RFR: 8133816: Display extra SSLServerSocket info in debug mode [v3]

Xue-Lei Andrew Fan xuelei at openjdk.org
Wed Aug 24 22:04:34 UTC 2022


On Wed, 24 Aug 2022 20:38:07 GMT, Weibing Xiao <duke at openjdk.org> wrote:

>> Thanks for the comments.  I'm not sure if it is really helpful for developers to understand and debug the failure by reading the additionally dumped cipher suites and/or key exchange configuration.  Given the server cipher suites TLS_AES_128_GCM_SHA256, can one really know the failure reason exactly?
>
> The cipher suite enabled on the server side is not logged when the "no common in cipher suites" error is thrown. Hope the developer could find the difference in the cipher suites between client and server.

Even if the cipher suites are the same between client and server, it may still fail with the "no common in cipher suites" error.  The cause of the bug is not only about "no common in cipher suites" between client and server, but also about the cases where the server cannot negotiate any of the common cipher suites because of other facts.  If the cause is only about "no common in cipher suites", I don't think we need a fix, as the message already tells the story.

It is not objected that cipher suite should not be logged.  The question raised here is about when and how to log the cipher suite, and how to make the log easier to read and easier to debug.

-------------

PR: https://git.openjdk.org/jdk/pull/9731
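
The case described in the reply above, as an added example that is not part of the original message or of the JDK change under review: client and server enable the identical suite list, yet the server cannot negotiate it. The chosen cause (a server `SSLContext` with no key material), the suite, the protocol and the class name are assumptions picked for illustration.

```java
import javax.net.ssl.*;
import java.io.IOException;

public class SameSuitesStillFail {
    // Identical configuration on both sides (constructed for this example).
    static final String[] SUITES = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"};
    static final String[] PROTOCOLS = {"TLSv1.2"};

    public static void main(String[] args) throws Exception {
        // Server context with no key managers: it holds no RSA certificate,
        // so it cannot authenticate with the ECDHE_RSA suite it has enabled.
        SSLContext serverCtx = SSLContext.getInstance("TLS");
        serverCtx.init(new KeyManager[0], null, null);

        try (SSLServerSocket server = (SSLServerSocket)
                serverCtx.getServerSocketFactory().createServerSocket(0)) {
            server.setEnabledCipherSuites(SUITES);
            server.setEnabledProtocols(PROTOCOLS);
            int port = server.getLocalPort();

            Thread client = new Thread(() -> {
                SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
                try (SSLSocket s = (SSLSocket) f.createSocket("localhost", port)) {
                    s.setEnabledCipherSuites(SUITES);
                    s.setEnabledProtocols(PROTOCOLS);
                    s.startHandshake();
                } catch (IOException e) {
                    System.out.println("client: " + e.getMessage());
                }
            });
            client.start();

            try (SSLSocket s = (SSLSocket) server.accept()) {
                // Both lists match, but the handshake is still rejected here.
                System.out.println("server enabled: "
                        + String.join(",", s.getEnabledCipherSuites()));
                s.startHandshake();
            } catch (IOException e) {
                System.out.println("server: " + e.getMessage());
            }
            client.join();
        }
    }
}
```

Running it with `-Djavax.net.debug=ssl:handshake` shows what the existing debug output reports for this failure.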


