On Wed, 30 Apr 2025 13:01:45 GMT, Sean Coffey <coff...@openjdk.org> wrote:

>> The `javax.net.debug` TLS debug option is buggy since TLSv1.3 implementation 
>> was introduced many years ago.
>> 
>> Where "ssl" was previously a value to obtain all TLS debug traces (except 
>> network type dumps, verbose data), it now prints only a few lines for a 
>> standard client TLS connection. 
>> 
>> The property parsing was also lax and allowed users to declare verbose 
>> logging options by themselves where the documentation stated that such 
>> verbose options were only meant to be used in conjunction with other TLS 
>> options :
>> 
>> 
>>         System.err.println("help           print the help messages");
>>         System.err.println("expand         expand debugging information");
>>         System.err.println();
>>         System.err.println("all            turn on all debugging");
>>         System.err.println("ssl            turn on ssl debugging");
>>         System.err.println();
>>         System.err.println("The following can be used with ssl:");
>>         System.err.println("\trecord       enable per-record tracing");
>>         System.err.println("\thandshake    print each handshake message");
>>         System.err.println("\tkeygen       print key generation data");
>>         System.err.println("\tsession      print session activity");
>>         System.err.println("\tdefaultctx   print default SSL initialization");
>>         System.err.println("\tsslctx       print SSLContext tracing");
>>         System.err.println("\tsessioncache print session cache tracing");
>>         System.err.println("\tkeymanager   print key manager tracing");
>>         System.err.println("\ttrustmanager print trust manager tracing");
>>         System.err.println("\tpluggability print pluggability tracing");
>>         System.err.println();
>>         System.err.println("\thandshake debugging can be widened with:");
>>         System.err.println("\tdata         hex dump of each handshake message");
>>         System.err.println("\tverbose      verbose handshake message printing");
>>         System.err.println();
>>         System.err.println("\trecord debugging can be widened with:");
>>         System.err.println("\tplaintext    hex dump of record plaintext");
>>         System.err.println("\tpacket       print raw SSL/TLS packets");
>> 
>> 
>> as part of this patch, I've also moved the log call to the more performant 
>> friendly 
>> `System.Logger#log(java.lang.System.Logger.Level,java.util.function.Supplier)`
>>  method. 
>> 
>> the output has changed slightly with respect to that  - less verbose
>> 
>> e.g. old...
>
> Sean Coffey has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   remove whitespace

Seems to be agreement that the javax.net.debug property should behave in the 
following manner:

"all" indicates that all debug data will be logged
"ssl" by itself indicates that all debug data except data from the "data" and 
"packet" categories will be logged
"ssl" followed by any number of sub-components indicates that generic ssl data 
will be logged along with more specific data from the subcomponents specified.

As always, an empty value means a System Logger is used.
Overhaul of SSLLogger to represent debug levels via a new enum (SSLLogger.Opt) 
- this has a couple of benefits:

* ensure that calling sites use a documented setting instead of string values
* much simpler isOn(..) logic which can be a high volume call when logging is 
enabled.

The new isOn method boils down to much simpler logic:


    public static boolean isOn(Opt option) {
        return Opt.ALL.on || option.on;
    }


test coverage also improved.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/18764#issuecomment-2841928550
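The option semantics spelled out above ("all", "ssl" alone, "ssl" plus sub-components, empty value) together with the enum-based isOn check, written out as a self-contained illustration. This is added example code, not the JDK's SSLLogger or anything from the pull request; the class and member names (DebugOptDemo, DebugOpt, Config, parse), the accepted separators, and the strict handling of sub-components named without "ssl" are assumptions for the demo.

```java
import java.util.EnumSet;
import java.util.Locale;

/*
 * Added illustration of the javax.net.debug behaviour described in the thread.
 * Not the JDK's SSLLogger: class, enum and method names here are assumptions.
 */
public final class DebugOptDemo {

    /** One constant per category in the help text; ALL and SSL are the umbrellas. */
    enum DebugOpt {
        ALL, SSL,
        RECORD, HANDSHAKE, KEYGEN, SESSION, DEFAULTCTX, SSLCTX,
        SESSIONCACHE, KEYMANAGER, TRUSTMANAGER, PLUGGABILITY,
        // "handshake debugging can be widened with:"
        DATA, VERBOSE,
        // "record debugging can be widened with:"
        PLAINTEXT, PACKET;

        /** Token as it appears in the property value (lower case). */
        String token() { return name().toLowerCase(Locale.ROOT); }

        static DebugOpt fromToken(String t) {
            for (DebugOpt o : values()) {
                if (o.token().equals(t)) return o;
            }
            return null;
        }
    }

    /** Parsed result: either "use the System Logger" or an explicit option set. */
    record Config(boolean useSystemLogger, EnumSet<DebugOpt> enabled) {
        /** Same shape as the simplified isOn(): ALL switches everything on. */
        boolean isOn(DebugOpt option) {
            return enabled.contains(DebugOpt.ALL) || enabled.contains(option);
        }
    }

    /** The two categories that "ssl" by itself does NOT switch on. */
    private static final EnumSet<DebugOpt> NOT_IMPLIED_BY_SSL =
            EnumSet.of(DebugOpt.DATA, DebugOpt.PACKET);

    static Config parse(String property) {
        // Empty (or unset) value: the System Logger is used, no option flags.
        if (property == null || property.isBlank()) {
            return new Config(true, EnumSet.noneOf(DebugOpt.class));
        }
        // Assumption for the demo: tokens separated by commas, colons or whitespace.
        String[] tokens = property.toLowerCase(Locale.ROOT).split("[,:\\s]+");
        EnumSet<DebugOpt> requested = EnumSet.noneOf(DebugOpt.class);
        for (String t : tokens) {
            if (t.isEmpty()) continue;
            DebugOpt o = DebugOpt.fromToken(t);
            if (o == null) {
                System.err.println("unknown javax.net.debug option: " + t);
                continue;
            }
            requested.add(o);
        }

        if (requested.contains(DebugOpt.ALL)) {
            // "all": every category, including the verbose hex dumps.
            return new Config(false, EnumSet.allOf(DebugOpt.class));
        }
        if (!requested.contains(DebugOpt.SSL)) {
            // Sub-components are only documented "with ssl"; a value naming them
            // on their own enables nothing here (assumed strict handling).
            System.err.println("javax.net.debug sub-components require \"ssl\": " + property);
            return new Config(false, EnumSet.noneOf(DebugOpt.class));
        }
        if (requested.size() == 1) {
            // "ssl" by itself: everything except the "data" and "packet" categories.
            EnumSet<DebugOpt> all = EnumSet.allOf(DebugOpt.class);
            all.remove(DebugOpt.ALL);
            all.removeAll(NOT_IMPLIED_BY_SSL);
            return new Config(false, all);
        }
        // "ssl" plus sub-components: generic ssl data plus exactly what was asked for.
        return new Config(false, requested);
    }

    public static void main(String[] args) {
        String[] samples = {"", "all", "ssl", "ssl,handshake,data", "handshake"};
        for (String value : samples) {
            Config c = parse(value);
            System.out.printf("%-22s systemLogger=%-5b handshake=%-5b data=%-5b packet=%b%n",
                    '"' + value + '"', c.useSystemLogger(),
                    c.isOn(DebugOpt.HANDSHAKE), c.isOn(DebugOpt.DATA), c.isOn(DebugOpt.PACKET));
        }
    }
}
```

Running main prints one line per sample value: "" hands off to the System Logger with nothing enabled, "all" turns on every category, "ssl" turns on handshake but leaves data and packet off, "ssl,handshake,data" adds the handshake hex dump while packet stays off, and "handshake" alone enables nothing. The demo keeps the enabled set in an immutable Config instead of the static per-constant `on` flag the patch uses, so isOn stays a two-term check while the parsed state can be passed around and tested without global mutation.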
