[9] request for review: 8055207: keystore and truststore debug output could be much better
Vincent Ryan
vincent.x.ryan at oracle.com
Fri Aug 22 10:47:09 UTC 2014
It's probably not obvious from the log that a TLS CertificateRequest
message is a request from the server for the client to supply its
authentication credentials. The client can comply, by returning its
certificate chain, or it can decline, by returning an empty certificate
chain.
Although a server has requested client authentication it may choose to
continue with the handshake even if the client has declined its request.
I'll add additional server-side and client-side log messages to clarify.
On 21/08/2014 22:38, Seán Coffey wrote:
> Looks good Vinnie. Thanks for handling this. One more comment from me..
> I recently worked with a group who were reading the verbose security
> messages when trying to debug an SSL connection issue. They weren't sure
> if two-way SSL authentication was set up between the server and client.
> Could we make the debug output a bit more obvious on that end also? I
> parsed the full debug logs from the connection issue above and neither
> "client authentication" nor "clientauthentication" appears in them (even
> though it was in use).
>
> see line 1446 :
> http://cr.openjdk.java.net/~vinnie/8055207/webrev.00/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java.html
>
>
>> s.println("*** CertificateRequest");
> To me this looks like the start of the client authentication request
> phase. Could we make the message more informative? Perhaps something
> like "*** CertificateRequest. Begin client authentication"
>
> Is that the only time such a message can be printed?
>
> regards,
> Sean.
>
> On 21/08/2014 18:29, Vincent Ryan wrote:
>> Please review this trivial enhancement to JSSE to warn when TLS client
>> authentication cannot be completed
>> because of difficulty locating a suitable client certificate.
>> (Keystore file paths are already displayed by JSSE, when known)
>>
>> This is useful to help troubleshoot configuration issues related to
>> keystores and truststores.
>> Thanks.
>>
>>
>> Webrev: http://cr.openjdk.java.net/~vinnie/8055207/webrev.00/
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8055207
>
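The behaviour discussed in this thread (a server sends CertificateRequest, the client may decline, and the server may continue anyway), as an added example that is not part of the original messages or of the JDK change under review. It uses the standard JSSE calls `setWantClientAuth`, `setNeedClientAuth` and `SSLSession.getPeerCertificates` to report whether two-way authentication actually took place; the class name `ClientAuthCheck`, the default port 8443 and the `need` argument are assumptions, and the server key and trust material are assumed to be supplied through the usual `javax.net.ssl.keyStore` and `javax.net.ssl.trustStore` system properties.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

// Hypothetical demo class: accepts one TLS connection and reports client-auth status.
public class ClientAuthCheck {

    // An established session only proves the handshake finished; it does not
    // prove the client answered the CertificateRequest with a real chain.
    static String describePeer(SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length > 0 && chain[0] instanceof X509Certificate) {
                X509Certificate leaf = (X509Certificate) chain[0];
                return "client authenticated as " + leaf.getSubjectX500Principal().getName();
            }
            return "client authenticated (non-X.509 chain)";
        } catch (SSLPeerUnverifiedException e) {
            // Thrown when the peer's identity was not established, e.g. the
            // client returned an empty certificate chain and the server went on.
            return "client NOT authenticated (no certificate chain presented)";
        }
    }

    public static void main(String[] args) throws IOException {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 8443; // assumed port
        boolean require = args.length > 1 && args[1].equals("need");
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port)) {
            // "want": request a certificate but continue if the client declines.
            // "need": request a certificate and abort the handshake without one.
            if (require) server.setNeedClientAuth(true); else server.setWantClientAuth(true);
            try (SSLSocket socket = (SSLSocket) server.accept()) {
                socket.startHandshake();
                System.out.println(describePeer(socket.getSession()));
            } catch (SSLHandshakeException e) {
                System.out.println("handshake failed: " + e.getMessage());
            }
        }
    }
}
```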