avoid creation of SSLContext for each connection

Separate the creation of the SslContext and the SslHandler.
Before, for each new connection an SslContext was created and
from it the SslHandler was generated.
However creating an SslContext is very expensive due to all the certificate handling.

This PR moves the creation of SslHandler to a SslHandlerProvider that is instantiated
with a SslContext instance.
This way the SslContext is created once, and from it we get SslHandlers for each new connection.

This largely improves the performance in usecases where ssl is enabled but http keepalive isn't set.

Author: jsvd

lib/logstash/inputs/http.rb

@@ -212,37 +212,33 @@ def create_http_server(message_handler)
   def build_ssl_params
     return nil unless @ssl
 
+    ssl_builder = nil
+    verify_mode_string = nil
+
     if @keystore && @keystore_password
       ssl_builder = org.logstash.plugins.inputs.http.util.JksSslBuilder.new(@keystore, @keystore_password.value)
-      if original_params.key?("verify_mode")
-        if @verify_mode.upcase == "FORCE_PEER"
-          ssl_builder.setVerifyMode(org.logstash.plugins.inputs.http.util.SslBuilder::SslClientVerifyMode::FORCE_PEER)
-        elsif @verify_mode.upcase == "PEER"
-          ssl_builder.setVerifyMode(org.logstash.plugins.inputs.http.util.SslBuilder::SslClientVerifyMode::VERIFY_PEER)
-        end
+      verify_mode_string = @verify_mode.upcase if original_params.key?("verify_mode")
+    else
+      begin
+        ssl_builder = org.logstash.plugins.inputs.http.util.SslSimpleBuilder.new(@ssl_certificate, @ssl_key, @ssl_key_passphrase.nil? ? nil : @ssl_key_passphrase.value)
+        .setCipherSuites(normalized_ciphers)
+      rescue java.lang.IllegalArgumentException => e
+        raise LogStash::ConfigurationError.new(e)
       end
-      return ssl_builder
-    end
 
-    begin
-      ssl_builder = org.logstash.plugins.inputs.http.util.SslSimpleBuilder.new(@ssl_certificate, @ssl_key, @ssl_key_passphrase.nil? ? nil : @ssl_key_passphrase.value)
-      .setProtocols(convert_protocols)
-      .setCipherSuites(normalized_ciphers)
-    rescue java.lang.IllegalArgumentException => e
-      raise LogStash::ConfigurationError.new(e)
+      if client_authentication?
+        verify_mode_string = @ssl_verify_mode.upcase
+        ssl_builder.setCertificateAuthorities(@ssl_certificate_authorities)
+      end
     end
 
-    ssl_builder.setHandshakeTimeoutMilliseconds(@ssl_handshake_timeout)
+    ssl_context = ssl_builder.build()
+    ssl_handler_provider = org.logstash.plugins.inputs.http.util.SslHandlerProvider.new(ssl_context)
+    ssl_handler_provider.setVerifyMode(verify_mode_string)
+    ssl_handler_provider.setProtocols(convert_protocols)
+    ssl_handler_provider.setHandshakeTimeoutMilliseconds(@ssl_handshake_timeout)
 
-    if client_authentication?
-      if @ssl_verify_mode.upcase == "FORCE_PEER"
-        ssl_builder.setVerifyMode(org.logstash.plugins.inputs.http.util.SslBuilder::SslClientVerifyMode::FORCE_PEER)
-      elsif @ssl_verify_mode.upcase == "PEER"
-        ssl_builder.setVerifyMode(org.logstash.plugins.inputs.http.util.SslBuilder::SslClientVerifyMode::VERIFY_PEER)
-      end
-      ssl_builder.setCertificateAuthorities(@ssl_certificate_authorities)
-    end
-    ssl_builder
+    ssl_handler_provider
   end
 
   def ssl_key_configured?

spec/inputs/http_spec.rb

@@ -361,6 +361,7 @@
                                            "ssl_certificate" => ssl_certificate.path,
                                            "ssl_key" => ssl_key.path) }
       it "should not raise exception" do
+        expect(subject).to receive(:build_ssl_params)
         expect { subject.register }.to_not raise_exception
       end
     end

src/main/java/org/logstash/plugins/inputs/http/HttpInitializer.java

@@ -7,7 +7,7 @@
 import io.netty.handler.codec.http.HttpObjectAggregator;
 import io.netty.handler.codec.http.HttpServerCodec;
 import io.netty.handler.ssl.SslHandler;
-import org.logstash.plugins.inputs.http.util.SslBuilder;
+import org.logstash.plugins.inputs.http.util.SslHandlerProvider;
 
 import java.util.concurrent.ThreadPoolExecutor;
 
