On Wed, 24 Aug 2022 21:59:59 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:

>> The cipher suite enabled on the server side is not logged when "no common in 
>> cipher suites" error is thrown. Hope the developer could find the difference 
>> in the cipher suites between client and server.
>
> Even if the cipher suites are the same between client and server, it may still 
> fail with the "no common in cipher suites" error.  The cause of the bug is not 
> only about "no common in cipher suites" between client and server, but also 
> about the cases where the server cannot negotiate any of the common cipher 
> suites because of other factors.  If the cause is only about "no common in 
> cipher suites", I don't think we need a fix, as the message already tells the 
> story.
> 
> There is no objection to logging the cipher suites.  The question 
> raised here is about when and how to log the cipher suites, and how to make 
> the log easier to read and easier to debug.

@XueleiFan - I think it's fair to say that the current "no cipher suites in 
common" exception message is misleading for some scenarios. If not misleading, 
it's ambiguous. You could be dealing with a simple scenario where the server 
socket simply has no enabled cipher suites to match those coming in from the 
ClientHello. In the more complex scenario, something else has caused the fatal 
issue, like a key exchange issue in TLSv1.2. With the new debug data, we have 
some extra data points like the cipher suites actually enabled, the preference 
of client or server suites, etc. Coupled with the ClientHello data, I think it 
helps piece together a better idea of the server-side scenario.

I've no strong preference on how often we print this debug data on server end. 
To cut back on log verbosity, perhaps on fatal/failing handshake scenarios is 
all that's required. 

If you feel strongly about printing debug data for each TLSServerSocket 
handshake (including the extra data points that you've suggested), then please 
shout now. I do feel it'll add considerably to log size on busy TLS servers.

-------------

PR: https://git.openjdk.org/jdk/pull/9731