JDK-8055207

keystore and truststore debug output could be much better

Details

    • b54
    • generic
    • generic

      Description

        Worked a recent case where a lot of confusion existed around how the truststore and keystore got set up. The debug logs did not print the location of either AFAIK.

        The keystore was being specified correctly via a system property but the application code loading the store was buggy :

        something like :
         InputStream kis =
                        getClass().getClassLoader().getResourceAsStream(keyfile);

        instead of :
        ks.load(new FileInputStream(keyfile), keypass.toCharArray());

        was being used to load in the certs.

        during client authentication this was observed with debug logs :

        ===================
        *** CertificateRequest
        <snip>
        *** ServerHelloDone
        [read] MD5 and SHA1 hashes: len = 4
        0000: 0E 00 00 00 ....
        *** Certificate chain
        ***
        <snip>
        *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
        ==================

        i.e. "***" is used to denote no certs - that's poor from our side and we should at least print something like "no certs in keystore: <keystore location>"

        For comparison - this is what a successful loading of keystore looked like :

        *** CertificateRequest
        ....<snip>
            *** ServerHelloDone
        [read] MD5 and SHA1 hashes: len = 4
        0000: 0E 00 00 00 ....
        matching alias: mykey
        *** Certificate chain
        chain [0] = [
        <snip> --> Subject: CN=my company aaaaaa, O=Third Party, DC=db, DC=com
        chain [1] =
        <snip> --> Subject: CN=my company bbbbbbbb, OU=PKI, O=DD AG, C=DE
        chain [2] =
        <snip> --> Subject: CN=my company ccccccccc, OU=PKI, O=DD AG, C=DE

        <snip>
         *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
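
An added example, not code from the report or from the JDK: it reproduces the loading pattern described above and shows why the handshake ends up with an empty certificate chain, next to a checked load that reports the keystore location. It assumes the classpath lookup returned null for a filesystem path; the class name, `loadChecked`, the path and the password are constructed for illustration.

```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

public class KeystoreLoadCheck {
    // Hypothetical helper: load from a filesystem path and fail loudly when the
    // store is missing or holds no private-key entry usable for client auth.
    static KeyStore loadChecked(String keyfile, char[] keypass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keyfile)) {
            ks.load(in, keypass);
        }
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) keyEntries++;
        }
        // Log location and counts only, never the password or key material.
        System.err.printf("keystore %s: type=%s, entries=%d, key entries=%d%n",
                keyfile, ks.getType(), ks.size(), keyEntries);
        if (keyEntries == 0) {
            throw new IllegalStateException("no key entries in keystore: " + keyfile);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        String keyfile = "/constructed/path/client.jks"; // constructed; not a classpath resource
        char[] keypass = "changeit".toCharArray();       // constructed sample password

        // Pattern from the report: a filesystem path looked up as a classpath
        // resource. getResourceAsStream returns null when nothing is found.
        InputStream kis = KeystoreLoadCheck.class.getClassLoader().getResourceAsStream(keyfile);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(kis, keypass); // a null stream creates an empty keystore, no exception
        System.out.println("stream is null: " + (kis == null) + ", entries: " + ks.size());

        // Checked load: the missing file surfaces immediately, with its path.
        try {
            loadChecked(keyfile, keypass);
        } catch (FileNotFoundException e) {
            System.out.println("checked load failed: " + e.getMessage());
        }
    }
}
```

With the unchecked pattern the key manager is built over zero entries, which matches the bare `***` after `*** Certificate chain` in the failing trace.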

              People

                vinnie Vincent Ryan
                coffeys Sean Coffey