Skip navigation

Netty 4.1.35.Final released

Today we announce the release of netty 4.1.35.Final. This release contains mostly bugfixes, some improvements and a few performance wins. If you use netty-tcnative or netty-tcnative-boringssl-static you also need to upgrade to 2.0.25.Final.

The most important changes in this release are:

  • Only try to use OpenSslX509TrustManagerWrapper when using Java 7+ (#9065)
  • DnsNameResolver.resolve(...) should notify future as soon as one preferred record was resolved (#9050)
  • Correctly calculate ttl for AuthoritativeNameServer when update existing records (#9051)
  • DnsNameResolver.resolveAll(...) should also contain non preferred addresses (#9044)
  • Websocket client closing handshake to support "force close" after given timeout (#8883)
  • Correctly handle overflow in Native.kevent(...) when EINTR is detected (#9024)
  • DnsNameResolver.resolveAll(...) should not include duplicates (#9021)
  • Skip execution of Channel*Handler method if annotated with @Skip and just use the next handler in the pipeline (#8988)
  • Allow to offload / customize key signing operations when using BoringSSL (#8943)
  • Allow to offload certificate validation when using BoringSSL (#8974)
  • Add user possibility to skip the evaluation of a certain websocket extensions (#8910)
  • Don't try to put back MemoryRegionCache.Entry objects into the Recycler when recycled because of a finalizer (#8955)
  • Fix possible ByteBuf leak when CompositeByteBuf is resized (#8946)
  • Allow to automatically trim the PoolThreadCache in a timely interval (#8941)
  • Support ALLOW_HALF_CLOSURE channel option on Unix domain socket. (#8932)
  • Correctly produce ssl alert when certificate validation fails on the client-side when using native SSL implementation (#8949)
  • Fix HttpUtil.isKeepAlive to behave correctly when Connection is a comma separated list defect (#8924)

For the details and all changes, please browse our issue tracker for 4.1.35.Final.

Notes about new features / improvements

This section contains some details about some changes that deserve a bit more attentions. Please check the related PRs for even more details.

Offload various handshake related operations from the EventLoop

This release added various features related to offload handshake related operations from the EventLoop when netty-tcnative-boringssl-static is used. This can be very helpfully if you need to do any blocking operation in your KeyManager or TrustManager implementation. As these are still considered as "experimental" as these were just added you explicit need to enable the offloading via -Dio.netty.handler.ssl.openssl.useTasks=true.

Beside this you will need to use the SslContext methods that take another Executor in its parameters.

Related PRs:

  • Allow to offload / customize key signing operations when using BoringSSL (#8943)
  • Allow to offload certificate validation when using BoringSSL (#8974)

Offload key signing operations

When using netty-tcnative-boringssl-static it is now possible to offload the key-signing completely (a.k.a keyless SSL). This can be done by implementations OpenSslPrivateKeyMethod and set your implementation via ReferenceCountedOpenSslContext.setPrivateKeyMethod(...).

Please note that this feature is still considered experimental and so is marked with @UnstableApi.

For more details see (#8943).

Performance improvements when using BoringSSL

We now use CRYPTO_BUFFER when netty-tcnative-boringssl-static is used which allows us to remove the overhead of multiple parsing operations related to the certificate chain.

For more details see (#455).

New Team Members

I am happy to announce that @franz1981 and @njhill were added to the Netty Team to recognize all the hard and amazing work both of them did in the past. Congratulations to both!

Thank You

Every idea and bug-report counts and so we thought it is worth mentioning those who helped in this area. Please report an unintended omission.