Details
- Improvement
- Status: Resolved
- Major
- Resolution: Fixed
If a properly shaded netty-tcnative is found on the classpath, HBase will automatically pick it up for use in accelerating TLS handling. Properly shaded means relocated under the org.apache.hbase.thirdparty prefix.
Description
Investigation of HBASE-27947 showed that tcnative can make a big impact on throughput over the built-in JDK SSL support. We need three things to make it work:
- In X509Util, if OpenSsl.isAvailable() (meaning tcnative is on the classpath):
  - Use SslProvider.OPENSSL_REFCNT
  - Update default ciphers to remove CBC ciphers, which do not work with tcnative. We can either pull the ciphers from OpenSsl.availableJavaCipherSuites() or simply use the default GCM ciphers we already have defined.
- Our netty is shaded, so one can't simply put the tcnative jar on the classpath. We might need to provide an hbase-shaded-netty-tcnative module which one can optionally include in their deployment. We will have to decide which of the many tcnative modules to provide a shaded version for.
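The provider and cipher selection described above, as an added example that is not HBase's X509Util code. It assumes unshaded Netty package names (HBase relocates them under org.apache.hbase.thirdparty); the class name, helper name and GCM cipher list are constructed for illustration.

```java
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.ReferenceCountUtil;

import javax.net.ssl.SSLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

// Hypothetical class for illustration; not part of HBase.
public final class TlsProviderSelection {

  // Assumed GCM-only default list (constructed for this example).
  static final List<String> DEFAULT_GCM_CIPHERS = Arrays.asList(
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

  // Drop CBC suites and, when a provider-supported set is given, anything outside it.
  static List<String> usableCiphers(List<String> configured, Set<String> available) {
    List<String> out = new ArrayList<>();
    for (String c : configured) {
      if (c.contains("_CBC_")) continue;
      if (available != null && !available.contains(c)) continue;
      out.add(c);
    }
    return out;
  }

  static SslContext clientContext() throws SSLException {
    boolean tcnative = OpenSsl.isAvailable(); // true only if tcnative loaded
    SslProvider provider = tcnative ? SslProvider.OPENSSL_REFCNT : SslProvider.JDK;
    List<String> ciphers = usableCiphers(DEFAULT_GCM_CIPHERS,
      tcnative ? OpenSsl.availableJavaCipherSuites() : null);
    if (ciphers.isEmpty()) { // fail closed rather than fall back to provider defaults
      throw new SSLException("no usable cipher suites for provider " + provider);
    }
    return SslContextBuilder.forClient().sslProvider(provider).ciphers(ciphers).build();
  }

  public static void main(String[] args) throws SSLException {
    SslContext ctx = clientContext();
    System.out.println("openssl=" + OpenSsl.isAvailable() + " ciphers=" + ctx.cipherSuites());
    // OPENSSL_REFCNT contexts are reference counted and must be released explicitly.
    ReferenceCountUtil.release(ctx);
  }
}
```

When tcnative fails to load, `OpenSsl.unavailabilityCause()` reports why, which is worth logging so a silent fallback to the JDK provider is visible.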
Issue Links
- Discovered while testing: HBASE-27947 RegionServer OOM under load when TLS is enabled (Resolved)