fix: release old SslContext on certificate reload to prevent native memory leak (#10395)

web-flow · web-flow · commit 7d55555ed5a1 · 2026-05-28T02:41:43.000Z
diff --git a/proxy/src/main/java/org/apache/rocketmq/proxy/grpc/ProxyAndTlsProtocolNegotiator.java b/proxy/src/main/java/org/apache/rocketmq/proxy/grpc/ProxyAndTlsProtocolNegotiator.java
@@ -45,6 +45,7 @@
 import io.grpc.netty.shaded.io.netty.handler.ssl.util.SelfSignedCertificate;
 import io.grpc.netty.shaded.io.netty.util.AsciiString;
 import io.grpc.netty.shaded.io.netty.util.CharsetUtil;
+import io.grpc.netty.shaded.io.netty.util.ReferenceCountUtil;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -77,7 +78,7 @@ public class ProxyAndTlsProtocolNegotiator implements InternalProtocolNegotiator
      */
     private static final int SSL_RECORD_HEADER_LENGTH = 5;
 
-    private static SslContext sslContext;
+    private static volatile SslContext sslContext;
 
     public ProxyAndTlsProtocolNegotiator() {
         try {
@@ -113,6 +114,7 @@ public static void loadSslContext() throws CertificateException, IOException {
             provider = SslProvider.JDK;
             log.info("Using JDK SSL provider");
         }
+        SslContext oldSslContext = sslContext;
         if (proxyConfig.isTlsTestModeEnable()) {
             SelfSignedCertificate selfSignedCertificate = new SelfSignedCertificate();
             sslContext = GrpcSslContexts.forServer(selfSignedCertificate.certificate(), selfSignedCertificate.privateKey())
@@ -136,6 +138,9 @@ public static void loadSslContext() throws CertificateException, IOException {
                     .build();
             }
         }
+        if (oldSslContext != null) {
+            ReferenceCountUtil.release(oldSslContext);
+        }
     }
 
     private class ProxyAndTlsProtocolHandler extends ByteToMessageDecoder {
diff --git a/remoting/src/main/java/org/apache/rocketmq/remoting/netty/NettyRemotingServer.java b/remoting/src/main/java/org/apache/rocketmq/remoting/netty/NettyRemotingServer.java
@@ -45,12 +45,14 @@
 import io.netty.handler.codec.haproxy.HAProxyMessageDecoder;
 import io.netty.handler.codec.haproxy.HAProxyProtocolVersion;
 import io.netty.handler.codec.haproxy.HAProxyTLV;
+import io.netty.handler.ssl.SslContext;
 import io.netty.handler.timeout.IdleState;
 import io.netty.handler.timeout.IdleStateEvent;
 import io.netty.handler.timeout.IdleStateHandler;
 import io.netty.util.AttributeKey;
 import io.netty.util.CharsetUtil;
 import io.netty.util.HashedWheelTimer;
+import io.netty.util.ReferenceCountUtil;
 import io.netty.util.Timeout;
 import io.netty.util.TimerTask;
 import io.netty.util.concurrent.DefaultEventExecutorGroup;
@@ -183,7 +185,11 @@ public void loadSslContext() {
 
         if (tlsMode != TlsMode.DISABLED) {
             try {
+                SslContext oldSslContext = sslContext;
                 sslContext = TlsHelper.buildSslContext(false);
+                if (oldSslContext != null) {
+                    ReferenceCountUtil.release(oldSslContext);
+                }
                 log.info("SslContext created for server");
             } catch (CertificateException | IOException e) {
                 log.error("Failed to create SslContext for server", e);
