RFR: 8044609: javax.net.debug options not working and documented as expected [v19]
Sean Coffey
coffeys at openjdk.org
Tue Sep 2 14:33:55 UTC 2025
On Mon, 1 Sep 2025 23:33:43 GMT, Bradford Wetmore <wetmore at openjdk.org> wrote:
>> Sean Coffey has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Initial review comments from Brad
>
> src/java.base/share/classes/sun/security/ssl/Alert.java line 228:
>
>> 226: public void consume(ConnectionContext context,
>> 227: ByteBuffer m) throws IOException {
>> 228: TransportContext tc = (TransportContext)context;
>
> Copyright updates throughout.
>
> I won't call out all cases, but noticed `Alert.java`, `AlpnExtension.java`, `CertificateAuthrotiesExtension.java`. Some of these may have been done in 2024 in earlier versions of this PR (sorry!), but some are earlier (2023, 2022, etc.)
Scanned all updated files - I think I should have them all with 2025 now.
> src/java.base/share/classes/sun/security/ssl/Alert.java line 231:
>
>> 229:
>> 230: AlertMessage am = new AlertMessage(tc, m);
>> 231: if (SSLLogger.logging && SSLLogger.isOn(SSLLogger.Opt.SSL)) {
>
> You're likely doing a line-line update, but in earlier discussions, we talked about not having `ssl` be a filter category on of its own? Did you decide not to got that route?
>
> That is, every call site should be some concrete enum value like `Opt.HANDSHAKE` and not a general `Opt.SSL`? For example: `Alert.java` and `SSLCipher.java`.
>
> This is more of a conversation starter than a request for change.
>
> There are some like the `Alert.java` sites that need to be assigned into the `Opt.HANDSHAKE` handshake category, but configuration items in `SSLCipher.java` don't fall cleanly into any existing category. We could have a config category, but maybe it is better to just leave as `ssl`?
>
>> ./Alert.java
>> ./DTLSInputRecord.java
>> ./DTLSOutputRecord.java
>> ./HandshakeOutStream.java
>> ./KeyUpdate.java
>> ./NamedGroup.java
>> ./OutputRecord.java
>> ./SessionTicketExtension.java
>> ./SSLCipher.java
>> ./SSLEngineImpl.java
>> ./SSLEngineOutputRecord.java
>> ./SSLSessionContextImpl.java
>> ./SSLSocketImpl.java
>> ./SSLSocketOutputRecord.java
>> ./SSLTransport.java
>> ./TransportContext.java
>> ./Utilities.java
>> ./X509Authentication.java
>
>
> Thoughts?
Yes - For the refactoring of the component values in calling code, I pretty much stuck to what was already there. I think allowing code to call via the Opt.SSL value is ok - some TLS code is generic to all components. *like TLS configuration data perhaps)
Yes - some calls probably deserve to be tidied off to a specific filter value - probably best for a follow on JBS issue.
> src/java.base/share/classes/sun/security/ssl/CertificateRequest.java line 815:
>
>> 813: hc.peerRequestedSignatureSchemes, // a CertificateVerify message later
>> 814: ka, hc.negotiatedProtocol) != null
>> 815: || SSLLogger.logWarning(SSLLogger.Opt.HANDSHAKE,
>
> <=80.
>
> Would you mind tweaking the area around this too? Thanks!
done
> src/java.base/share/classes/sun/security/ssl/ClientHello.java line 434:
>
>> 432: session = null;
>> 433: if (SSLLogger.logging &&
>> 434: SSLLogger.isOn(SSLLogger.Opt.HANDSHAKE_VERBOSE)) {
>
> Not your fault, but I'm not sure I like this as a verbose message.
In agreement. This sort of message strikes me as more in the `HANDSHAKE `category
Will I log a follow on JBS issue to have all call sites of `Opt `examined ?
> src/java.base/share/classes/sun/security/ssl/SSLLogger.java line 79:
>
>> 77: help();
>> 78: }
>> 79: logger = new SSLConsoleLogger("javax.net.ssl", p);
>
> Would you mind adding a comment that this takes care of the `expand` keyword, as all of the other options are processed in the new way? Thanks.
