4.1.31.Final released

Today we announce the release of netty 4.1.31.Final. This release contains bugfixes, some improvements and performance wins. Beside this one of the more interesting things included is the support of TLSv1.3 (either via Java 11 or netty-tcnative / netty-tcnative-boringssl-static).

Please also check the Important notes section below before upgrading.

The most important changes are:

  • Fix leak and corruption bugs in CompositeByteBuf (#8438)
  • Optimize AbstractByteBuf.getCharSequence() in US_ASCII case (#8392)
  • (fix) incorrect reachability assumption in ResourceLeakDetector (#8410)
  • Correctly detect if KeyManagerFactory is supported by OpenSSL even when* can not be accessed and bouncycastle is not on the classpath. (#8415)
  • Reduce overhead by ByteBufUtil.decodeString(...) which is used by AbstractByteBuf.toString(...) and AbstractByteBuf.getCharSequence(...) (#8388)
  • CompositeByteBuf.decompose(...) does not correctly slice content (#8403)
  • Allow to use TLSv1.3 with netty-tcnative withe java versions prior to 11 (#8394)
  • Add support for TLSv1.3 #8293)
  • Add support for boringssl and TLSv1.3 (#8412)
  • Ensure OpenSslEngine will not try to call SSL_free multiple times even when constructor throws #8399)
  • Add full JdkSslContext public constructor #8389)
  • Prevent NPE when attempting to set client key material with no alias #8378)
  • epoll_wait produces an EINVAL error since 4.1.30 #8350)
  • Correctly parse /etc/resolv.conf when contain multiple entries for searchdomain #8351)
  • Correctly decrement pending bytes when submitting AbstractWriteTask fails #8349)
  • Fix SelectableChannel support in NioEventLoop #8344)
  • Added option to do busy-wait on epoll #8267)
  • Ensure X509KeyManager methods are called on the correct time when using server-side and support more methods of ExtendedSSLSession #8283)
  • Do the same extended checks as the JDK when a X509TrustManager is used with the OpenSSL provider #8307)

For the details and all changes, please browse our issue tracker for 4.1.31.Final.

Important notes

This section will give some more details about more important changes that either change behaviour or add support for some important feature.

LeakDetector false-positives

This releases fixes a bug in LeakDetector which could cause false-positives in some cases when the JIT would re-order some operations and the GC would collect the reference in the same time when executing these. If you see any LEAK: reports that make no sense to you it may be caused by the bug that was present in prior releases. See (#8410) for more details.

SslProvider.OPENSSL / SslProvider.OPENSSL_REFCNT and invalid ciphersuites

Prior to this release when using SslProvider.OPENSSL or SslProvider.OPENSSL_REFCNT and define the used ciphers by hand when configure the SslContextBuilder we just ignored not supported ciphers. This was changed in this release and from now on we will throw an exception. This is more consistent with what is done when using SslProvider.JDK and more correct. That said you may need to adjust your ciphers depending what ciphers you configured before. See (#8443) for more details.

TLSv1.3 support

TLSv1.3 was recently finalized as a standard. In this release we add support for it in various ways, when either of these is true:

  • using Java11 or later
  • using netty-tcnative (build against OpenSSL 1.1.1+) and Java8+
  • using netty-tcnative-boringssl-static and Java8+.

That said TLSv1.3 is not enabled by default so if you want to use it you will need to explicit enable it by using TLSv1.3 when configure your SslContextBuilder (like for example):

SslContextBuilder.forClient().protocols("TLSv1.3") ....

To be able to do this for our native implementations you also need to ensure you use netty-tcnative 2.0.19 (compiled against OpenSSL 1.1.1+) or netty-tcnative-boringssl-static 2.0.19.

Thank You

Every idea and bug-report counts and so we thought it is worth mentioning those who helped in this area. Please report an unintended omission.