From 3226e5366b712791c8fc68c81d38c189dff27c52 Mon Sep 17 00:00:00 2001 From: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Date: Tue, 31 Mar 2026 09:38:17 +0800 Subject: [PATCH 1/9] fix #156 nstead of pipeline.fireChannelRead(...), forward PacketsMessage from the context of the HTTP/WebSocket codec. Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> --- netty-socketio-core/pom.xml | 5 + .../socketio/SocketIOChannelInitializer.java | 41 +-- .../socketio/transport/PollingTransport.java | 17 +- .../transport/WebSocketTransport.java | 49 +++- .../transport/SocketIoJavaClientSslTest.java | 233 ++++++++++++++++++ .../src/test/resources/ssl/test-socketio.p12 | Bin 0 -> 2748 bytes .../pom.xml | 2 +- pom.xml | 6 + 8 files changed, 329 insertions(+), 24 deletions(-) create mode 100644 netty-socketio-core/src/test/java/com/socketio4j/socketio/transport/SocketIoJavaClientSslTest.java create mode 100644 netty-socketio-core/src/test/resources/ssl/test-socketio.p12 diff --git a/netty-socketio-core/pom.xml b/netty-socketio-core/pom.xml index d297376d..45bfc6c3 100644 --- a/netty-socketio-core/pom.xml +++ b/netty-socketio-core/pom.xml @@ -80,6 +80,11 @@ io.netty netty-codec + + io.netty + netty-tcnative-boringssl-static + true + io.netty netty-transport-native-epoll diff --git a/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java b/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java index dbffb960..75441c17 100644 --- a/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java +++ b/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java @@ -18,11 +18,9 @@ import java.security.KeyStore; -import javax.net.ssl.KeyManagerFactory; -import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; -import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; +import javax.net.ssl.KeyManagerFactory; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -57,7 +55,11 @@ import io.netty.handler.codec.http.HttpRequestDecoder; import io.netty.handler.codec.http.HttpResponseEncoder; import io.netty.handler.codec.http.websocketx.extensions.compression.WebSocketServerCompressionHandler; +import io.netty.handler.ssl.OpenSsl; +import io.netty.handler.ssl.SslContext; +import io.netty.handler.ssl.SslContextBuilder; import io.netty.handler.ssl.SslHandler; +import io.netty.handler.ssl.SslProvider; public class SocketIOChannelInitializer extends ChannelInitializer implements DisconnectableHub { @@ -91,7 +93,7 @@ public class SocketIOChannelInitializer extends ChannelInitializer impl private CancelableScheduler scheduler = new HashedWheelTimeoutScheduler(); private InPacketHandler packetHandler; - private SSLContext sslContext; + private SslContext sslContext; private Configuration configuration; @Override @@ -154,7 +156,7 @@ protected void initChannel(Channel ch) throws Exception { */ protected void addSslHandler(ChannelPipeline pipeline) { if (sslContext != null) { - SSLEngine engine = sslContext.createSSLEngine(); + SSLEngine engine = sslContext.newEngine(pipeline.channel().alloc()); engine.setUseClientMode(false); if (configuration.isNeedClientAuth() && configuration.getSocketSslConfig() != null @@ -200,26 +202,27 @@ protected Object newContinueResponse(HttpMessage start, int maxContentLength, pipeline.addLast(WRONG_URL_HANDLER, wrongUrlHandler); } - private SSLContext createSSLContext(SocketSslConfig socketSslConfig) throws Exception { - TrustManager[] managers = null; - - if (socketSslConfig.getTrustStore() != null) { - KeyStore ts = KeyStore.getInstance(socketSslConfig.getTrustStoreFormat()); - ts.load(socketSslConfig.getTrustStore(), socketSslConfig.getTrustStorePassword().toCharArray()); - TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); - tmf.init(ts); - managers = tmf.getTrustManagers(); - } - + private SslContext createSSLContext(SocketSslConfig socketSslConfig) throws Exception { KeyStore ks = KeyStore.getInstance(socketSslConfig.getKeyStoreFormat()); ks.load(socketSslConfig.getKeyStore(), socketSslConfig.getKeyStorePassword().toCharArray()); KeyManagerFactory kmf = KeyManagerFactory.getInstance(socketSslConfig.getKeyManagerFactoryAlgorithm()); kmf.init(ks, socketSslConfig.getKeyStorePassword().toCharArray()); - SSLContext serverContext = SSLContext.getInstance(socketSslConfig.getSSLProtocol()); - serverContext.init(kmf.getKeyManagers(), managers, null); - return serverContext; + SslProvider sslProvider = OpenSsl.isAvailable() ? SslProvider.OPENSSL : SslProvider.JDK; + + SslContextBuilder builder = SslContextBuilder.forServer(kmf).sslProvider(sslProvider); + if (socketSslConfig.getSSLProtocol() != null) { + builder.protocols(socketSslConfig.getSSLProtocol()); + } + if (socketSslConfig.getTrustStore() != null) { + TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); + KeyStore ts = KeyStore.getInstance(socketSslConfig.getTrustStoreFormat()); + ts.load(socketSslConfig.getTrustStore(), socketSslConfig.getTrustStorePassword().toCharArray()); + tmf.init(ts); + builder.trustManager(tmf); + } + return builder.build(); } @Override diff --git a/netty-socketio-core/src/main/java/com/socketio4j/socketio/transport/PollingTransport.java b/netty-socketio-core/src/main/java/com/socketio4j/socketio/transport/PollingTransport.java index 0aef5412..f6dcc7c5 100644 --- a/netty-socketio-core/src/main/java/com/socketio4j/socketio/transport/PollingTransport.java +++ b/netty-socketio-core/src/main/java/com/socketio4j/socketio/transport/PollingTransport.java @@ -41,11 +41,14 @@ import io.netty.channel.ChannelInboundHandlerAdapter; import io.netty.handler.codec.http.DefaultHttpResponse; import io.netty.handler.codec.http.FullHttpRequest; +import io.netty.handler.codec.http.HttpRequestDecoder; +import io.netty.handler.codec.http.HttpServerCodec; import io.netty.handler.codec.http.HttpHeaderNames; import io.netty.handler.codec.http.HttpMethod; import io.netty.handler.codec.http.HttpResponse; import io.netty.handler.codec.http.HttpResponseStatus; import io.netty.handler.codec.http.QueryStringDecoder; +import io.netty.handler.codec.http.websocketx.WebSocket13FrameDecoder; import static io.netty.handler.codec.http.HttpVersion.HTTP_1_1; @@ -172,7 +175,19 @@ private void onPost(UUID sessionId, ChannelHandlerContext ctx, String origin, By content = decoder.preprocessJson(jsonIndex, content); } - ctx.pipeline().fireChannelRead(new PacketsMessage(client, content, Transport.POLLING)); + ChannelHandlerContext codecCtx = ctx.pipeline().context(HttpRequestDecoder.class); + if (codecCtx == null) { + codecCtx = ctx.pipeline().context(WebSocket13FrameDecoder.class); + } + if (codecCtx == null) { + codecCtx = ctx.pipeline().context(HttpServerCodec.class); + } + PacketsMessage packetsMessage = new PacketsMessage(client, content, Transport.POLLING); + if (codecCtx != null) { + codecCtx.fireChannelRead(packetsMessage); + } else { + ctx.pipeline().fireChannelRead(packetsMessage); + } } protected void onGet(UUID sessionId, ChannelHandlerContext ctx, String origin) { diff --git a/netty-socketio-core/src/main/java/com/socketio4j/socketio/transport/WebSocketTransport.java b/netty-socketio-core/src/main/java/com/socketio4j/socketio/transport/WebSocketTransport.java index 40524fd4..616b9224 100644 --- a/netty-socketio-core/src/main/java/com/socketio4j/socketio/transport/WebSocketTransport.java +++ b/netty-socketio-core/src/main/java/com/socketio4j/socketio/transport/WebSocketTransport.java @@ -46,10 +46,16 @@ import io.netty.handler.codec.http.FullHttpRequest; import io.netty.handler.codec.http.HttpHeaderNames; import io.netty.handler.codec.http.HttpRequest; +import io.netty.handler.codec.http.HttpRequestDecoder; +import io.netty.handler.codec.http.HttpServerCodec; import io.netty.handler.codec.http.QueryStringDecoder; import io.netty.handler.codec.http.websocketx.BinaryWebSocketFrame; import io.netty.handler.codec.http.websocketx.CloseWebSocketFrame; +import io.netty.handler.codec.http.websocketx.WebSocketFrame; +import io.netty.handler.codec.http.websocketx.PingWebSocketFrame; +import io.netty.handler.codec.http.websocketx.PongWebSocketFrame; import io.netty.handler.codec.http.websocketx.TextWebSocketFrame; +import io.netty.handler.codec.http.websocketx.WebSocket13FrameDecoder; import io.netty.handler.codec.http.websocketx.WebSocketFrameAggregator; import io.netty.handler.codec.http.websocketx.WebSocketServerHandshaker; import io.netty.handler.codec.http.websocketx.WebSocketServerHandshakerFactory; @@ -82,6 +88,15 @@ public WebSocketTransport(boolean isSsl, public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception { if (msg instanceof CloseWebSocketFrame) { ctx.channel().writeAndFlush(msg).addListener(ChannelFutureListener.CLOSE); + } else if (msg instanceof PingWebSocketFrame) { + // keep connection alive, mirror pong + ctx.channel().writeAndFlush(new PongWebSocketFrame(((PingWebSocketFrame) msg).content().retain())); + ((PingWebSocketFrame) msg).release(); + return; + } else if (msg instanceof PongWebSocketFrame) { + // ignore + ((PongWebSocketFrame) msg).release(); + return; } else if (msg instanceof BinaryWebSocketFrame || msg instanceof TextWebSocketFrame) { ByteBufHolder frame = (ByteBufHolder) msg; @@ -97,10 +112,18 @@ public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception // Retain its content since we pass it further down the pipeline. PacketsMessage packetsMessage = new PacketsMessage(client, frame.content().retain(), Transport.WEBSOCKET); try { - ctx.pipeline().fireChannelRead(packetsMessage); + firePacketsMessageToPacketHandler(ctx, packetsMessage); } finally { frame.release(); } + } else if (msg instanceof WebSocketFrame) { + // Some clients may send fragmented frames (ContinuationWebSocketFrame) or other control frames. + // Log and release to avoid leaks and to surface missing handling. + if (log.isDebugEnabled()) { + log.debug("Unhandled WebSocketFrame type: {}", msg.getClass().getName()); + } + ((WebSocketFrame) msg).release(); + return; } else if (msg instanceof FullHttpRequest) { FullHttpRequest req = (FullHttpRequest) msg; QueryStringDecoder queryDecoder = new QueryStringDecoder(req.uri()); @@ -141,8 +164,28 @@ public void channelReadComplete(ChannelHandlerContext ctx) throws Exception { ClientHead client = clientsBox.get(ctx.channel()); if (client != null && client.isTransportChannel(ctx.channel(), Transport.WEBSOCKET)) { ctx.flush(); + } + super.channelReadComplete(ctx); + } + + /** + * Deliver engine/socket.io payload to {@link com.socketio4j.socketio.handler.InPacketHandler} without + * re-entering the pipeline from the head (avoids passing {@link PacketsMessage} through {@code SslHandler} + * and the HTTP/WebSocket frame decoder again). + */ + private static void firePacketsMessageToPacketHandler(ChannelHandlerContext ctx, PacketsMessage packetsMessage) { + // After WebSocket handshake, Netty replaces HttpRequestDecoder with WebSocket13FrameDecoder named "wsdecoder". + ChannelHandlerContext codecCtx = ctx.pipeline().context(HttpRequestDecoder.class); + if (codecCtx == null) { + codecCtx = ctx.pipeline().context(WebSocket13FrameDecoder.class); + } + if (codecCtx == null) { + codecCtx = ctx.pipeline().context(HttpServerCodec.class); + } + if (codecCtx != null) { + codecCtx.fireChannelRead(packetsMessage); } else { - super.channelReadComplete(ctx); + ctx.pipeline().fireChannelRead(packetsMessage); } } @@ -168,7 +211,7 @@ private void handshake(ChannelHandlerContext ctx, final UUID sessionId, String p final Channel channel = ctx.channel(); WebSocketServerHandshakerFactory factory = - new WebSocketServerHandshakerFactory(getWebSocketLocation(req), null, true, configuration.getMaxFramePayloadLength()); + new WebSocketServerHandshakerFactory(getWebSocketLocation(req), null, configuration.isWebsocketCompression(), configuration.getMaxFramePayloadLength()); WebSocketServerHandshaker handshaker = factory.newHandshaker(req); if (handshaker != null) { try { diff --git a/netty-socketio-core/src/test/java/com/socketio4j/socketio/transport/SocketIoJavaClientSslTest.java b/netty-socketio-core/src/test/java/com/socketio4j/socketio/transport/SocketIoJavaClientSslTest.java new file mode 100644 index 00000000..02a5a47d --- /dev/null +++ b/netty-socketio-core/src/test/java/com/socketio4j/socketio/transport/SocketIoJavaClientSslTest.java @@ -0,0 +1,233 @@ +/** + * Copyright (c) 2025 The Socketio4j Project + * Parent project : Copyright (c) 2012-2025 Nikita Koksharov + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.socketio4j.socketio.transport; + +import java.io.InputStream; +import java.net.ServerSocket; +import java.security.SecureRandom; +import java.security.cert.X509Certificate; +import java.util.Map; +import java.util.concurrent.CountDownLatch; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.atomic.AtomicReference; + +import javax.net.ssl.SSLContext; +import javax.net.ssl.TrustManager; +import javax.net.ssl.X509TrustManager; + +import org.json.JSONObject; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.Test; + +import com.socketio4j.socketio.Configuration; +import com.socketio4j.socketio.SocketIOServer; +import com.socketio4j.socketio.SocketSslConfig; +import com.socketio4j.socketio.nativeio.TransportType; + +import io.socket.client.Ack; +import io.socket.client.IO; +import io.socket.client.Socket; +import okhttp3.OkHttpClient; + +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertNull; +import static org.junit.jupiter.api.Assertions.assertTrue; + +/** + * End-to-end tests using the official Java {@code socket.io-client} (OkHttp/WebSocket). + */ +public class SocketIoJavaClientSslTest { + + private SocketIOServer server; + + @AfterEach + public void tearDown() { + if (server != null) { + server.stop(); + server = null; + } + } + + @Test + public void shouldReceiveHelloEventAndAckOverWssFromJavaClient() throws Exception { + int port = allocatePort(); + CountDownLatch serverReceivedHello = new CountDownLatch(1); + CountDownLatch clientReceivedAck = new CountDownLatch(1); + CountDownLatch engineHandshakeDone = new CountDownLatch(1); + AtomicReference connectError = new AtomicReference<>(); + + server = startServer(port, testSslConfig(), serverReceivedHello); + + X509TrustManager trustAll = new X509TrustManager() { + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType) { + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, String authType) { + } + + @Override + public X509Certificate[] getAcceptedIssuers() { + return new X509Certificate[0]; + } + }; + SSLContext sslContext = SSLContext.getInstance("TLS"); + sslContext.init(null, new TrustManager[] { trustAll }, new SecureRandom()); + + OkHttpClient okHttp = new