clj-commons · robinlahtinen · Feb 16, 2026 · Feb 16, 2026 · Feb 16, 2026 · Feb 16, 2026
@@ -6,7 +6,7 @@ version: 2.1
 .job_defaults: &job_defaults
   docker:
     # specify the version you desire here
-    - image: cimg/clojure:1.11.1-openjdk-8.0
+    - image: cimg/clojure:1.11.4-openjdk-8.0
     # Specify service dependencies here if necessary
     # CircleCI maintains a library of pre-built images
     # documented at https://circleci.com/docs/2.0/circleci-images/
@@ -21,6 +21,18 @@ version: 2.1
 
   # The resource_class feature allows configuring CPU and RAM resources for each job. Different resource classes are available for different executors. https://circleci.com/docs/2.0/configuration-reference/#resourceclass
   resource_class: large
+
+.job_defaults_jdk_21: &job_defaults_jdk_21
+  docker:
+    - image: cimg/clojure:1.11.4-openjdk-21.0
+
+  working_directory: ~/repo
+
+  environment:
+    LEIN_ROOT: "true"
+    JVM_OPTS: -Xmx3200m
+
+  resource_class: large
 
 commands:
   restore_deps_cache:
@@ -72,6 +84,36 @@ jobs:
           name: Run tests with dropped error deferred detection
           command: lein do clean, with-profile +dropped-error-deferred-detection test
           no_output_timeout: 20m
+  prepare_deps_cache_jdk_21:
+    <<: *job_defaults_jdk_21
+    steps:
+      - checkout
+      - restore_deps_cache
+      - run:
+          name: Install bb
+          command: |
+            sudo bash < <(curl -s https://raw.githubusercontent.com/babashka/babashka/3d916df4a0c1e00df94100860b8eb5577e59c56a/install)
+
+      - run:
+          name: Download and cache dependencies
+          command: lein with-profile pedantic,dev,test,jdk-21 deps
+
+      - run:
+          name: Ensure deps.edn is in sync with project.clj
+          command: deps/ensure-deps-up-to-date
+
+      - save_cache:
+          paths:
+            - ~/.m2
+          key: v2-dependencies-jdk_21-{{ checksum "project.clj" }}
+  test_with_leak_detection_jdk_21:
+    <<: *job_defaults_jdk_21
+    steps:
+      - checkout
+      - restore_deps_cache
+      - run:
+          name: Run tests with leak detection (JDK 21)
+          command: lein do clean, with-profile +leak-detection,+jdk-21 test :default+leak
   patch_hold_test_with_dropped_error_deferred_detection_status:
     <<: *job_defaults
     steps:
@@ -136,6 +178,10 @@ workflows:
       - test_with_leak_detection:
           requires:
             - prepare_deps_cache
+      - prepare_deps_cache_jdk_21
+      - test_with_leak_detection_jdk_21:
+          requires:
+            - prepare_deps_cache_jdk_21
       - hold_test_with_dropped_error_deferred_detection:
           type: approval
           requires:

@@ -1,3 +1,18 @@
+### Unreleased
+
+* BREAKING: Bump Netty to 4.2.10.Final
+* Promote io_uring transport from incubator (`io.netty.incubator` → `io.netty`)
+* Load io_uring transport classes lazily via reflection (requires Java 9+; gracefully unavailable on Java 8)
+* Add kqueue `osx-aarch_64` native transport for Apple Silicon
+* Update `self-signed-ssl-context` for JDK 24+ compatibility via Netty `CertificateBuilder`, with `SelfSignedCertificate` fallback
+* Fix deprecated `Class.newInstance()` usage in `CertificateBuilder` reflection (use `Constructor.newInstance()`)
+* Remove deprecated `ChannelOption/MAX_MESSAGES_PER_READ` usage
+* Fix HTTP/2 connection preface not flushed on already-active pipelines (affected JDK 21 with unpooled allocator)
+
+Contributions by (in alphabetical order):
+
+Robin Lahtinen
+
 ### 0.9.5
 
 * Fix NPE in `wrap-exceptions` HTTP client middleware (#766, #767)

