RFR: 8044609: javax.net.debug options not working and documented as expected [v10]
Sean Coffey
coffeys at openjdk.org
Thu Nov 21 13:08:22 UTC 2024
On Thu, 21 Nov 2024 13:01:41 GMT, Sean Coffey <coffeys at openjdk.org> wrote:
>> The `javax.net.debug` TLS debug option is buggy since TLSv1.3 implementation was introduced many years ago.
>>
>> Where "ssl" was previously a value to obtain all TLS debug traces (except network type dumps, verbose data), it now prints only a few lines for a standard client TLS connection.
>>
>> The property parsing was also lax and allowed users to declare verbose logging options by themselves where the documentation stated that such verbose options were only meant to be used in conjunction with other TLS options :
>>
>>
>> System.err.println("help print the help messages");
>> System.err.println("expand expand debugging information");
>> System.err.println();
>> System.err.println("all turn on all debugging");
>> System.err.println("ssl turn on ssl debugging");
>> System.err.println();
>> System.err.println("The following can be used with ssl:");
>> System.err.println("\trecord enable per-record tracing");
>> System.err.println("\thandshake print each handshake message");
>> System.err.println("\tkeygen print key generation data");
>> System.err.println("\tsession print session activity");
>> System.err.println("\tdefaultctx print default SSL initialization");
>> System.err.println("\tsslctx print SSLContext tracing");
>> System.err.println("\tsessioncache print session cache tracing");
>> System.err.println("\tkeymanager print key manager tracing");
>> System.err.println("\ttrustmanager print trust manager tracing");
>> System.err.println("\tpluggability print pluggability tracing");
>> System.err.println();
>> System.err.println("\thandshake debugging can be widened with:");
>> System.err.println("\tdata hex dump of each handshake message");
>> System.err.println("\tverbose verbose handshake message printing");
>> System.err.println();
>> System.err.println("\trecord debugging can be widened with:");
>> System.err.println("\tplaintext hex dump of record plaintext");
>> System.err.println("\tpacket print raw SSL/TLS packets");
>>
>>
>> as part of this patch, I've also moved the log call to the more performant friendly `System.Logger#log(java.lang.System.Logger.Level,java.util.function.Supplier)` method.
>>
>> the output has changed slightly with respect to that - less verbose
>>
>> e.g. old...
>
> Sean Coffey has updated the pull request incrementally with one additional commit since the last revision:
>
> enum Options and logic
new changes pushed which use the enum design approach for component token management. The new test coverage has been very useful in helping me validate the changes.
after checking with Brad, `"javax.net.debug=ssl,typo"` type syntax will be allowed - it'll just ignore the unknown option and log as if "`ssl`" was specified.
Regards the sub-component options used in the security implementation classes, I think it's better to cover this work via JDK-8344158 where a full audit can be done. I've only updated logging values where an illegal string option was present. "`ssl`" was missing in a bunch of them. Having the logging call site have correct syntax helps to enforce the rules with various options.
logged https://bugs.openjdk.org/browse/JDK-8344685 to track your request to add back the `sessioncache `option
-------------
PR Comment: https://git.openjdk.org/jdk/pull/18764#issuecomment-2491097299
More information about the security-dev
mailing list