RFR: 8262880: Add support for the NSS Key Log Format for SSL/TLS keys

SalusaSecondus github.com+829871+salusasecondus at openjdk.java.net
Thu Mar 11 18:43:06 UTC 2021


On Thu, 11 Mar 2021 18:33:07 GMT, Volker Simonis <simonis at openjdk.org> wrote:

>> It is not good practice to leave secret information in a debug log. Also, it may not be good practice to introduce new logger formats, including file and NSS format, into the SSLLogger.  Someone also may want to introduce a log format for MSS or XSS as well. Instead, please consider making use of the features of Java Logger if you want to write the log to files, or use any special format.
>
> I'm happy to create a CSR for this issue once the exact details of the option format have been figured out.

I am not familiar with either the MSS or XSS log formats and would be interested to see them. The NSS format is a de facto industry standard and already supported by many libraries (both producers and consumers) and thus used widely in the security industry. Most other uses that I can find take this similar pattern of providing a file name to the TLS logic and then getting the key log (in this format) written to that file.

I agree completely that logging secret information is dangerous and should almost never be done. That is why it has to be explicitly enabled (unlike most of the other `javax.net.debug` options) and another reason it is not commingled with the other logging output.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2896
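The NSS Key Log Format referred to in the thread is a plain-text file of `LABEL <client_random hex> <secret hex>` lines, with `#` comments. The following is an added example, not code from the PR or from the JDK: a consumer-side parser and validator for that format in Python, plus a summary and a redaction helper that let an operator audit or share such a file without exposing the secrets it contains. The label set and field lengths (32-byte client random; 48-byte master secret for `CLIENT_RANDOM`; 32- or 48-byte per-stage secrets for the TLS 1.3 labels, matching the SHA-256/SHA-384 hash output) are taken from the published format; the sample file is constructed and contains no real keys.

```python
"""Parser, validator and redactor for NSS Key Log Format (SSLKEYLOGFILE) lines.

Added example; not part of the JDK or of openjdk/jdk PR 2896.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

CLIENT_RANDOM_LEN = 32          # the ClientHello random is always 32 bytes
MASTER_SECRET_LEN = 48          # TLS 1.2 master secret recorded under CLIENT_RANDOM
TLS13_SECRET_LENS = (32, 48)    # TLS 1.3 secrets are one hash output: SHA-256 or SHA-384
TLS13_LABELS = frozenset({
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
})
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


@dataclass(frozen=True)
class KeyLogEntry:
    label: str
    client_random: bytes
    secret: bytes


def parse_line(line: str) -> Optional[KeyLogEntry]:
    """Parse one key log line.

    Returns None for blank lines and '#' comments; raises ValueError for a
    line that does not match the format (wrong field count, non-hex data,
    unknown label, or a secret whose length is impossible for that label).
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split()
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields, got {len(parts)}")
    label, random_hex, secret_hex = parts
    if not (HEX_RE.match(random_hex) and HEX_RE.match(secret_hex)):
        raise ValueError("client random and secret must be hex")
    client_random = bytes.fromhex(random_hex)   # raises ValueError on odd length
    secret = bytes.fromhex(secret_hex)
    if len(client_random) != CLIENT_RANDOM_LEN:
        raise ValueError(f"client random is {len(client_random)} bytes, expected {CLIENT_RANDOM_LEN}")
    if label == "CLIENT_RANDOM":
        if len(secret) != MASTER_SECRET_LEN:
            raise ValueError(f"master secret is {len(secret)} bytes, expected {MASTER_SECRET_LEN}")
    elif label in TLS13_LABELS:
        if len(secret) not in TLS13_SECRET_LENS:
            raise ValueError(f"TLS 1.3 secret is {len(secret)} bytes, expected one of {TLS13_SECRET_LENS}")
    else:
        raise ValueError(f"unknown label {label!r}")
    return KeyLogEntry(label, client_random, secret)


def parse_keylog(text: str) -> List[KeyLogEntry]:
    """Parse a whole key log file, reporting the line number of the first bad line."""
    entries: List[KeyLogEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if entry is not None:
            entries.append(entry)
    return entries


def summarize(entries: List[KeyLogEntry]) -> Dict[str, int]:
    """Count entries per label. Safe to log: it never touches secret material."""
    counts: Dict[str, int] = {}
    for entry in entries:
        counts[entry.label] = counts.get(entry.label, 0) + 1
    return counts


def redact_line(line: str) -> str:
    """Keep the label and client random (enough to correlate with a capture) and drop the secret."""
    entry = parse_line(line)
    if entry is None:
        return line
    return f"{entry.label} {entry.client_random.hex()} <redacted:{len(entry.secret)}-byte-secret>"


# Constructed sample file (not real keys): one TLS 1.2 session and one TLS 1.3 session.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, constructed sample",
    "CLIENT_RANDOM " + "a1b2c3d4" * 8 + " " + "deadbeef" * 12,
    "CLIENT_TRAFFIC_SECRET_0 " + "0badf00d" * 8 + " " + "0123456789abcdef" * 4,
    "SERVER_TRAFFIC_SECRET_0 " + "0badf00d" * 8 + " " + "fedcba9876543210" * 4,
])

if __name__ == "__main__":
    parsed = parse_keylog(SAMPLE_KEYLOG)
    print(summarize(parsed))
    for raw in SAMPLE_KEYLOG.splitlines():
        print(redact_line(raw))
```

`summarize` and `redact_line` are the two views an operator normally needs: the first to confirm that a file written by a producer such as the proposed JDK option actually contains entries for the expected sessions, the second to attach a key log to a bug report or ticket without shipping the secrets themselves. Because `parse_line` rejects wrong-length secrets, it also catches a producer that writes the wrong value under a label, which a consumer such as Wireshark would otherwise only report as a silent failure to decrypt.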


