RFR: 8312383: Improve SSL debug log

Sean Coffey coffeys at openjdk.org
Wed Feb 7 14:21:53 UTC 2024 

On Wed, 7 Feb 2024 06:36:10 GMT, Prajwal Kumaraswamy <pkumaraswamy at openjdk.org> wrote:

> During the time of server certificate validation, users have the flexibility to use a custom X509 Key Manager implementation by extending "X509ExtendedKeyManager.".
> In such cases, printing the class name in X509Authentication.java will be helpful to trace any failure of the SSL connection due to a certificate issue.
> 
> I've tested the code by running the custom X509 manager, the default X509 manager, and passing the null key manager.
> The screen shots are attached here.
> [x509_screen_shot_testing.zip](https://github.com/openjdk/jdk/files/14189852/x509_screen_shot_testing.zip)
> 
> Also, the internal test runs against this fix are green



src/java.base/share/classes/sun/security/ssl/X509Authentication.java line 205:

> 203:         X509ExtendedKeyManager km = chc.sslContext.getX509KeyManager();
> 204:         if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
> 205:             SSLLogger.finest("X509ExtendedKeyManager being used: " +

Could the JBS title be made more descriptive ? It's quite vague.

I wonder if "X509KeyManager class: " would be better for displaying.

`createServerPossession` would also benefit from this logging enhancement. I wonder if this belongs in logging during SSLContext creation time instead. Other security-dev engineers may have opinion on that.

IIRC, there's another issue open where we iterate over the certificate contexts of custom tm/km types. The JDK src does it at the moment for the default tm/km but no output given for custom impl. Will be good to have that tied up at some stage also.

src/java.base/share/classes/sun/security/ssl/X509Authentication.java line 206:

> 204:         if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
> 205:             SSLLogger.finest("X509ExtendedKeyManager being used: " +
> 206:                     (km == null ? "null" : km.getClass().getName()));

do you need to cater for null ? I thought a Dummy manager is returned in such scenarios.

-------------

PR Review: https://git.openjdk.org/jdk/pull/17742#pullrequestreview-1867928511
PR Review Comment: https://git.openjdk.org/jdk/pull/17742#discussion_r1481545987
PR Review Comment: https://git.openjdk.org/jdk/pull/17742#discussion_r1481546624

More information about the security-dev mailing list