From 339ccee8a07ec0a8b3dede591fd1ae9cc648d3fd Mon Sep 17 00:00:00 2001
From: Carter Kozak
Date: Sun, 29 Nov 2020 11:47:51 -0500
Subject: [PATCH 1/2] Reduce the client TLS session cache size

We've seen heap dumps with ~500mb of tls session cache despite an expectation that connections are reused. These large session caches seem to show that we are creating new sessions anyhow, so there's little point in caching old data.
---
 .../dialogue/clients/AugmentClientConfig.java | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/dialogue-clients/src/main/java/com/palantir/dialogue/clients/AugmentClientConfig.java b/dialogue-clients/src/main/java/com/palantir/dialogue/clients/AugmentClientConfig.java
index de1a54418..9ef88309a 100644
--- a/dialogue-clients/src/main/java/com/palantir/dialogue/clients/AugmentClientConfig.java
+++ b/dialogue-clients/src/main/java/com/palantir/dialogue/clients/AugmentClientConfig.java
@@ -27,6 +27,7 @@ import com.palantir.tritium.metrics.registry.TaggedMetricRegistry;
 import java.security.Provider;
 import java.util.Optional;
+import javax.net.ssl.SSLContext;
 import org.immutables.value.Value;
 
 /**
@@ -64,13 +65,19 @@ static ClientConfiguration getClientConf(ServiceConfiguration serviceConfig, Aug
         ClientConfiguration.Builder builder =
                 ClientConfiguration.builder().from(ClientConfigurations.of(serviceConfig));
 
+        SSLContext context = augment.securityProvider()
+                .map(provider -> SslSocketFactories.createSslContext(serviceConfig.security(), provider))
+                .orElseGet(() -> SslSocketFactories.createSslContext(serviceConfig.security()));
+        // Reduce the session cache size for clients. We expect TLS connections to be reused, thus the cache isn't
+        // terribly important.
+        context.getClientSessionContext().setSessionCacheSize(100);
+        builder.sslSocketFactory(context.getSocketFactory());
+
         if (!serviceConfig.maxNumRetries().isPresent()) {
             augment.maxNumRetries().ifPresent(builder::maxNumRetries);
         }
 
         if (augment.securityProvider().isPresent()) {
-            builder.sslSocketFactory(SslSocketFactories.createSslSocketFactory(
-                    serviceConfig.security(), augment.securityProvider().get()));
             // Opt into GCM when custom providers (Conscrypt) is used.
             builder.enableGcmCipherSuites(true);
         }

From b9fdf1119ed0de5b5c609a1794e10af88d40810a Mon Sep 17 00:00:00 2001
From: Carter Kozak
Date: Sun, 29 Nov 2020 16:47:51 +0000
Subject: [PATCH 2/2] Add generated changelog entries

---
 changelog/@unreleased/pr-1067.v2.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 changelog/@unreleased/pr-1067.v2.yml

diff --git a/changelog/@unreleased/pr-1067.v2.yml b/changelog/@unreleased/pr-1067.v2.yml
new file mode 100644
index 000000000..7c0b4f66f
--- /dev/null
+++ b/changelog/@unreleased/pr-1067.v2.yml
@@ -0,0 +1,5 @@
+type: improvement
+improvement:
+  description: Reduce the client TLS session cache size
+  links:
+  - https://github.com/palantir/dialogue/pull/1067
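Review bot: `context.getClientSessionContext()` is dereferenced unconditionally on the new `setSessionCacheSize(100)` line, but the `SSLContext` Javadoc documents that the client session context may be unavailable in some environments and returned as null, and this hunk also routes the custom-provider (Conscrypt) path through the same call; guard it with `SSLSessionContext sessions = context.getClientSessionContext();` / `if (sessions != null) {` / `sessions.setSessionCacheSize(CLIENT_SESSION_CACHE_SIZE); }` (adding `import javax.net.ssl.SSLSessionContext;` alongside the new SSLContext import). The literal 100 should be a named `private static final int CLIENT_SESSION_CACHE_SIZE = 100;` so the bound is discoverable and tunable in one place. The added comment also gives a rationale ("connections are reused, so the cache isn't important") that differs from the commit message, which says the large caches indicate sessions are not being reused; the comment should carry the observed motivation, e.g. `// Bound the TLS session cache: heap dumps showed hundreds of MB of cached sessions that were not being resumed.` Note that a small cache only bounds memory; it does not change the cache timeout, which remains the provider default. The enclosing getClientConf method starts and ends outside the hunk.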