Problem
When TLS certificates are dynamically reloaded (e.g., via SslContext rebuild on certificate file change), the old SslContext / SSLSessionContext and associated native resources are not explicitly released.
In the OpenSSL (netty-tcnative / BoringSSL) provider, each SslContext allocates off-heap native memory for the certificate chain, private key, and session cache. If the previous SslContext is simply dereferenced without calling release() / close(), the native memory is not freed until GC finalizes the object — which may never happen under low heap pressure, leading to a steady native memory growth proportional to the number of certificate rotations.
Expected Behavior
When a new certificate is loaded and a new SslContext is created, the old SslContext should be explicitly released (reference-counted release for ReferenceCounted implementations) to free native memory immediately.
Suggested Fix
After replacing the SslContext reference, call ReferenceCountUtil.release(oldSslContext) (or oldSslContext.close() for JDK provider compatibility) to ensure native resources are reclaimed promptly.
Additionally, ensure any in-flight connections using the old context are drained or that the release is deferred until active channels using the old context are closed.
Environment
- Affects: Broker / Proxy / NameServer with TLS enabled and certificate hot-reload
- SSL Provider: OpenSSL (netty-tcnative)
- Observed: Native memory (RSS) grows monotonically on each certificate rotation cycle
Problem
When TLS certificates are dynamically reloaded (e.g., via
SslContextrebuild on certificate file change), the oldSslContext/SSLSessionContextand associated native resources are not explicitly released.In the OpenSSL (netty-tcnative / BoringSSL) provider, each
SslContextallocates off-heap native memory for the certificate chain, private key, and session cache. If the previousSslContextis simply dereferenced without callingrelease()/close(), the native memory is not freed until GC finalizes the object — which may never happen under low heap pressure, leading to a steady native memory growth proportional to the number of certificate rotations.Expected Behavior
When a new certificate is loaded and a new
SslContextis created, the oldSslContextshould be explicitly released (reference-counted release forReferenceCountedimplementations) to free native memory immediately.Suggested Fix
After replacing the
SslContextreference, callReferenceCountUtil.release(oldSslContext)(oroldSslContext.close()for JDK provider compatibility) to ensure native resources are reclaimed promptly.Additionally, ensure any in-flight connections using the old context are drained or that the release is deferred until active channels using the old context are closed.
Environment