OkHttpClient.Builder() + .sslSocketFactory(sslContext.getSocketFactory(), trustAll) + .hostnameVerifier((hostname, session) -> true) + .readTimeout(1, TimeUnit.MINUTES) + .build(); + + IO.Options opts = new IO.Options(); + opts.forceNew = true; + opts.reconnection = false; + opts.transports = new String[] { "websocket" }; + opts.webSocketFactory = okHttp; + opts.callFactory = okHttp; + + Socket socket = IO.socket("https://127.0.0.1:" + port, opts); + try { + socket.on(Socket.EVENT_CONNECT_ERROR, args -> { + Object first = args.length > 0 ? args[0] : null; + if (first instanceof Throwable) { + connectError.set((Throwable) first); + } else { + connectError.set(new IllegalStateException(String.valueOf(first))); + } + engineHandshakeDone.countDown(); + }); + socket.on(Socket.EVENT_CONNECT, args -> { + try { + JSONObject payload = new JSONObject(); + payload.put("a", 1); + socket.emit("hello", payload, (Ack) ackArgs -> { + if (ackArgs.length > 0 && "ok".equals(String.valueOf(ackArgs[0]))) { + clientReceivedAck.countDown(); + } + }); + } catch (Exception e) { + connectError.set(e); + } finally { + engineHandshakeDone.countDown(); + } + }); + socket.connect(); + + assertTrue(engineHandshakeDone.await(20, TimeUnit.SECONDS), + () -> "Engine.IO handshake did not complete: " + connectError.get()); + assertNull(connectError.get(), () -> "connect_error: " + connectError.get()); + assertTrue(serverReceivedHello.await(15, TimeUnit.SECONDS), "server did not receive hello event"); + assertTrue(clientReceivedAck.await(15, TimeUnit.SECONDS), "client did not receive ack"); + } finally { + socket.disconnect(); + } + } + + @Test + public void shouldReceiveHelloEventAndAckOverPlainWebSocketFromJavaClient() throws Exception { + int port = allocatePort(); + CountDownLatch serverReceivedHello = new CountDownLatch(1); + CountDownLatch clientReceivedAck = new CountDownLatch(1); + CountDownLatch engineHandshakeDone = new CountDownLatch(1); + AtomicReference connectError = new AtomicReference<>(); + + server = startServer(port, null, serverReceivedHello); + + IO.Options opts = new IO.Options(); + opts.forceNew = true; + opts.reconnection = false; + opts.transports = new String[] { "websocket" }; + + Socket socket = IO.socket("http://127.0.0.1:" + port, opts); + try { + socket.on(Socket.EVENT_CONNECT_ERROR, args -> { + Object first = args.length > 0 ? args[0] : null; + if (first instanceof Throwable) { + connectError.set((Throwable) first); + } else { + connectError.set(new IllegalStateException(String.valueOf(first))); + } + engineHandshakeDone.countDown(); + }); + socket.on(Socket.EVENT_CONNECT, args -> { + try { + JSONObject payload = new JSONObject(); + payload.put("a", 1); + socket.emit("hello", payload, (Ack) ackArgs -> { + if (ackArgs.length > 0 && "ok".equals(String.valueOf(ackArgs[0]))) { + clientReceivedAck.countDown(); + } + }); + } catch (Exception e) { + connectError.set(e); + } finally { + engineHandshakeDone.countDown(); + } + }); + socket.connect(); + + assertTrue(engineHandshakeDone.await(20, TimeUnit.SECONDS), + () -> "Engine.IO handshake did not complete: " + connectError.get()); + assertNull(connectError.get(), () -> "connect_error: " + connectError.get()); + assertTrue(serverReceivedHello.await(15, TimeUnit.SECONDS), "server did not receive hello event"); + assertTrue(clientReceivedAck.await(15, TimeUnit.SECONDS), "client did not receive ack"); + } finally { + socket.disconnect(); + } + } + + private SocketIOServer startServer(int port, SocketSslConfig ssl, CountDownLatch hello) { + Configuration cfg = new Configuration(); + cfg.setPort(port); + cfg.setOrigin("*"); + if (ssl != null) { + cfg.setSocketSslConfig(ssl); + } + cfg.setTransportType(TransportType.NIO); + + SocketIOServer s = new SocketIOServer(cfg); + s.addEventListener("hello", Map.class, (client, data, ackSender) -> { + hello.countDown(); + ackSender.sendAckData("ok"); + }); + s.start(); + return s; + } + + private SocketSslConfig testSslConfig() throws Exception { + SocketSslConfig ssl = new SocketSslConfig(); + ssl.setSSLProtocol("TLSv1.2"); + ssl.setKeyStoreFormat("PKCS12"); + ssl.setKeyStorePassword("password"); + + InputStream ks = SocketIoJavaClientSslTest.class.getClassLoader() + .getResourceAsStream("ssl/test-socketio.p12"); + assertNotNull(ks, "Missing test keystore resource ssl/test-socketio.p12"); + ssl.setKeyStore(ks); + return ssl; + } + + private int allocatePort() throws Exception { + try (ServerSocket ss = new ServerSocket(0)) { + ss.setReuseAddress(true); + return ss.getLocalPort(); + } + } +} diff --git a/netty-socketio-core/src/test/resources/ssl/test-socketio.p12 b/netty-socketio-core/src/test/resources/ssl/test-socketio.p12 new file mode 100644 index 0000000000000000000000000000000000000000..1a471d2a9337b9051c5d411b7aa64c603b01b6bd GIT binary patch literal 2748 zcma)8cT^IL76$@Ua*|S*JGZ7_CRk}`XwKX@GAu`_Ir>DhauI6cz|j!XQXFNDFXzi` zikTxEIWlvll%@%M&J-K3ciuaF=l%8GANSmIf8+jlf9Ikoum%ut4~hcwh6-ukwz&OO z1SkMxP+(4A3e4^oY>lEoYW|CY6oDy_{9kbHucAZu{>LQ@1A-V72<{hn0(I%P10sTQ zM`8aSg;82y$;iY*Td->tv}UIwbL>yk71Q8pBnYG?4gxBmgrS1}-Ut$c08p|}p$oSy zfPQW^AXt@D z<7D%M3iW8L(FZm zrf?`HJw(lQ_hfybO&&2i>#-sloC)vJa*J%@8xR>2c+))-MQ;wPw6nGY$jx=_MeHQW zo?ER`8_gPP5Ru{2N4>L8zU*WoT*;3H6n`A=n3f$@ViGEEcWzz`nvn<^m3o)bw*%OH zk(G}ryt;qqs1jOlp3&k>ZJ?UBIft<~P;cb}uNAwL5gzRlC<8N{V|68ys>fqnVr zwkj8UuFiLc;Stx=E17X}hwOv->6kQZF|yHOV={*@ZsbTmhZvKCjjHl*sGW)#Qait% z*z8746%u*fa=>gnnx2)u{DU0^9sk+RdrsC#&B!?YogL?&L+icy^>7YRq6O!Jr!3_Y zYyOe0j?-ueFm;(pA}ww;iG4u#W;|~h(TF?4xlSP2=L`z8Hx-)&o_#5K9G>CYQRE$3 zH#m5~AmQ3vZi1A=giJDR3Y-1Dqs|qKu=>{OhIb#3nRn<4f|5!keaB@&N>_Vo!|s#gVFC%k`V0AW6H( zEULP~=_{W#SGg7uo*Dxh6$*PZ0*KL1-o21@H^gT-3TX63+fdz4i4;9v9_PQcCYf25 z5+zgCRYNLkQV!ZUZ+Js1%hm~>c33A1UL`TWr8F*Y(wUpA`}jg~LY&{_)}7fIul>)6 z2Ejs%YZJ)>_~~JHtK6BEv~NhS(o{HOPsG>#XH(}g0~fTSlhnWV+&FR(OLWA3snO`_ zXXSe3{k6FAuB?(Qxa{?%k8D`*rJ5`c`|CzAcuZwJd|p^f>*2{AzaI{<#5Yk@-_9kU zj|7VC4ptKu7E>HY0*q+h_=n9lUoVDHVZAk<2dXxXgnh!_Tl8q`;?C(F^uBw!*keuI zDr6v5Tg<+BR(-@XZ;|qT->ZipLs>IH2Uc|~;SW{~4wTC&c`}t)Abr4msalxVO?r8V z11wX`&NSyNA~UDA%C-YS`R8rxiGg>gY&*fR1}?py1)ioT(x4!(3(=@WwbLU6%;2$LR+Q=a;2wU5(4Ck7AH`ql<_PgNI-e6bDOzh<8>JJsy z^}4HuwG~y*qcC0c;;JPGa;!Bet2#0+$qhd_aNriA+sCA~ zTIbvG`5Bvgmw!64i>%Uf?eM1j2F|Ac-nC?tl}!!dN6Su8HOvh;=STNHDWDHD%J@%O zcns!V30ssA6X`w9lv5F?L=V;2ezW#h;jZQ$>n^|W9%|M4jwdPrV*I=@sk&bRx4x|? zG2@Y6F%r%u%{iU9!uzgooK4Df$NbzN&B?R(yEWh4GP>!-fZ zcU83F*#8sN^-oP+9g*uBN$jz)FZCPTB2&PCx%d_Oz-1@dC&cjAQl!`4E{1hx+E~}N z#Xku}U_feme1u_*NSgO@N_0a-VmTuGG5#$OH@Bw4EHWTA(v&C3xNKD)5N*;pf7YgL zGcZa*dY^-ii$#72wZ3${rh=Sipv2KvYV}@xEiI>9zKOILcG08d#dR#vkiPC>XI_X0 zjiEqyB><5=#>Qvh6L*~*w5^QhIpO`KXWOY$qw!mg6$d{S_p|*i=>=5x`aYCT4 zoqvfwAPyVZF>`a~Bid$K*8!*YS3Cp)v4d!vDflPcT4_7zT`fSak7dY=W0PG!aD|ETtF23e9?PvILdyk1*9p3$Jy0TXMgjhP$z%B}JJ@#xB z5a)S{N_z7J-_&!;0&A*7AGhQD6EI?ij+$8D2f7|Z?#RxwN9 za?5Q(Tl|bRH6edRY6=Rqi&d-anAnF^$?WttT|3!)Q+!tX(XHlAJ*y#C(;MBzSId+$ zSgk|%?9xRRKewE8j%2kp-X@=JPAVSPGaF1h7*xc`--;KO*VN$|`8f43Y+&>LfV z($Al2Ia_rzL~C+P?{(Nc#1^fz@-W5$azIhxyOYh#V?