RFR: 8262880: Add support for the NSS Key Log Format for SSL/TLS keys

Sean Mullan mullan at openjdk.java.net
Fri Mar 19 12:48:43 UTC 2021


On Thu, 18 Mar 2021 21:26:28 GMT, SalusaSecondus <github.com+829871+SalusaSecondus at openjdk.org> wrote:

>> It is not good practice to leave secret information in the debug log. Also, it may not be good practice to introduce a new logger format, including file and NSS format, into the SSLLogger. Someone may also want to introduce a log format for MSS or XSS as well. Instead, please consider making use of the features of Java Logger if you want to write the log to files, or use any special format.
>
> @XueleiFan I'd really like to move this forward but I'm uncertain what changes you want me to make. This extra debugging information will be very valuable to those of us debugging Java TLS connections.

I am also not comfortable adding this feature to the JDK, especially since every build of the JDK would by default have this feature enabled. Logging sensitive information to log files is not good security practice (there are many references I could cite). I also think it would be too easy to accidentally leave the system property enabled or forget to remove the file.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2896