@@ -16,7 +16,7 @@
  */
 public class HttpInitializer extends ChannelInitializer<SocketChannel> {
     private final IMessageHandler messageHandler;
-    private SslBuilder sslBuilder;
+    private SslHandlerProvider sslHandlerProvider;
     private final int maxContentLength;
     private final ThreadPoolExecutor executorGroup;
 
@@ -30,8 +30,8 @@ public HttpInitializer(IMessageHandler messageHandler, ThreadPoolExecutor execut
     protected void initChannel(SocketChannel socketChannel) throws Exception {
         ChannelPipeline pipeline = socketChannel.pipeline();
 
-        if(sslBuilder != null) {
-            SslHandler sslHandler = sslBuilder.build(socketChannel.alloc());
+        if(sslHandlerProvider != null) {
+            SslHandler sslHandler = sslHandlerProvider.getSslHandler(socketChannel.alloc());
             pipeline.addLast(sslHandler);
         }
         pipeline.addLast(new HttpServerCodec());
@@ -40,8 +40,8 @@ protected void initChannel(SocketChannel socketChannel) throws Exception {
         pipeline.addLast(new HttpServerHandler(messageHandler.copy(), executorGroup));
     }
 
-    public void enableSSL(SslBuilder builder) {
-        sslBuilder = builder;
+    public void enableSSL(SslHandlerProvider sslHandlerProvider) {
+        this.sslHandlerProvider = sslHandlerProvider;
     }
 }
 

src/main/java/org/logstash/plugins/inputs/http/NettyHttpServer.java

@@ -6,10 +6,8 @@
 import io.netty.channel.EventLoopGroup;
 import io.netty.channel.nio.NioEventLoopGroup;
 import io.netty.channel.socket.nio.NioServerSocketChannel;
-import io.netty.handler.codec.http.DefaultHttpHeaders;
-import io.netty.handler.codec.http.HttpHeaders;
 import org.logstash.plugins.inputs.http.util.CustomRejectedExecutionHandler;
-import org.logstash.plugins.inputs.http.util.SslBuilder;
+import org.logstash.plugins.inputs.http.util.SslHandlerProvider;
 
 import java.io.Closeable;
 import java.util.concurrent.ArrayBlockingQueue;
@@ -31,7 +29,7 @@ public class NettyHttpServer implements Runnable, Closeable {
     private final ThreadPoolExecutor executorGroup;
 
     public NettyHttpServer(String host, int port, IMessageHandler messageHandler,
-                           SslBuilder sslBuilder, int threads,
+                           SslHandlerProvider sslHandlerProvider, int threads,
                            int maxPendingRequests, int maxContentLength)
     {
         this.host = host;
@@ -44,8 +42,8 @@ public NettyHttpServer(String host, int port, IMessageHandler messageHandler,
 
         final HttpInitializer httpInitializer = new HttpInitializer(messageHandler, executorGroup, maxContentLength);
 
-        if (sslBuilder != null) {
-            httpInitializer.enableSSL(sslBuilder);
+        if (sslHandlerProvider != null) {
+            httpInitializer.enableSSL(sslHandlerProvider);
         }
 
         serverBootstrap = new ServerBootstrap()

src/main/java/org/logstash/plugins/inputs/http/util/JksSslBuilder.java

@@ -1,12 +1,9 @@
 package org.logstash.plugins.inputs.http.util;
 
-import io.netty.buffer.ByteBufAllocator;
 import io.netty.handler.ssl.SslContextBuilder;
 
-import io.netty.handler.ssl.SslHandler;
 
 import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLEngine;
 import javax.net.ssl.TrustManagerFactory;
 
 import io.netty.handler.ssl.SslContext;
@@ -25,18 +22,13 @@ public class JksSslBuilder implements SslBuilder {
     private static final String ALGORITHM = "ssl.KeyManagerFactory.algorithm";
     private final String keyStorePath;
     private final char[] keyStorePassword;
-    private SslClientVerifyMode verifyMode;
 
     public JksSslBuilder(String keyStorePath, String keyStorePassword) {
         this.keyStorePath = keyStorePath;
         this.keyStorePassword = keyStorePassword.toCharArray();
     }
 