@@ -10,24 +10,26 @@
   org.clj-commons/dirigiste {:mvn/version "1.0.4"},
   org.clj-commons/primitive-math {:mvn/version "1.0.1"},
   potemkin/potemkin {:mvn/version "0.4.8"},
-  io.netty/netty-transport {:mvn/version "4.1.130.Final"},
+  io.netty/netty-transport {:mvn/version "4.2.10.Final"},
   io.netty/netty-transport-native-epoll$linux-x86_64
-  {:mvn/version "4.1.130.Final"},
+  {:mvn/version "4.2.10.Final"},
   io.netty/netty-transport-native-epoll$linux-aarch_64
-  {:mvn/version "4.1.130.Final"},
+  {:mvn/version "4.2.10.Final"},
   io.netty/netty-transport-native-kqueue$osx-x86_64
-  {:mvn/version "4.1.130.Final"},
-  io.netty.incubator/netty-incubator-transport-native-io_uring$linux-x86_64
-  {:mvn/version "0.0.26.Final"},
-  io.netty.incubator/netty-incubator-transport-native-io_uring$linux-aarch_64
-  {:mvn/version "0.0.26.Final"},
-  io.netty/netty-codec {:mvn/version "4.1.130.Final"},
-  io.netty/netty-codec-http {:mvn/version "4.1.130.Final"},
-  io.netty/netty-codec-http2 {:mvn/version "4.1.130.Final"},
-  io.netty/netty-handler {:mvn/version "4.1.130.Final"},
-  io.netty/netty-handler-proxy {:mvn/version "4.1.130.Final"},
-  io.netty/netty-resolver {:mvn/version "4.1.130.Final"},
-  io.netty/netty-resolver-dns {:mvn/version "4.1.130.Final"},
+  {:mvn/version "4.2.10.Final"},
+  io.netty/netty-transport-native-kqueue$osx-aarch_64
+  {:mvn/version "4.2.10.Final"},
+  io.netty/netty-transport-native-io_uring$linux-x86_64
+  {:mvn/version "4.2.10.Final"},
+  io.netty/netty-transport-native-io_uring$linux-aarch_64
+  {:mvn/version "4.2.10.Final"},
+  io.netty/netty-codec-http {:mvn/version "4.2.10.Final"},
+  io.netty/netty-codec-http2 {:mvn/version "4.2.10.Final"},
+  io.netty/netty-codec-compression {:mvn/version "4.2.10.Final"},
+  io.netty/netty-handler {:mvn/version "4.2.10.Final"},
+  io.netty/netty-handler-proxy {:mvn/version "4.2.10.Final"},
+  io.netty/netty-resolver {:mvn/version "4.2.10.Final"},
+  io.netty/netty-resolver-dns {:mvn/version "4.2.10.Final"},
   metosin/malli
   {:mvn/version "0.20.0", :exclusions [org.clojure/clojure]}},
  :aliases

@@ -1,5 +1,5 @@
 ;; you'll need to run the script at `deps/lein-to-deps` after changing any dependencies
-(def netty-version "4.1.130.Final")
+(def netty-version "4.2.10.Final")
 (def brotli-version "1.20.0")
 