I've added a comment and tweaked the code here. We can pass boolean in SSLConsoleLogger constructor call
> src/java.base/share/classes/sun/security/ssl/SSLLogger.java line 128:
>
>> 126: // javax.net.debug would be misconfigured property with respect
>> 127: // to logging if value didn't contain "all" or "ssl"
>> 128: logging = Opt.ALL.on || Opt.SSL.on;
>
> I don't have a strong feeling about this either way, but a usage question here.
>
> If they have specified some args but not `ssl`. e.g.
>
> -Djavax.net.debug=trustmanager,keymanager
>
> Should we:
>
> 1. quietly ignore as this is are doing
> 2. output a single log message saying logging is disabled.
> 3. a fatal error
I'm leaning towards option 1. no logging gets enabled in misconfigured values. I've test code covering this scenario.
option 2 might be useful and if there's a strong desire for that, perhaps we can alter in follow on JDK issue.
option 3 sounds a bit heavy handed, Don't think we need to have a fatal error. Also, since the load time for loading SSLLogger is variable, it could be dangerous (e.g. app runs fine for 1st 10 mins and then trigger an error etc)
> src/java.base/share/classes/sun/security/ssl/SSLLogger.java line 210:
>
>> 208: System.err.println("\tdefaultctx print default SSL initialization");
>> 209: System.err.println("\thandshake print each handshake message");
>> 210: System.err.println("\t verbose verbose handshake" +
>
> This line in particular is lining up pretty ragged in the actual output. Even in the github editor, it looks off due to the variable width fonts. Maybe we can use tabs to help? e.g. the current:
>
> handshake print each handshake message
> verbose verbose handshake message printing (widens handshake)
> keymanager print key manager tracing
> record enable per-record tracing
> plaintext hex dump of record plaintext (widens record)
> packet print raw SSL/TLS packets (widens record)
>
> vs.
>
> System.err.println("\tdefaultctx\tprint default SSL initialization");
> System.err.println("\thandshake\tprint each handshake message");
> System.err.println("\t\tverbose\tverbose handshake" +
> " message printing (widens handshake)");
Fair point. the tab approach crossed my mind yesterday but I stuck with original design. Just tried with tabs but it was quite ugly (too many spaces) - I've used the printf functionality. how does this look ?
help print this help message and exit
expand expanded (less compact) output format
all turn on all debugging
ssl turn on ssl debugging
The following filters can be used with ssl:
defaultctx print default SSL initialization
handshake print each handshake message
verbose -verbose handshake message printing (widens handshake)
keymanager print key manager tracing
record enable per-record tracing
packet -print raw SSL/TLS packets (widens record)
plaintext -hex dump of record plaintext (widens record)
respmgr print OCSP response tracing
session print session activity
sessioncache print session cache tracing
sslctx print SSLContext tracing
trustmanager print trust manager tracing
> src/java.base/share/classes/sun/security/ssl/SSLLogger.java line 216:
>
>> 214: System.err.println("\t plaintext hex dump of record" +
>> 215: " plaintext (widens record)");
>> 216: System.err.println("\t packet print raw SSL/TLS" +
>
> Order `packet` before `plaintext`?
fixed. thanks!
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18764#discussion_r2316095683
PR Review Comment: https://git.openjdk.org/jdk/pull/18764#discussion_r2316093383
PR Review Comment: https://git.openjdk.org/jdk/pull/18764#discussion_r2316110651
PR Review Comment: https://git.openjdk.org/jdk/pull/18764#discussion_r2316277275
PR Review Comment: https://git.openjdk.org/jdk/pull/18764#discussion_r2315725718
PR Review Comment: https://git.openjdk.org/jdk/pull/18764#discussion_r2315735365
PR Review Comment: https://git.openjdk.org/jdk/pull/18764#discussion_r2316085193
PR Review Comment: https://git.openjdk.org/jdk/pull/18764#discussion_r2316086202
More information about the security-dev
mailing list