JDK-8055207 : keystore and truststore debug output could be much better
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8,9
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2014-08-15
  • Updated: 2015-11-17
  • Resolved: 2015-03-03
The Version table provides details of the release in which this issue/RFE will be addressed.

Unresolved: Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed: Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

JDK 8: 8u60 (Fixed)
JDK 9: 9 b54 (Fixed)
Description
Worked a recent case where a lot of confusion existed around how the truststore and keystore got set up. The debug logs did not print the location of either, AFAIK.

The keystore was being specified correctly via a system property, but the application code loading the store was buggy:

something like:
    InputStream kis =
        getClass().getClassLoader().getResourceAsStream(keyfile);
    // classpath lookup: returns null when the resource is not found, and
    // KeyStore.load(null, ...) then silently creates an empty keystore

instead of:
    ks.load(new FileInputStream(keyfile), keypass.toCharArray());
    // reads the keystore file at the configured path

was being used to load in the certs.

During client authentication this was observed in the debug logs:

===================
*** CertificateRequest
<snip>
*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
*** Certificate chain
***
<snip>
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
==================

i.e. "***" is used to denote no certs. That's poor from our side and we should at least print something like "no certs in keystore: <keystore location>".

For comparison, this is what a successful loading of the keystore looked like:

*** CertificateRequest
....<snip>
*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
matching alias: mykey
*** Certificate chain
chain [0] = [
<snip> --> Subject: CN=my company aaaaaa, O=Third Party, DC=db, DC=com
chain [1] =
<snip> --> Subject: CN=my company bbbbbbbb, OU=PKI, O=DD AG, C=DE
chain [2] =
<snip> --> Subject: CN=my company ccccccccc, OU=PKI, O=DD AG, C=DE

<snip>
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
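The failure mode described in the report, reproduced as an added example (this is not code from the report or from the JDK). It relies on one documented fact: KeyStore.load() accepts a null stream and then initialises an empty keystore rather than throwing, so a classpath lookup that returns null produces exactly the "***" empty certificate chain shown above. The class name, the PKCS12 store type, the demo password and the temporary empty keystore file are all assumptions constructed for the demo; the hardened loader fails fast and names the resolved path, which is what the report asks the debug output to do.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;

/**
 * Added example: shows why the buggy getResourceAsStream() pattern yields a
 * keystore with no certificates and no error, and a loader that fails loudly.
 */
public class KeyStoreLoadCheck {

    // Assumed store type for this demo; the report does not say which type was in use.
    private static final String STORE_TYPE = "PKCS12";

    /** Buggy pattern from the report: classpath lookup, null stream, empty keystore, no error. */
    static int buggyLoad(String resourceName, char[] password)
            throws IOException, GeneralSecurityException {
        InputStream kis = KeyStoreLoadCheck.class.getClassLoader().getResourceAsStream(resourceName);
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        ks.load(kis, password);   // kis is null: per the KeyStore.load javadoc an empty store is created
        return ks.size();         // the store is empty and nothing in the TLS debug log says why
    }

    /**
     * Hardened loader: reads from an explicit file path, fails if the file is missing,
     * and rejects a keystore that holds no key entry (nothing usable for client auth).
     * Every failure message carries the resolved path so the log is unambiguous.
     */
    static KeyStore loadClientKeyStore(Path path, char[] password)
            throws IOException, GeneralSecurityException {
        Path resolved = path.toAbsolutePath();
        if (!Files.isRegularFile(resolved)) {
            throw new IOException("keystore file not found: " + resolved);
        }
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        try (InputStream in = Files.newInputStream(resolved)) {
            ks.load(in, password);
        }
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                System.out.println("client keystore " + resolved + ": using key entry '" + alias + "'");
                return ks;
            }
        }
        throw new GeneralSecurityException("no key entries in keystore: " + resolved);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();   // demo password, not from the report

        // Constructed input: an empty keystore written to a temp file, so the demo needs no keytool.
        Path empty = Files.createTempFile("empty-", ".p12");
        KeyStore fresh = KeyStore.getInstance(STORE_TYPE);
        fresh.load(null, pw);
        try (OutputStream out = Files.newOutputStream(empty)) {
            fresh.store(out, pw);
        }

        // 1. The buggy pattern: the resource does not exist, yet load() succeeds with zero entries.
        System.out.println("buggy pattern: entries = " + buggyLoad("does-not-exist.p12", pw));

        // 2. The hardened loader on a path the application would normally take from
        //    -Djavax.net.ssl.keyStore=...; here it is the constructed empty file.
        try {
            loadClientKeyStore(empty, pw);
        } catch (GeneralSecurityException | IOException e) {
            System.out.println("hardened loader: " + e.getMessage());
        }
        Files.deleteIfExists(empty);
    }
}
```

Run with `java KeyStoreLoadCheck` on any JDK that ships PKCS12 support. The first line shows the silent empty store the report hit; the second shows the loader refusing it and printing the absolute path, which is the information the "***" chain line was missing.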

Comments
noreg-other: This fix just enhances debug messages
03-03-2015

The file path to the keystore and the truststore will be printed in the debug log when they are known - for example, when the path names are supplied via system properties. They are not printed when a custom keystore or truststore manager is used because the path name is unknown (an input stream object rather than a file path is used). I agree it would be helpful for TLS to emit a warning message when an empty certificate chain is encountered. See sun.security.ssl.HandshakeMessage.CertificateMsg.print() http://hg.openjdk.java.net/jdk9/dev/jdk/file/6407a15e2274/src/share/classes/sun/security/ssl/HandshakeMessage.java#l490
19-08-2014

Logs were collected using these debug flags: -Djavax.net.debug=all -Djava.security.debug=all
15-08-2014