*M1I9SmG->IeA#Y zYuVcKoXMLH78yxS)VJ9;u^dmx{)y@`C534_cp8?3JnRqFM>OJLcy4vn<`V zj{`qNMs&W8FsBlD_NLC5MSS()%Yu+#SM1GC)yo39p9yYR^a z*bF~sUNd{@P?ritC{O0I(v^PH#arD)jS>DVIrJyK@f=8utDkgL+j}pMQyv?;FaHCM zK^-+eCe+{dj1wIhD>MhEl5;eknx+)h6rPB$=Gq{u<^~ma?iC_|=2oeNx+%Wq`nXi2 zkSt-qQChdmHL<)MpA|0(jr+ITt)`P98(U$_xi&fBf zo~OcBr#&xPb}OzLg?GXyuf4kv5&9<@W72Ckrh1xP(oRTX%#H2; zbs(UhXKj>GwkR}8_1=Wy<-gyUqAd7@>;I7a`#jS8)tENettySocketIO Spring Boot Examples - 4.1.119.Final + 4.2.9.Final diff --git a/pom.xml b/pom.xml index a2917e19..da8838fb 100644 --- a/pom.xml +++ b/pom.xml @@ -66,6 +66,7 @@ UTF-8 2.0.3 4.2.9.Final + 2.0.74.Final 1.50 1.18.4 6.0.2 @@ -278,6 +279,11 @@ netty-codec ${netty.version} + + io.netty + netty-tcnative-boringssl-static + ${netty.tcnative.version} + io.netty netty-transport-native-epoll From c45d67ef0c2cc9b3cffdd2c1b0b4df572c95d270 Mon Sep 17 00:00:00 2001 From: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Date: Tue, 31 Mar 2026 10:04:06 +0800 Subject: [PATCH 2/9] fix(ssl): validate ssl protocol names Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> --- .../socketio/SocketIOChannelInitializer.java | 22 +++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java b/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java index 75441c17..a68ea7be 100644 --- a/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java +++ b/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java @@ -212,8 +212,17 @@ private SslContext createSSLContext(SocketSslConfig socketSslConfig) throws Exce SslProvider sslProvider = OpenSsl.isAvailable() ? SslProvider.OPENSSL : SslProvider.JDK; SslContextBuilder builder = SslContextBuilder.forServer(kmf).sslProvider(sslProvider); - if (socketSslConfig.getSSLProtocol() != null) { - builder.protocols(socketSslConfig.getSSLProtocol()); + String sslProtocol = socketSslConfig.getSSLProtocol(); + if (sslProtocol != null) { + // SocketSslConfig historically accepted SSLContext algorithm names like "TLS". + // SslContextBuilder.protocols(...) expects concrete enabled protocol versions. + if (isTlsProtocolVersion(sslProtocol)) { + builder.protocols(sslProtocol); + } else { + log.warn("Ignoring SocketSslConfig.sslProtocol='{}' because it is not a concrete TLS protocol " + + "version (expected values like 'TLSv1.2' or 'TLSv1.3'). Using provider defaults instead.", + sslProtocol); + } } if (socketSslConfig.getTrustStore() != null) { TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); @@ -225,6 +234,15 @@ private SslContext createSSLContext(SocketSslConfig socketSslConfig) throws Exce return builder.build(); } + private static boolean isTlsProtocolVersion(String value) { + // Common enabled-protocol tokens used by JSSE/Netty. + // Accept "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3". + if (value == null) { + return false; + } + return value.matches("^TLSv1(\\.[0-3])?$"); + } + @Override public void onDisconnect(ClientHead client) { ackManager.onDisconnect(client); From a33b37c2b3fec1453a130235b3734b9a779aa5e3 Mon Sep 17 00:00:00 2001 From: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Date: Tue, 31 Mar 2026 10:09:36 +0800 Subject: [PATCH 3/9] fix(ssl): try-with-resources ssl context Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> --- .../socketio4j/socketio/SocketIOChannelInitializer.java | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java b/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java index a68ea7be..2f57a994 100644 --- a/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java +++ b/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java @@ -16,6 +16,7 @@ */ package com.socketio4j.socketio; +import java.io.InputStream; import java.security.KeyStore; import javax.net.ssl.SSLEngine; @@ -204,7 +205,9 @@ protected Object newContinueResponse(HttpMessage start, int maxContentLength, private SslContext createSSLContext(SocketSslConfig socketSslConfig) throws Exception { KeyStore ks = KeyStore.getInstance(socketSslConfig.getKeyStoreFormat()); - ks.load(socketSslConfig.getKeyStore(), socketSslConfig.getKeyStorePassword().toCharArray()); + try (InputStream keyStoreStream = socketSslConfig.getKeyStore()) { + ks.load(keyStoreStream, socketSslConfig.getKeyStorePassword().toCharArray()); + } KeyManagerFactory kmf = KeyManagerFactory.getInstance(socketSslConfig.getKeyManagerFactoryAlgorithm()); kmf.init(ks, socketSslConfig.getKeyStorePassword().toCharArray()); @@ -227,7 +230,9 @@ private SslContext createSSLContext(SocketSslConfig socketSslConfig) throws Exce if (socketSslConfig.getTrustStore() != null) { TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); KeyStore ts = KeyStore.getInstance(socketSslConfig.getTrustStoreFormat()); - ts.load(socketSslConfig.getTrustStore(), socketSslConfig.getTrustStorePassword().toCharArray()); + try (InputStream trustStoreStream = socketSslConfig.getTrustStore()) { + ts.load(trustStoreStream, socketSslConfig.getTrustStorePassword().toCharArray()); + } tmf.init(ts); builder.trustManager(tmf); } From 3117f43c331098550c39f6aef310f0f2a1e1ad96 Mon Sep 17 00:00:00 2001 From: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Date: Tue, 31 Mar 2026 10:20:47 +0800 Subject: [PATCH 4/9] fix(ssl): optimize flaky tests and accept 0 port Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> --- .../socketio4j/socketio/SocketIOServer.java | 10 +++++++++ .../transport/SocketIoJavaClientSslTest.java | 22 +++++++++++-------- 2 files changed, 23 insertions(+), 9 deletions(-) diff --git a/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOServer.java b/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOServer.java index 62fc8486..b10d233b 100644 --- a/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOServer.java +++ b/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOServer.java @@ -598,6 +598,16 @@ public Future startAsync() { if (future.isSuccess()) { ChannelFuture cf = (ChannelFuture) future; serverChannel.set(cf.channel()); + if (configCopy.getPort() == 0) { + try { + InetSocketAddress local = (InetSocketAddress) cf.channel().localAddress(); + int actualPort = local.getPort(); + configCopy.setPort(actualPort); + configuration.setPort(actualPort); + } catch (Exception ignore) { + // keep configured port if localAddress is not InetSocketAddress + } + } serverStatus.set(ServerStatus.STARTED); log.info("SocketIO server started on port {}", configCopy.getPort()); installShutdownHookOnce(); diff --git a/netty-socketio-core/src/test/java/com/socketio4j/socketio/transport/SocketIoJavaClientSslTest.java b/netty-socketio-core/src/test/java/com/socketio4j/socketio/transport/SocketIoJavaClientSslTest.java index 02a5a47d..53d05606 100644 --- a/netty-socketio-core/src/test/java/com/socketio4j/socketio/transport/SocketIoJavaClientSslTest.java +++ b/netty-socketio-core/src/test/java/com/socketio4j/socketio/transport/SocketIoJavaClientSslTest.java @@ -17,7 +17,6 @@ package com.socketio4j.socketio.transport; import java.io.InputStream; -import java.net.ServerSocket; import java.security.SecureRandom; import java.security.cert.X509Certificate; import java.util.Map; @@ -64,13 +63,14 @@ public void tearDown() { @Test public void shouldReceiveHelloEventAndAckOverWssFromJavaClient() throws Exception { - int port = allocatePort(); CountDownLatch serverReceivedHello = new CountDownLatch(1); CountDownLatch clientReceivedAck = new CountDownLatch(1); CountDownLatch engineHandshakeDone = new CountDownLatch(1); AtomicReference connectError = new AtomicReference<>(); - server = startServer(port, testSslConfig(), serverReceivedHello); + server = startServer(0, testSslConfig(), serverReceivedHello); + int port = awaitBoundPort(server); + assertTrue(port > 0, "server did not