On Thu, 11 Mar 2021 18:33:07 GMT, Volker Simonis <simo...@openjdk.org> wrote:

>> It is not good practice to leave secret information in a debug log. Also, it
>> may not be good practice to introduce a new logger format, including file
>> and NSS format, into the SSLLogger. Someone also may want to introduce a log
>> format for MSS or XSS as well. Instead, please consider making use of the
>> features of Java Logger if you want to write the log to files, or use any
>> special format.
>
> I'm happy to create a CSR for this issue once the exact details of the option
> format have been figured out.

I am not familiar with either the MSS or XSS log formats and would be interested to see them. The NSS format is a de facto industry standard and already supported by many libraries (both producers and consumers) and thus used widely in the security industry. Most other uses that I can find take this similar pattern of providing a file name to the TLS logic and then getting a key log (in this format) written to that file.

I agree completely that logging secret information is dangerous and should almost never be done. That is why it has to be explicitly enabled (unlike most of the other `javax.net.debug` options) and another reason it is not commingled with the other logging output.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2896
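As an added illustration that is not part of this thread or of the OpenJDK change: the NSS key log grammar the reply refers to (one entry per line: a label, the client random as 64 hex digits, and the secret as hex; `RSA` lines carry 16 hex digits in place of the client random), used here as a defender's check that no such entries have been commingled with ordinary debug output. The sample log lines are constructed and the secrets in them are dummy values.

```python
import re

# Labels defined by the NSS key log format (TLS 1.2 and TLS 1.3 entries).
NSS_LABELS = (
    "RSA",
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EARLY_EXPORTER_SECRET",
    "EXPORTER_SECRET",
)

# One entry: <label> <identifier hex> <secret hex>, whitespace separated.
_ENTRY_RE = re.compile(
    r"^(?P<label>[A-Z0-9_]+)\s+(?P<id>[0-9a-fA-F]+)\s+(?P<secret>[0-9a-fA-F]+)\s*$"
)

def parse_keylog_line(line):
    """Return (label, identifier_hex, secret_hex) for a well-formed NSS key log
    entry; None for blank lines, '#' comments, or anything that is not an entry."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = _ENTRY_RE.match(stripped)
    if m is None or m.group("label") not in NSS_LABELS:
        return None
    ident = m.group("id")
    # RSA entries identify the session by 8 bytes of the encrypted premaster
    # secret (16 hex digits); every other label uses the 32-byte client random.
    expected_len = 16 if m.group("label") == "RSA" else 64
    if len(ident) != expected_len:
        return None
    return m.group("label"), ident.lower(), m.group("secret").lower()

def find_leaked_secrets(log_lines):
    """Scan arbitrary log lines (e.g. a general debug log) and return
    (line_no, label) for every line that is a valid NSS key log entry.
    Any hit means TLS secrets were written alongside ordinary logging."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        entry = parse_keylog_line(line)
        if entry is not None:
            hits.append((n, entry[0]))
    return hits

# Constructed sample: three ordinary/malformed lines and two genuine-looking entries.
SAMPLE_LOG = [
    "javax.net.ssl|DEBUG|Produced ClientHello handshake message",  # constructed
    "# comment line written by a hypothetical key log producer",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,               # dummy secret
    "CLIENT_RANDOM deadbeef 00",                                   # malformed: random too short
    "SERVER_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "22" * 32,     # dummy secret
]
```

Running `find_leaked_secrets(SAMPLE_LOG)` flags lines 3 and 5 only; the malformed line 4 is ignored rather than counted as a secret.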