RFR: 8312383: Improve SSL debug log
Prajwal Kumaraswamy
pkumaraswamy at openjdk.org
Wed Feb 7 14:38:53 UTC 2024
On Wed, 7 Feb 2024 14:19:27 GMT, Sean Coffey <coffeys at openjdk.org> wrote:
>> During the time of server certificate validation, users have the flexibility to use a custom X509 Key Manager implementation by extending "X509ExtendedKeyManager.".
>> In such cases, printing the class name in X509Authentication.java will be helpful to trace any failure of the SSL connection due to a certificate issue.
>>
>> I've tested the code by running the custom X509 manager, the default X509 manager, and passing the null key manager.
>> The screen shots are attached here.
>> [x509_screen_shot_testing.zip](https://github.com/openjdk/jdk/files/14189852/x509_screen_shot_testing.zip)
>>
>> Also, the internal test runs against this fix are green
>
> src/java.base/share/classes/sun/security/ssl/X509Authentication.java line 206:
>
>> 204: if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
>> 205: SSLLogger.finest("X509ExtendedKeyManager being used: " +
>> 206: (km == null ? "null" : km.getClass().getName()));
>
> do you need to cater for null ? I thought a Dummy manager is returned in such scenarios.
No, I did verify that it always returns Dummy Manager even when key manager is initialized as null. I have added this as a safety net. I'll remove this.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/17742#discussion_r1481572517
More information about the security-dev
mailing list