bind an ephemeral port"); X509TrustManager trustAll = new X509TrustManager() { @Override @@ -142,13 +142,14 @@ public X509Certificate[] getAcceptedIssuers() { @Test public void shouldReceiveHelloEventAndAckOverPlainWebSocketFromJavaClient() throws Exception { - int port = allocatePort(); CountDownLatch serverReceivedHello = new CountDownLatch(1); CountDownLatch clientReceivedAck = new CountDownLatch(1); CountDownLatch engineHandshakeDone = new CountDownLatch(1); AtomicReference connectError = new AtomicReference<>(); - server = startServer(port, null, serverReceivedHello); + server = startServer(0, null, serverReceivedHello); + int port = awaitBoundPort(server); + assertTrue(port > 0, "server did not bind an ephemeral port"); IO.Options opts = new IO.Options(); opts.forceNew = true; @@ -224,10 +225,13 @@ private SocketSslConfig testSslConfig() throws Exception { return ssl; } - private int allocatePort() throws Exception { - try (ServerSocket ss = new ServerSocket(0)) { - ss.setReuseAddress(true); - return ss.getLocalPort(); + private static int awaitBoundPort(SocketIOServer server) throws InterruptedException { + long deadlineNs = System.nanoTime() + TimeUnit.SECONDS.toNanos(5); + int port = server.getConfiguration().getPort(); + while (port == 0 && System.nanoTime() < deadlineNs) { + Thread.sleep(10); + port = server.getConfiguration().getPort(); } + return port; } } From 8f31846f2737fee54b25df36bb930af0ba47e03e Mon Sep 17 00:00:00 2001 From: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Date: Wed, 1 Apr 2026 11:00:15 +0800 Subject: [PATCH 5/9] fix(ssl): optimize test cases and ssl restart Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> --- .../socketio/SocketIOChannelInitializer.java | 23 +++-- .../socketio4j/socketio/SocketSslConfig.java | 67 ++++++++++++- .../socketio/SocketSslServerRestartTest.java | 72 ++++++++++++++ .../transport/SocketIoJavaClientSslTest.java | 99 +++++++++++++++++++ 4 files changed, 253 insertions(+), 8 deletions(-) create mode 100644 netty-socketio-core/src/test/java/com/socketio4j/socketio/SocketSslServerRestartTest.java diff --git a/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java b/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java index 2f57a994..f7b781d3 100644 --- a/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java +++ b/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java @@ -16,6 +16,7 @@ */ package com.socketio4j.socketio; +import java.io.ByteArrayInputStream; import java.io.InputStream; import java.security.KeyStore; @@ -114,7 +115,7 @@ public void start(Configuration configuration, NamespacesHub namespacesHub) { String connectPath = configuration.getContext() + "/"; SocketSslConfig socketSslConfig = configuration.getSocketSslConfig(); - boolean isSsl = socketSslConfig != null && socketSslConfig.getKeyStore() != null; + boolean isSsl = socketSslConfig != null && socketSslConfig.hasKeyStore(); if (isSsl) { try { sslContext = createSSLContext(socketSslConfig); @@ -161,7 +162,7 @@ protected void addSslHandler(ChannelPipeline pipeline) { engine.setUseClientMode(false); if (configuration.isNeedClientAuth() && configuration.getSocketSslConfig() != null - && configuration.getSocketSslConfig().getTrustStore() != null) { + && configuration.getSocketSslConfig().hasTrustStore()) { engine.setNeedClientAuth(true); } pipeline.addLast(SSL_HANDLER, new SslHandler(engine)); @@ -204,8 +205,12 @@ protected Object newContinueResponse(HttpMessage start, int maxContentLength, } private SslContext createSSLContext(SocketSslConfig socketSslConfig) throws Exception { + byte[] keyMaterial = socketSslConfig.resolveKeyStoreBytes(); + if (keyMaterial == null) { + throw new IllegalStateException("SocketSslConfig key store material is missing"); + } KeyStore ks = KeyStore.getInstance(socketSslConfig.getKeyStoreFormat()); - try (InputStream keyStoreStream = socketSslConfig.getKeyStore()) { + try (InputStream keyStoreStream = new ByteArrayInputStream(keyMaterial)) { ks.load(keyStoreStream, socketSslConfig.getKeyStorePassword().toCharArray()); } @@ -227,10 +232,14 @@ private SslContext createSSLContext(SocketSslConfig socketSslConfig) throws Exce sslProtocol); } } - if (socketSslConfig.getTrustStore() != null) { + if (socketSslConfig.hasTrustStore()) { + byte[] trustMaterial = socketSslConfig.resolveTrustStoreBytes(); + if (trustMaterial == null) { + throw new IllegalStateException("SocketSslConfig trust store material is missing"); + } TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); KeyStore ts = KeyStore.getInstance(socketSslConfig.getTrustStoreFormat()); - try (InputStream trustStoreStream = socketSslConfig.getTrustStore()) { + try (InputStream trustStoreStream = new ByteArrayInputStream(trustMaterial)) { ts.load(trustStoreStream, socketSslConfig.getTrustStorePassword().toCharArray()); } tmf.init(ts); @@ -241,11 +250,11 @@ private SslContext createSSLContext(SocketSslConfig socketSslConfig) throws Exce private static boolean isTlsProtocolVersion(String value) { // Common enabled-protocol tokens used by JSSE/Netty. - // Accept "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3". + // Accept "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"; reject "TLSv1.0" and other dotted minors. if (value == null) { return false; } - return value.matches("^TLSv1(\\.[0-3])?$"); + return value.matches("^TLSv1(\\.(1|2|3))?$"); } @Override diff --git a/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketSslConfig.java b/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketSslConfig.java index 6b76b8fc..d4314b8d 100644 --- a/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketSslConfig.java +++ b/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketSslConfig.java @@ -16,6 +16,7 @@ */ package com.socketio4j.socketio; +import java.io.IOException; import java.io.InputStream; import javax.net.ssl.KeyManagerFactory; @@ -31,6 +32,10 @@ public class SocketSslConfig { private InputStream trustStore; private String trustStorePassword; + private final Object sslMaterialLock = new Object(); + private byte[] cachedKeyStoreBytes; + private byte[] cachedTrustStoreBytes; + private String keyManagerFactoryAlgorithm = KeyManagerFactory.getDefaultAlgorithm(); /** @@ -47,7 +52,12 @@ public String getKeyStorePassword() { } /** - * SSL key store stream, maybe appointed to any source + * SSL key store stream, maybe appointed to any source. + *

+ * On the first TLS context build when the server starts, the stream is read fully into memory and closed; + * later start/stop cycles reuse the buffered bytes so the same {@code SocketSslConfig} instance remains valid. + * After buffering, {@link #getKeyStore()} returns {@code null}. + *

