Skip navigation

Netty 4.1.60.Final released

I am happy to announce the release of netty 4.1.60.Final, which beside fixing various bugs also contains a security fix which may affect you if you use the codec-http2 package and proxy HTTP/2 to HTTP/1.1 . This release also includes a change that makes it possible to enable client side SSL session caching when using our native SSL implementation.

For more details about the impact of the CVE (CVE-2021-21295) check the Security Advisory.

The most important changes are:

  • Validate Content-Length header in HTTP/2 decoder (CVE-2021-21295)
  • Enable stateless resumption for TLSv1.3 by default when using OpenSSL / BoringSSL (#10997)
  • Allow blocking calls when parsing etcResolver/hosts files (#11009)
  • fixed ipv6 address join ipv4 group failed (#11015)
  • Propagate SSLException to the Http2StreamChannels (#11023)
  • Less noisy logging in DnsServerAddressStreamProviders (#11031)
  • HttpPostMultipartRequestDecoder performance regression (#10508)
  • Add support for UDP_SEGMENT (GSO) when using sendmmsg (#11038)
  • Ensure removal from queue happens before writeAndFlush(...) is called (#11049)
  • Fix NPE that can happen in the WriteTimeoutHandler when multiple executors are used (#11053)
  • Support session cache for client and server when using native SSLEngine implementation (#10994)
  • Allow to config dns bind address in DnsNameResolver (#11061)

Important notes

SSL Session caching

As stated before this release includes a change which allows to use SSL session caching on the client side when using our native SSL implementation. Unfortunally the use of the cache may trigger a JDK bug on the remote peer if the remote peer uses the JDK SSL implementation for TLSv1.3. Because of that we decided to not enable the session caching by default on the client-side. If you still want to enable it you can either use -Dio.netty.handler.ssl.openssl.sessionCacheClient=true or explict enable it via the OpenSslContext:

OpenSslContext context = ...;
contest.sessionContext().setSessionCacheEnabled(true);

GSO support for EpollDatagramChannel

This release also adds support for GSO (UDP_SEGMENT) when using the native EpollDatagramChannel and running on a system with a recent enough kernel. You can make use of this by writing SegmentedDatagramPackets to the channel.

For more detail on GSO please read the blogpost by cloudflare which explains how this can be used to maximize performance when using QUIC.

CVE-2021-21295 - request smuggling

This release fixes a possible security problem which have allowes for request smuggling, check the Security Advisory for more details.

Thank You

Every idea and bug-report counts and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.