RFR: 8044609: javax.net.debug options not working and documented as expected [v28]
Bradford Wetmore
wetmore at openjdk.org
Thu Feb 5 20:53:21 UTC 2026
On Thu, 5 Feb 2026 14:11:36 GMT, Sean Coffey <coffeys at openjdk.org> wrote:
>> The `javax.net.debug` TLS debug option is buggy since TLSv1.3 implementation was introduced many years ago.
>>
>> Where "ssl" was previously a value to obtain all TLS debug traces (except network type dumps, verbose data), it now prints only a few lines for a standard client TLS connection.
>>
>> The property parsing was also lax and allowed users to declare verbose logging options by themselves where the documentation stated that such verbose options were only meant to be used in conjunction with other TLS options :
>>
>>
>> System.err.println("help print the help messages");
>> System.err.println("expand expand debugging information");
>> System.err.println();
>> System.err.println("all turn on all debugging");
>> System.err.println("ssl turn on ssl debugging");
>> System.err.println();
>> System.err.println("The following can be used with ssl:");
>> System.err.println("\trecord enable per-record tracing");
>> System.err.println("\thandshake print each handshake message");
>> System.err.println("\tkeygen print key generation data");
>> System.err.println("\tsession print session activity");
>> System.err.println("\tdefaultctx print default SSL initialization");
>> System.err.println("\tsslctx print SSLContext tracing");
>> System.err.println("\tsessioncache print session cache tracing");
>> System.err.println("\tkeymanager print key manager tracing");
>> System.err.println("\ttrustmanager print trust manager tracing");
>> System.err.println("\tpluggability print pluggability tracing");
>> System.err.println();
>> System.err.println("\thandshake debugging can be widened with:");
>> System.err.println("\tdata hex dump of each handshake message");
>> System.err.println("\tverbose verbose handshake message printing");
>> System.err.println();
>> System.err.println("\trecord debugging can be widened with:");
>> System.err.println("\tplaintext hex dump of record plaintext");
>> System.err.println("\tpacket print raw SSL/TLS packets");
>>
>>
>> as part of this patch, I've also moved the log call to the more performant friendly `System.Logger#log(java.lang.System.Logger.Level,java.util.function.Supplier)` method.
>>
>> the output has changed slightly with respect to that - less verbose
>>
>> e.g. old...
>
> Sean Coffey has updated the pull request incrementally with one additional commit since the last revision:
>
> Further review comments from Brad
This is probably the last couple comments.
Thanks for addressing the merge issue!
src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java line 36:
> 34: import javax.net.ssl.SSLProtocolException;
> 35: import sun.security.ssl.SSLCipher.SSLReadCipher;
> 36: import static sun.security.ssl.SSLLogger.Opt.*;
Ugh...have to say I preferred the old style:
`SSLLogger.isOn(SSLLogger.Opt.____)`
Nothing technically wrong, just a personal preference, but the old way made it quick/easy to search for the various `Opt.*` values.
`grep SSL *` would get you many unrelated, vs `grep SSLLogger.Opt.SSL *`.
src/java.base/share/classes/sun/security/ssl/SSLLogger.java line 238:
> 236: " all non-widening filters are enabled.%n");
> 237: System.err.printf("%nSpecifying filter options with \"ssl\"" +
> 238: " includes messages for the selected categories, as well" +
Maybe:
`Specifying "ssl" with additional filter options produces the general SSL debug messages plus just the selected categories.`
Also, maybe add a`\n` after "selected"? It's very long on a 80 char screen.
-------------
PR Review: https://git.openjdk.org/jdk/pull/18764#pullrequestreview-3759304325
PR Review Comment: https://git.openjdk.org/jdk/pull/18764#discussion_r2771027880
PR Review Comment: https://git.openjdk.org/jdk/pull/18764#discussion_r2771063281
More information about the security-dev
mailing list