* * @param keyStore - key store input stream */ @@ -59,6 +69,31 @@ public InputStream getKeyStore() { return keyStore; } + /** + * Whether a key store is configured (stream not yet consumed or already buffered). + */ + public boolean hasKeyStore() { + synchronized (sslMaterialLock) { + return keyStore != null || cachedKeyStoreBytes != null; + } + } + + byte[] resolveKeyStoreBytes() throws IOException { + synchronized (sslMaterialLock) { + if (cachedKeyStoreBytes != null) { + return cachedKeyStoreBytes; + } + if (keyStore == null) { + return null; + } + try (InputStream in = keyStore) { + cachedKeyStoreBytes = in.readAllBytes(); + } + keyStore = null; + return cachedKeyStoreBytes; + } + } + /** * Key store format * @@ -85,10 +120,40 @@ public InputStream getTrustStore() { return trustStore; } + /** + * Trust store stream. Same buffering and lifecycle as {@link #setKeyStore(InputStream)}. + * + * @param trustStore trust store input stream + */ public void setTrustStore(InputStream trustStore) { this.trustStore = trustStore; } + /** + * Whether a trust store is configured (stream not yet consumed or already buffered). + */ + public boolean hasTrustStore() { + synchronized (sslMaterialLock) { + return trustStore != null || cachedTrustStoreBytes != null; + } + } + + byte[] resolveTrustStoreBytes() throws IOException { + synchronized (sslMaterialLock) { + if (cachedTrustStoreBytes != null) { + return cachedTrustStoreBytes; + } + if (trustStore == null) { + return null; + } + try (InputStream in = trustStore) { + cachedTrustStoreBytes = in.readAllBytes(); + } + trustStore = null; + return cachedTrustStoreBytes; + } + } + public String getTrustStorePassword() { return trustStorePassword; } diff --git a/netty-socketio-core/src/test/java/com/socketio4j/socketio/SocketSslServerRestartTest.java b/netty-socketio-core/src/test/java/com/socketio4j/socketio/SocketSslServerRestartTest.java new file mode 100644 index 00000000..7322c7b7 --- /dev/null +++ b/netty-socketio-core/src/test/java/com/socketio4j/socketio/SocketSslServerRestartTest.java @@ -0,0 +1,72 @@ +/** + * Copyright (c) 2025 The Socketio4j Project + * Parent project : Copyright (c) 2012-2025 Nikita Koksharov + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.socketio4j.socketio; + +import java.io.InputStream; +import java.util.concurrent.TimeUnit; + +import org.junit.jupiter.api.Test; + +import com.socketio4j.socketio.nativeio.TransportType; + +import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertTrue; + +/** + * Ensures TLS material from {@link SocketSslConfig} survives stop/start when streams are not reusable. + */ +public class SocketSslServerRestartTest { + + @Test + public void shouldStartStopStartWithSameSocketSslConfig() throws Exception { + Configuration cfg = new Configuration(); + cfg.setPort(0); + cfg.setOrigin("*"); + cfg.setTransportType(TransportType.NIO); + + SocketSslConfig ssl = new SocketSslConfig(); + ssl.setSSLProtocol("TLSv1.2"); + ssl.setKeyStoreFormat("PKCS12"); + ssl.setKeyStorePassword("password"); + InputStream ks = SocketSslServerRestartTest.class.getClassLoader() + .getResourceAsStream("ssl/test-socketio.p12"); + assertNotNull(ks, "Missing test keystore ssl/test-socketio.p12"); + ssl.setKeyStore(ks); + + cfg.setSocketSslConfig(ssl); + + SocketIOServer server = new SocketIOServer(cfg); + server.start(); + int port = awaitBoundPort(server); + assertTrue(port > 0); + server.stop(); + + assertDoesNotThrow(server::start, "second start should rebuild SSL from buffered keystore bytes"); + server.stop(); + } + + private static int awaitBoundPort(SocketIOServer server) throws InterruptedException { + long deadlineNs = System.nanoTime() + TimeUnit.SECONDS.toNanos(5); + int port = server.getConfiguration().getPort(); + while (port == 0 && System.nanoTime() < deadlineNs) { + Thread.sleep(10); + port = server.getConfiguration().getPort(); + } + return port; + } +} diff --git a/netty-socketio-core/src/test/java/com/socketio4j/socketio/transport/SocketIoJavaClientSslTest.java b/netty-socketio-core/src/test/java/com/socketio4j/socketio/transport/SocketIoJavaClientSslTest.java index 53d05606..a3897d56 100644 --- a/netty-socketio-core/src/test/java/com/socketio4j/socketio/transport/SocketIoJavaClientSslTest.java +++ b/netty-socketio-core/src/test/java/com/socketio4j/socketio/transport/SocketIoJavaClientSslTest.java @@ -22,6 +22,7 @@ import java.util.Map; import java.util.concurrent.CountDownLatch; import java.util.concurrent.TimeUnit; +import java.util.concurrent.atomic.AtomicBoolean; import java.util.concurrent.atomic.AtomicReference; import javax.net.ssl.SSLContext; @@ -42,6 +43,7 @@ import io.socket.client.Socket; import okhttp3.OkHttpClient; +import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertNull; import static org.junit.jupiter.api.Assertions.assertTrue; @@ -140,6 +142,96 @@ public X509Certificate[] getAcceptedIssuers() { } } + /** + * Exercises polling first (POST body via {@code PollingTransport.onPost}), then upgrade to WebSocket. + * Server pushes an event right after connect so delivery runs while the client may still be on polling. + */ + @Test + public void shouldPollUpgradeToWebSocketWithServerPushAndClientHelloAckOverWss() throws Exception { + CountDownLatch serverReceivedHello = new CountDownLatch(1); + CountDownLatch clientReceivedAck = new CountDownLatch(1); + CountDownLatch clientReceivedWelcome = new CountDownLatch(1); + CountDownLatch engineHandshakeDone = new CountDownLatch(1); + AtomicReference connectError = new AtomicReference<>(); + AtomicBoolean unexpectedDisconnect = new AtomicBoolean(false); + + server = startServer(0, testSslConfig(), serverReceivedHello, true); + int port = awaitBoundPort(server); + assertTrue(port > 0, "server did not bind an ephemeral port"); + + X509TrustManager trustAll = new X509TrustManager() { + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType) { + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, String authType) { + } + + @Override + public X509Certificate[] getAcceptedIssuers() { + return new X509Certificate[0]; + } + }; + SSLContext sslContext = SSLContext.getInstance("TLS"); + sslContext.init(null, new TrustManager[] { trustAll }, new SecureRandom()); + + OkHttpClient okHttp = new OkHttpClient.Builder() + .sslSocketFactory(sslContext.getSocketFactory(), trustAll) + .hostnameVerifier((hostname, session) -> true) + .readTimeout(1, TimeUnit.MINUTES) + .build(); + + IO.Options opts = new IO.Options(); + opts.forceNew = true; + opts.reconnection = false; + opts.transports = new String[] { "polling", "websocket" }; + opts.webSocketFactory = okHttp; + opts.callFactory = okHttp; + + Socket socket = IO.socket("https://127.0.0.1:" + port, opts); + try { + socket.on(Socket.EVENT_DISCONNECT, args -> unexpectedDisconnect.set(true)); + socket.on(Socket.EVENT_CONNECT_ERROR, args -> { + Object first = args.length > 0 ? args[0] : null; + if (first instanceof Throwable) { + connectError.set((Throwable) first); + } else { + connectError.set(new IllegalStateException(String.valueOf(first))); + } + engineHandshakeDone.countDown(); + }); + socket.on("welcome", args -> clientReceivedWelcome.countDown()); + socket.on(Socket.EVENT_CONNECT, args -> { + try { + JSONObject payload = new JSONObject(); + payload.put("a", 1); + socket.emit("hello", payload, (Ack) ackArgs -> { + if (ackArgs.length > 0 && "ok".equals(String.valueOf(ackArgs[0]))) { + clientReceivedAck.countDown(); + } + }); + } catch (Exception e) { + connectError.set(e); + } finally { + engineHandshakeDone.countDown(); + } + }); + socket.connect(); + + assertTrue(engineHandshakeDone.await(20, TimeUnit.SECONDS), + () -> "Engine.IO handshake did not complete: " + connectError.get()); + assertNull(connectError.get(), () -> "connect_error: " + connectError.get()); + assertFalse(unexpectedDisconnect.get(), "client disconnected before assertions"); + assertTrue(clientReceivedWelcome.await(15, TimeUnit.SECONDS), "client