RFR: 8044609: javax.net.debug options not working and documented as expected [v19]
Bradford Wetmore
wetmore at openjdk.org
Fri Sep 12 18:42:41 UTC 2025
On Tue, 2 Sep 2025 11:00:08 GMT, Sean Coffey <coffeys at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/ssl/SSLLogger.java line 128:
>>
>>> 126: // javax.net.debug would be misconfigured property with respect
>>> 127: // to logging if value didn't contain "all" or "ssl"
>>> 128: logging = Opt.ALL.on || Opt.SSL.on;
>>
>> I don't have a strong feeling about this either way, but a usage question here.
>>
>> If they have specified some args but not `ssl`. e.g.
>>
>> -Djavax.net.debug=trustmanager,keymanager
>>
>> Should we:
>>
>> 1. quietly ignore as this is doing
>> 2. output a single log message saying logging is disabled.
>> 3. a fatal error
>
> I'm leaning towards option 1. No logging gets enabled for misconfigured values. I've test code covering this scenario.
>
> Option 2 might be useful and if there's a strong desire for that, perhaps we can alter in a follow-on JDK issue.
> Option 3 sounds a bit heavy-handed. Don't think we need to have a fatal error. Also, since the load time for loading SSLLogger is variable, it could be dangerous (e.g. app runs fine for 1st 10 mins and then triggers an error, etc.).
I am fine with #1. We'll see if anyone requests. Just wanted to bring it up as an option.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18764#discussion_r2342660580
More information about the security-dev mailing list