RFR: 8133816: Display extra SSLServerSocket info in debug mode [v3]
Sean Coffey
coffeys at openjdk.org
Thu Aug 25 20:03:09 UTC 2022
On Wed, 24 Aug 2022 21:59:59 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:
>> The cipher suites enabled on the server side are not logged when the "no common in cipher suites" error is thrown. Hopefully the developer could then find the difference in the cipher suites between client and server.
>
> Even if the cipher suites are the same between client and server, it may still fail with the "no common in cipher suites" error. The cause of the bug is not only about "no common in cipher suites" between client and server, but also about the cases where the server cannot negotiate any of the common cipher suites because of other factors. If the cause is only about "no common in cipher suites", I don't think we need a fix, as the message has been telling the story.
>
> There is no objection to the cipher suites being logged. The question raised here is about when and how to log the cipher suites, and how to make the log easier to read and easier to debug.
@XueleiFan - I think it's fair to say that the current "no cipher suites in common" exception message is misleading for some scenarios. If not misleading, it's ambiguous. You could be dealing with a simple scenario where the server socket simply has no enabled cipher suites to match those coming in from the ClientHello. In the more complex scenario, something else has caused the fatal issue, like a key exchange issue in TLSv1.2. With the new debug data, we have some extra data points, like the cipher suites actually enabled, the preference for client or server suites, etc. Coupled with the ClientHello data, I think it helps piece together a better idea of the server-side scenario.
I've no strong preference on how often we print this debug data on the server end. To cut back on log verbosity, perhaps printing it on fatal/failing handshake scenarios is all that's required.
If you feel strongly about printing debug data for each TLSServerSocket handshake, (including the extra data points that you've suggested) then please shout now. I do feel it'll add considerably to log size on busy TLS Servers.
-------------
PR: https://git.openjdk.org/jdk/pull/9731
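The two scenarios Sean distinguishes (a literal mismatch between the client's offered suites and the server's enabled suites, versus an intersection that exists but cannot be used because of the server's key type) can be reproduced offline with the data points the PR proposes to log. The following is an added example written for this page; it is not code from the JDK or from PR 9731. The class name, the `requiredKeyType` heuristic (which infers the authentication key type from the suite name) and the constructed ClientHello suite lists are assumptions made here. It creates a real `SSLServerSocket` only to read the server-side state (enabled suites and `useCipherSuitesOrder`); no handshake is performed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;

/**
 * Added diagnostic example (not part of the JDK PR). Given the suites a client
 * offered in its ClientHello and the suites enabled on the server socket, it
 * reports which of the two failure cases discussed above applies.
 */
public class SuiteMismatchDiagnostic {

    /**
     * Hypothetical helper: the server key type a suite needs for authentication,
     * inferred from the JSSE suite name. TLS 1.3 suites (no "_WITH_") do not
     * encode the authentication algorithm, so they work with any key type.
     */
    static String requiredKeyType(String suite) {
        if (!suite.contains("_WITH_")) return "ANY";
        if (suite.contains("_ECDSA_")) return "EC";
        if (suite.contains("_RSA_"))   return "RSA";
        return "OTHER"; // e.g. anonymous or PSK suites; not handled here
    }

    /**
     * Returns a human-readable diagnosis. serverKeyType is the algorithm of the
     * server's private key ("RSA" or "EC"); serverPreference mirrors
     * SSLParameters.getUseCipherSuitesOrder() and decides whose order is honoured.
     */
    static String diagnose(List<String> clientOffered, List<String> serverEnabled,
                           String serverKeyType, boolean serverPreference) {
        List<String> common = new ArrayList<>(serverPreference ? serverEnabled : clientOffered);
        common.retainAll(serverPreference ? clientOffered : serverEnabled);

        StringBuilder sb = new StringBuilder();
        sb.append("client offered:     ").append(clientOffered).append('\n');
        sb.append("server enabled:     ").append(serverEnabled).append('\n');
        sb.append("honor server order: ").append(serverPreference).append('\n');

        if (common.isEmpty()) {
            // Case 1: the literal "no cipher suites in common" situation.
            sb.append("result: no cipher suites in common (enabled lists are disjoint)");
            return sb.toString();
        }
        // Case 2: suites overlap, but the server cannot authenticate with any of them.
        List<String> usable = new ArrayList<>();
        for (String s : common) {
            String k = requiredKeyType(s);
            if (k.equals("ANY") || k.equals(serverKeyType)) usable.add(s);
        }
        if (usable.isEmpty()) {
            sb.append("result: common suites ").append(common)
              .append(" exist, but none is usable with a ").append(serverKeyType)
              .append(" server key (the same fatal alert would be raised)");
        } else {
            sb.append("result: negotiable, first usable suite in effective order: ").append(usable.get(0));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Read the real server-side state the PR proposes to log. A context with
        // no key manager is enough to inspect enabled suites; it cannot handshake.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        try (SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0)) {
            SSLParameters p = ss.getSSLParameters();
            List<String> serverEnabled = Arrays.asList(ss.getEnabledCipherSuites());
            boolean serverPreference = p.getUseCipherSuitesOrder();

            // Constructed ClientHello suite lists (not captured traffic).
            List<String> disjointClient = Arrays.asList("TLS_RSA_WITH_NULL_SHA256");
            List<String> ecdsaOnlyClient = Arrays.asList(
                    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");

            // Case 1: nothing the client offers is enabled on the server.
            System.out.println(diagnose(disjointClient, serverEnabled, "RSA", serverPreference));
            System.out.println();
            // Case 2: ECDSA suites are enabled on both sides, but the server key is RSA.
            System.out.println(diagnose(ecdsaOnlyClient, serverEnabled, "RSA", serverPreference));
        }
    }
}
```

Run it with `java SuiteMismatchDiagnostic.java` (JDK 11 or later). Adding `-Djavax.net.debug=ssl:handshake` does nothing here because no handshake happens; the point is that the same three data points the PR wants in the debug log (enabled suites, the client's offered suites, and the order preference) are enough to tell the two failure cases apart without a packet capture.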