did not receive server welcome on polling/upgrade path"); + assertTrue(serverReceivedHello.await(15, TimeUnit.SECONDS), "server did not receive hello event"); + assertTrue(clientReceivedAck.await(15, TimeUnit.SECONDS), "client did not receive ack"); + assertFalse(unexpectedDisconnect.get(), "client disconnected during polling upgrade or ack"); + } finally { + socket.disconnect(); + } + } + @Test public void shouldReceiveHelloEventAndAckOverPlainWebSocketFromJavaClient() throws Exception { CountDownLatch serverReceivedHello = new CountDownLatch(1); @@ -195,6 +287,10 @@ public void shouldReceiveHelloEventAndAckOverPlainWebSocketFromJavaClient() thro } private SocketIOServer startServer(int port, SocketSslConfig ssl, CountDownLatch hello) { + return startServer(port, ssl, hello, false); + } + + private SocketIOServer startServer(int port, SocketSslConfig ssl, CountDownLatch hello, boolean sendWelcomeOnConnect) { Configuration cfg = new Configuration(); cfg.setPort(port); cfg.setOrigin("*"); @@ -208,6 +304,9 @@ private SocketIOServer startServer(int port, SocketSslConfig ssl, CountDownLatch hello.countDown(); ackSender.sendAckData("ok"); }); + if (sendWelcomeOnConnect) { + s.addConnectListener(client -> client.sendEvent("welcome", "from-server")); + } s.start(); return s; } From 58e2eb656e7059fd77ef570ff45a5bf9c2528706 Mon Sep 17 00:00:00 2001 From: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Date: Wed, 1 Apr 2026 17:01:18 +0800 Subject: [PATCH 6/9] fix(ssl): optimize config loading compliance to Java 8 Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> --- .../socketio4j/socketio/SocketSslConfig.java | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketSslConfig.java b/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketSslConfig.java index d4314b8d..93640aa3 100644 --- a/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketSslConfig.java +++ b/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketSslConfig.java @@ -16,6 +16,7 @@ */ package com.socketio4j.socketio; +import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; @@ -87,7 +88,13 @@ byte[] resolveKeyStoreBytes() throws IOException { return null; } try (InputStream in = keyStore) { - cachedKeyStoreBytes = in.readAllBytes(); + ByteArrayOutputStream out = new ByteArrayOutputStream(); + byte[] buffer = new byte[4096]; + int read; + while ((read = in.read(buffer)) != -1) { + out.write(buffer, 0, read); + } + cachedKeyStoreBytes = out.toByteArray(); } keyStore = null; return cachedKeyStoreBytes; @@ -147,7 +154,13 @@ byte[] resolveTrustStoreBytes() throws IOException { return null; } try (InputStream in = trustStore) { - cachedTrustStoreBytes = in.readAllBytes(); + ByteArrayOutputStream out = new ByteArrayOutputStream(); + byte[] buffer = new byte[4096]; + int read; + while ((read = in.read(buffer)) != -1) { + out.write(buffer, 0, read); + } + cachedTrustStoreBytes = out.toByteArray(); } trustStore = null; return cachedTrustStoreBytes; From fb01ac943e970b9eae4b89bd8333f51dc765612f Mon Sep 17 00:00:00 2001 From: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Date: Thu, 2 Apr 2026 08:59:42 +0800 Subject: [PATCH 7/9] fix(ssl): fix check style Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> --- .../socketio4j/socketio/SocketIOChannelInitializer.java | 9 +++++++-- .../socketio4j/socketio/transport/PollingTransport.java | 4 ++-- .../socketio/transport/WebSocketTransport.java | 2 +- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java b/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java index f7b781d3..6170c013 100644 --- a/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java +++ b/netty-socketio-core/src/main/java/com/socketio4j/socketio/SocketIOChannelInitializer.java @@ -20,9 +20,9 @@ import java.io.InputStream; import java.security.KeyStore; +import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLEngine; import javax.net.ssl.TrustManagerFactory; -import javax.net.ssl.KeyManagerFactory; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -217,7 +217,12 @@ private SslContext createSSLContext(SocketSslConfig socketSslConfig) throws Exce KeyManagerFactory kmf = KeyManagerFactory.getInstance(socketSslConfig.getKeyManagerFactoryAlgorithm()); kmf.init(ks, socketSslConfig.getKeyStorePassword().toCharArray()); - SslProvider sslProvider = OpenSsl.isAvailable() ? SslProvider.OPENSSL : SslProvider.JDK; + SslProvider sslProvider; + if (OpenSsl.isAvailable()) { + sslProvider = SslProvider.OPENSSL; + } else { + sslProvider = SslProvider.JDK; + } SslContextBuilder builder = SslContextBuilder.forServer(kmf).sslProvider(sslProvider); String sslProtocol = socketSslConfig.getSSLProtocol(); diff --git a/netty-socketio-core/src/main/java/com/socketio4j/socketio/transport/PollingTransport.java b/netty-socketio-core/src/main/java/com/socketio4j/socketio/transport/PollingTransport.java index f6dcc7c5..1e34aeae 100644 --- a/netty-socketio-core/src/main/java/com/socketio4j/socketio/transport/PollingTransport.java +++ b/netty-socketio-core/src/main/java/com/socketio4j/socketio/transport/PollingTransport.java @@ -41,12 +41,12 @@ import io.netty.channel.ChannelInboundHandlerAdapter; import io.netty.handler.codec.http.DefaultHttpResponse; import io.netty.handler.codec.http.FullHttpRequest; -import io.netty.handler.codec.http.HttpRequestDecoder; -import io.netty.handler.codec.http.HttpServerCodec; import io.netty.handler.codec.http.HttpHeaderNames; import io.netty.handler.codec.http.HttpMethod; +import io.netty.handler.codec.http.HttpRequestDecoder; import io.netty.handler.codec.http.HttpResponse; import io.netty.handler.codec.http.HttpResponseStatus; +import io.netty.handler.codec.http.HttpServerCodec; import io.netty.handler.codec.http.QueryStringDecoder; import io.netty.handler.codec.http.websocketx.WebSocket13FrameDecoder; diff --git a/netty-socketio-core/src/main/java/com/socketio4j/socketio/transport/WebSocketTransport.java b/netty-socketio-core/src/main/java/com/socketio4j/socketio/transport/WebSocketTransport.java index 616b9224..d1fb1609 100644 --- a/netty-socketio-core/src/main/java/com/socketio4j/socketio/transport/WebSocketTransport.java +++ b/netty-socketio-core/src/main/java/com/socketio4j/socketio/transport/WebSocketTransport.java @@ -51,11 +51,11 @@ import io.netty.handler.codec.http.QueryStringDecoder; import io.netty.handler.codec.http.websocketx.BinaryWebSocketFrame; import io.netty.handler.codec.http.websocketx.CloseWebSocketFrame; -import io.netty.handler.codec.http.websocketx.WebSocketFrame; import io.netty.handler.codec.http.websocketx.PingWebSocketFrame; import io.netty.handler.codec.http.websocketx.PongWebSocketFrame; import io.netty.handler.codec.http.websocketx.TextWebSocketFrame; import io.netty.handler.codec.http.websocketx.WebSocket13FrameDecoder; +import io.netty.handler.codec.http.websocketx.WebSocketFrame; import io.netty.handler.codec.http.websocketx.WebSocketFrameAggregator; import io.netty.handler.codec.http.websocketx.WebSocketServerHandshaker; import io.netty.handler.codec.http.websocketx.WebSocketServerHandshakerFactory; From 5e5aaf198de1184a96792870ac039d53c3bad958 Mon Sep 17 00:00:00 2001 From: sanjomo Date: Thu, 2 Apr 2026 15:47:04 +0530 Subject: [PATCH 8/9] test with just polling transport - ssl and non ssl --- .../transport/SocketIoJavaClientSslTest.java | 133 ++++++++++++++++++ 1 file changed, 133 insertions(+) diff --git a/netty-socketio-core/src/test/java/com/socketio4j/socketio/transport/SocketIoJavaClientSslTest.java b/netty-socketio-core/src/test/java/com/socketio4j/socketio/transport/SocketIoJavaClientSslTest.java index a3897d56..ab5a262d 100644 --- a/netty-socketio-core/src/test/java/com/socketio4j/socketio/transport/SocketIoJavaClientSslTest.java +++ b/netty-socketio-core/src/test/java/com/socketio4j/socketio/transport/SocketIoJavaClientSslTest.java @@ -286,6 +286,139 @@ public void shouldReceiveHelloEventAndAckOverPlainWebSocketFromJavaClient() thro } } + @Test + public void shouldReceiveHelloEventAndAckOverPollingFromJavaClient() throws Exception { + CountDownLatch serverReceivedHello = new CountDownLatch(1); + CountDownLatch clientReceivedAck = new CountDownLatch(1); + CountDownLatch engineHandshakeDone = new CountDownLatch(1); + AtomicReference connectError = new AtomicReference<>(); + + server = startServer(0, testSslConfig(), serverReceivedHello); + int port = awaitBoundPort(server); + assertTrue(port > 0, "server did not bind an ephemeral port"); + + X509TrustManager trustAll = new X509TrustManager() { + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType) { + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, String authType) { + } + + @Override + public X509Certificate[] getAcceptedIssuers() { + return new X509Certificate[0]; + } + }; + SSLContext sslContext = SSLContext.getInstance("TLS"); + sslContext.init(null, new TrustManager[] { trustAll }, new SecureRandom()); + + OkHttpClient okHttp = new OkHttpClient.Builder() + .sslSocketFactory(sslContext.getSocketFactory(), trustAll) + .hostnameVerifier((hostname, session) -> true) + .readTimeout(1, TimeUnit.MINUTES) + .build(); + + IO.Options opts = new IO.Options(); + opts.forceNew = true; + opts.reconnection = false; + opts.transports = new String[] { "polling" }; + opts.webSocketFactory = okHttp; + opts.callFactory = okHttp; + + Socket socket = IO.socket("https://127.0.0.1:" + port, opts); + try { + socket.on(Socket.EVENT_CONNECT_ERROR, args -> { + Object first = args.length > 0 ? args[0] : null; + if (first instanceof Throwable) { + connectError.set((Throwable) first); + } else { + connectError.set(new IllegalStateException(String.valueOf(first))); + } + engineHandshakeDone.countDown(); + }); + socket.on(Socket.EVENT_CONNECT, args -> { + try { + JSONObject payload = new JSONObject(); + payload.put("a", 1); + socket.emit("hello", payload, (Ack) ackArgs -> { + if (ackArgs.length > 0 && "ok".equals(String.valueOf(ackArgs[0]))) { + clientReceivedAck.countDown(); + } + }); + } catch (Exception e) { + connectError.set(e); + } finally { + engineHandshakeDone.countDown(); + } + }); + socket.connect(); + + assertTrue(engineHandshakeDone.await(20, TimeUnit.SECONDS), + () -> "Engine.IO handshake did not complete: " + connectError.get()); + assertNull(connectError.get(), () -> "connect_error: " + connectError.get()); + assertTrue(serverReceivedHello.await(15, TimeUnit.SECONDS), "server did not receive hello event"); + assertTrue(clientReceivedAck.await(15, TimeUnit.SECONDS), "client did not receive ack"); + } finally { + socket.disconnect(); + } + } + + @Test + public void shouldReceiveHelloEventAndAckOverPlainPollingFromJavaClient() throws Exception { + CountDownLatch serverReceivedHello = new CountDownLatch(1); + CountDownLatch clientReceivedAck = new CountDownLatch(1); + CountDownLatch engineHandshakeDone = new CountDownLatch(1); + AtomicReference connectError = new AtomicReference<>(); + + server = startServer(0, null, serverReceivedHello); + int port = awaitBoundPort(server); + assertTrue(port > 0, "server did not bind an ephemeral port"); + + IO.Options opts = new IO.Options(); + opts.forceNew = true; + opts.reconnection = false; + opts.transports = new String[] { "polling" }; + + Socket socket = IO.socket("http://127.0.0.1:" + port, opts); + try { + socket.on(Socket.EVENT_CONNECT_ERROR, args -> { + Object first = args.length > 0 ? args[0] : null; + if (first instanceof Throwable) { + connectError.set((Throwable) first); + } else { + connectError.set(new IllegalStateException(String.valueOf(first))); + } + engineHandshakeDone.countDown(); + }); + socket.on(Socket.EVENT_CONNECT, args -> { + try { + JSONObject payload = new JSONObject(); + payload.put("a", 1); + socket.emit("hello", payload, (Ack) ackArgs -> { + if (ackArgs.length > 0 && "ok".equals(String.valueOf(ackArgs[0]))) { + clientReceivedAck.countDown(); + } + }); + } catch (Exception e) { + connectError.set(e); + } finally { + engineHandshakeDone.countDown(); + } + }); + socket.connect(); + + assertTrue(engineHandshakeDone.await(20, TimeUnit.SECONDS), + () -> "Engine.IO handshake did not complete: " + connectError.get()); + assertNull(connectError.get(), () -> "connect_error: " + connectError.get()); + assertTrue(serverReceivedHello.await(15, TimeUnit.SECONDS), "server did not receive hello event"); + assertTrue(clientReceivedAck.await(15, TimeUnit.SECONDS), "client did not receive ack"); + } finally { + socket.disconnect(); + } + } + private SocketIOServer startServer(int port, SocketSslConfig ssl, CountDownLatch hello) { return startServer(port, ssl, hello, false); } From 4e21900b8252f9b821ea6db7ae6988d944dee75f Mon Sep 17 00:00:00 2001 From: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Date: Fri, 3 Apr 2026 14:46:10 +0800 Subject: [PATCH 9/9] fix(ssl): fix new keystore mechanism tests Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> --- .../starter/config/SocketIOOriginConfigurationTest.java | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/netty-socketio-spring-boot-starter/src/test/java/com/socketio4j/socketio/test/spring/boot/starter/config/SocketIOOriginConfigurationTest.java b/netty-socketio-spring-boot-starter/src/test/java/com/socketio4j/socketio/test/spring/boot/starter/config/SocketIOOriginConfigurationTest.java index 4918911e..186c078a 100644 --- a/netty-socketio-spring-boot-starter/src/test/java/com/socketio4j/socketio/test/spring/boot/starter/config/SocketIOOriginConfigurationTest.java +++ b/netty-socketio-spring-boot-starter/src/test/java/com/socketio4j/socketio/test/spring/boot/starter/config/SocketIOOriginConfigurationTest.java @@ -34,10 +34,11 @@ import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertTrue; @DisplayName("Test for Socket.IO configuration properties") public class SocketIOOriginConfigurationTest extends BaseSpringApplicationTest { - private static final int PORT = 9090; + private static final int PORT = 19090; private static final int MAX_HEADER_SIZE = 1024; private static final boolean TCP_KEEP_ALIVE = true; @@ -149,7 +150,8 @@ public void testSocketConfigProperties() { @Test @DisplayName("Test SSL configuration properties") public void testSslConfigProperties() { - assertNotNull(nettySocketIOSslConfigProperties.getKeyStore(), "Key store should be loaded"); + assertTrue(nettySocketIOSslConfigProperties.hasKeyStore(), + "Key store should be configured (stream may be null after TLS material is buffered on server start)"); assertNotNull(nettySocketIOSslConfigProperties.getKeyStorePassword(), "Key store password should be loaded"); SocketSslConfig socketSslConfig = new SocketSslConfig();