 
@@ -18,16 +18,19 @@
                  [io.netty/netty-transport-native-epoll ~netty-version :classifier "linux-x86_64"]
                  [io.netty/netty-transport-native-epoll ~netty-version :classifier "linux-aarch_64"]
                  [io.netty/netty-transport-native-kqueue ~netty-version :classifier "osx-x86_64"]
-                 [io.netty.incubator/netty-incubator-transport-native-io_uring "0.0.26.Final" :classifier "linux-x86_64"]
-                 [io.netty.incubator/netty-incubator-transport-native-io_uring "0.0.26.Final" :classifier "linux-aarch_64"]
-                 [io.netty/netty-codec ~netty-version]
+                 [io.netty/netty-transport-native-kqueue ~netty-version :classifier "osx-aarch_64"]
+                 [io.netty/netty-transport-native-io_uring ~netty-version :classifier "linux-x86_64"]
+                 [io.netty/netty-transport-native-io_uring ~netty-version :classifier "linux-aarch_64"]
                  [io.netty/netty-codec-http ~netty-version]
                  [io.netty/netty-codec-http2 ~netty-version]
+                 [io.netty/netty-codec-compression ~netty-version]
                  [io.netty/netty-handler ~netty-version]
                  [io.netty/netty-handler-proxy ~netty-version]
                  [io.netty/netty-resolver ~netty-version]
                  [io.netty/netty-resolver-dns ~netty-version]
                  [metosin/malli "0.20.0" :exclusions [org.clojure/clojure]]]
+  :exclusions [org.bouncycastle/bcprov-jdk15on
+               org.bouncycastle/bcpkix-jdk15on]
   :profiles {:dev                 {:dependencies [[criterium "0.4.6"]
                                                   [cheshire "6.1.0"]
                                                   [org.slf4j/slf4j-simple "2.0.17"]
@@ -37,7 +40,8 @@
                                                   [org.bouncycastle/bcprov-jdk18on "1.83"]
                                                   [org.bouncycastle/bcpkix-jdk18on "1.83" :exclusions [org.bouncycastle/bcutil-jdk18on]]
                                                   ;;[org.bouncycastle/bctls-jdk18on "1.75"]
-                                                  [io.netty/netty-tcnative-boringssl-static "2.0.74.Final"]
+                                                  [io.netty/netty-tcnative-boringssl-static "2.0.75.Final"]
+                                                  [io.netty/netty-pkitesting ~netty-version]
                                                   ;;[com.aayushatharva.brotli4j/all ~brotli-version]
                                                   [com.aayushatharva.brotli4j/brotli4j ~brotli-version]
                                                   [com.aayushatharva.brotli4j/service ~brotli-version]
@@ -66,6 +70,8 @@
                                          "-Dio.netty.allocator.type=unpooled"]}
              :dropped-error-deferred-detection {:jvm-opts ["-Dorg.slf4j.simpleLogger.log.manifold.debug=warn"
                                                            "-Daleph.testutils.detect-dropped-error-deferreds=true"]}
+             :test-unsafe-deny    {:jvm-opts ["--sun-misc-unsafe-memory-access=deny"]}
+             :jdk-21              {:javac-options ^:replace ["--release" "11"]}
              :pedantic            {:pedantic? :abort}
              :trace               {:jvm-opts ["-Dorg.slf4j.simpleLogger.defaultLogLevel=trace"]}
              :profile             {:dependencies [[com.clojure-goes-fast/clj-async-profiler "1.7.0"]]

@@ -249,6 +249,15 @@
                               (some? log-activity)
                               (assoc :log-activity (netty/activity-logger "aleph-client" log-activity))
 
+                              ;; When insecure?, disable endpoint identification (hostname
+                              ;; verification) unless the user explicitly set it. On JDK 8
+                              ;; with OpenSSL/tcnative, Netty 4.2's trust manager wrapping
+                              ;; causes hostname verification to run even with
+                              ;; InsecureTrustManagerFactory, leading to SSLHandshakeException.
+                              (and insecure?
+                                   (not (contains? connection-options :ssl-endpoint-id-alg)))
+                              (assoc :ssl-endpoint-id-alg nil)
+
                               true
                               (update :ssl-context #(client/ssl-context % http-versions insecure?)))
         p (promise)

@@ -1399,6 +1399,21 @@
             true
             http2-conn-pipeline-transform)
 
+    ;; Flush the HTTP/2 connection preface (magic + initial SETTINGS) that was
+    ;; written by Http2ConnectionHandler.sendPreface() during handlerAdded.
+    ;; When Http2FrameCodec is added to an already-active pipeline (the normal
+    ;; case for both client post-SSL-handshake and server ALPN paths),
+    ;; channelActive is never replayed, so the flushPreface guard in
+    ;; PrefaceDecoder.channelActive never fires. Without this explicit flush,
+    ;; the preface sits in SslHandler.pendingUnencryptedWrites and under
+    ;; certain allocator/timing conditions (e.g., unpooled allocator on
+    ;; JDK 21), a SETTINGS ACK can be flushed before the initial SETTINGS,
+    ;; causing the peer to reject the connection.
+    ;; See https://github.com/netty/netty/issues/12089
+    (let [ch (.channel pipeline)]
+      (when (.isActive ch)
+        (.flush ch)))
+
     (log/debug "Conn chan pipeline:" pipeline)
 
     pipeline))