-    public void setVerifyMode(SslClientVerifyMode sslClientVerifyMode) {
-        this.verifyMode = sslClientVerifyMode;
-    }
-
-    public SslHandler build(ByteBufAllocator bufferAllocator) throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException {
+    public SslContext build() throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException {
         String algorithm = Security.getProperty(ALGORITHM);
         if (algorithm == null) {
             algorithm = ALGORITHM_SUN_X509;
@@ -54,20 +46,7 @@ public SslHandler build(ByteBufAllocator bufferAllocator) throws IOException, Ke
 
         SslContextBuilder builder = SslContextBuilder.forServer(kmf);
         builder.trustManager(tmf);
-        SslContext context = builder.build();
-
-        SslHandler sslHandler = context.newHandler(bufferAllocator);
-
-        SSLEngine engine = sslHandler.engine();
-
-        if(verifyMode == SslClientVerifyMode.FORCE_PEER) {
-            // Explicitly require a client certificate
-            engine.setNeedClientAuth(true);
-        } else if(verifyMode == SslClientVerifyMode.VERIFY_PEER) {
-            // If the client supply a client certificate we will verify it.
-            engine.setWantClientAuth(true);
-        }
 
-        return sslHandler;
+        return builder.build();
     }
 }

src/main/java/org/logstash/plugins/inputs/http/util/SslBuilder.java

@@ -1,7 +1,6 @@
 package org.logstash.plugins.inputs.http.util;
 
-import io.netty.buffer.ByteBufAllocator;
-import io.netty.handler.ssl.SslHandler;
+import io.netty.handler.ssl.SslContext;
 
 import java.io.IOException;
 import java.security.KeyManagementException;
@@ -12,10 +11,6 @@
 
 public interface SslBuilder {
 
-    SslHandler build(ByteBufAllocator bufferAllocator) throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException;
+    SslContext build() throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException;
 
-    enum SslClientVerifyMode {
-        VERIFY_PEER,
-        FORCE_PEER,
-    }
 }

src/main/java/org/logstash/plugins/inputs/http/util/SslHandlerProvider.java

@@ -0,0 +1,69 @@
+package org.logstash.plugins.inputs.http.util;
+
+import io.netty.buffer.ByteBufAllocator;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslHandler;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import javax.net.ssl.SSLEngine;
+import java.util.Arrays;
+
+public class SslHandlerProvider {
+
+    private final static Logger logger = LogManager.getLogger(SslSimpleBuilder.class);
+    private final SslContext sslContext;
+    private SslClientVerifyMode verifyMode = SslClientVerifyMode.FORCE_PEER;
+    private long handshakeTimeoutMilliseconds = 10000;
+
+    enum SslClientVerifyMode {
+        VERIFY_PEER,
+        FORCE_PEER,
+    }
+
+    private String[] protocols = new String[] { "TLSv1.2" };
+
+    public SslHandlerProvider(SslContext sslContext) {
+        this.sslContext = sslContext;
+    }
+
+    public SslHandler getSslHandler(ByteBufAllocator bufferAllocator) {
+
+        SslHandler sslHandler = sslContext.newHandler(bufferAllocator);
+
+        SSLEngine engine = sslHandler.engine();
+        engine.setEnabledProtocols(protocols);
+        engine.setUseClientMode(false);
+
+        if (verifyMode == SslClientVerifyMode.FORCE_PEER) {
+            // Explicitly require a client certificate
+            engine.setNeedClientAuth(true);
+        } else if (verifyMode == SslClientVerifyMode.VERIFY_PEER) {
+            // If the client supply a client certificate we will verify it.
+            engine.setWantClientAuth(true);
+        }
+
+        sslHandler.setHandshakeTimeoutMillis(handshakeTimeoutMilliseconds);
+
+        return sslHandler;
+    }
+
+    public void setVerifyMode(String verifyMode) {
+        if (verifyMode.equals("FORCE_PEER")) {
+            this.verifyMode = SslClientVerifyMode.FORCE_PEER;
+        } else if (verifyMode.equals("PEER")) {
+            this.verifyMode = SslClientVerifyMode.VERIFY_PEER;
+        }
+    }
+
+    public void setProtocols(String[] protocols) {
+        if(logger.isDebugEnabled())
+            logger.debug("TLS: " + Arrays.toString(protocols));
+
+        this.protocols = protocols;
+    }
+
+    public void setHandshakeTimeoutMilliseconds(long handshakeTimeoutMilliseconds) {
+        this.handshakeTimeoutMilliseconds = handshakeTimeoutMilliseconds;
+    }
+}