diff --git a/src/share/classes/sun/security/ssl/ServerHandshaker.java b/src/share/classes/sun/security/ssl/ServerHandshaker.java
--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java
+++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java
@@ -1004,6 +1004,8 @@
 }
 List legacySuites = new ArrayList<>();
+ StringBuilder sb = new StringBuilder(
+ "Server handshake: CipherSuites attempted: [");
 for (CipherSuite suite : prefered.collection()) {
 if (isNegotiable(proposed, suite) == false) {
 continue;
@@ -1024,6 +1026,7 @@
 if (trySetCipherSuite(suite) == false) {
 continue;
 }
+ sb.append(suite + ",");
 return;
 }
@@ -1031,8 +1034,16 @@
 if (trySetCipherSuite(suite)) {
 return;
 }
+ sb.append(suite + ",");
 }
+ // no suites in common. Print the list tried in debug mode
+ if (sb.charAt(sb.length()-1) == ',') {
+ sb.setCharAt(sb.length()-1, ']');
+ } else {
+ sb.append(']');
+ }
+ debugPrint(sb.toString());
 fatalSE(Alerts.alert_handshake_failure, "no cipher suites in common");
 }
@@ -1050,6 +1061,7 @@
 * This method is called from chooseCipherSuite() in this class. */
 boolean trySetCipherSuite(CipherSuite suite) {
+ debugPrint("trySetCipherSuite for :" + suite);
 /*
 * If we're resuming a session we know we can
 * support this key exchange algorithm and in fact
@@ -1186,6 +1198,7 @@
 break;
 case K_ECDHE_RSA: // need RSA certs for authentication
+ debugPrint("fetching RSA certs for K_ECDHE_RSA");
 if (setupPrivateKeyAndChain("RSA") == false) {
 return false;
 }
@@ -1419,6 +1432,7 @@
 * @return true if successful, false if not available or invalid */
 private boolean setupPrivateKeyAndChain(String algorithm) {
+ debugPrint("setupPrivateKeyAndChain: algorithm:" + algorithm);
 X509ExtendedKeyManager km = sslContext.getX509KeyManager();
 String alias;
 if (conn != null) {
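Review bot: In the `@@ -1024` hunk the added `sb.append(suite + ",")` sits after the `continue` taken when `trySetCipherSuite` fails and directly before `return`, so the preferred-suite loop records only the suite that succeeded, and that builder is then dropped without being printed. The list printed before `fatalSE` in the `@@ -1031` hunk therefore contains legacy suites only, which makes a "no cipher suites in common" failure look as if nothing else was tried. Recording the suite before the attempt, `sb.append(suite).append(',');` placed above `if (trySetCipherSuite(suite) == false) {`, would list every suite actually attempted. The loop body starts outside this hunk.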
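Review bot: The builder created in the `@@ -1004` hunk and the per-suite concatenations in the `@@ -1031` hunk run on every handshake, because the debug switch is consulted only inside `debugPrint`; the message built at the top of `trySetCipherSuite` (`@@ -1050`) has the same cost. Consider building the list only when the option is on, by wrapping the appends and the block before `fatalSE` in the same `debug != null && Debug.isOn("handshake")` test that `debugPrint` uses. With the list built in one place the trailing-comma fix-up (`sb.setCharAt(sb.length()-1, ']')`) could be replaced by appending the separator only between entries.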
@@ -1427,20 +1441,25 @@
 alias = km.chooseEngineServerAlias(algorithm, null, engine);
 }
 if (alias == null) {
+ debugPrint("setupPrivateKeyAndChain: alias was null");
 return false;
 }
 PrivateKey tempPrivateKey = km.getPrivateKey(alias);
 if (tempPrivateKey == null) {
+ debugPrint("setupPrivateKeyAndChain: tempPrivateKey was null");
 return false;
 }
 X509Certificate[] tempCerts = km.getCertificateChain(alias);
 if ((tempCerts == null) || (tempCerts.length == 0)) {
+ debugPrint("setupPrivateKeyAndChain: no temp certs found");
 return false;
 }
 String keyAlgorithm = algorithm.split("_")[0];
 PublicKey publicKey = tempCerts[0].getPublicKey();
 if ((tempPrivateKey.getAlgorithm().equals(keyAlgorithm) == false) || (publicKey.getAlgorithm().equals(keyAlgorithm) == false)) {
+ debugPrint("setupPrivateKeyAndChain: algorithm mismatch." +
+ "public key algorithm :" + publicKey.getAlgorithm());
 return false;
 }
 // For ECC certs, check whether we support the EC domain parameters.
@@ -1448,19 +1467,24 @@
 // check against that too.
 if (keyAlgorithm.equals("EC")) {
 if (publicKey instanceof ECPublicKey == false) {
+ debugPrint("setupPrivateKeyAndChain: publicKey not instance of ECPublicKey." +
+ " it was :" + publicKey.getClass().getName());
 return false;
 }
 ECParameterSpec params = ((ECPublicKey)publicKey).getParams();
 int index = SupportedEllipticCurvesExtension.getCurveIndex(params);
 if (SupportedEllipticCurvesExtension.isSupported(index) == false) {
+ debugPrint("setupPrivateKeyAndChain: SupportedEllipticCurvesExtension issue");
 return false;
 }
 if ((supportedCurves != null) && !supportedCurves.contains(index)) {
+ debugPrint("setupPrivateKeyAndChain: supportedCurves issue");
 return false;
 }
 }
 this.privateKey = tempPrivateKey;
 this.certs = tempCerts;
+ debugPrint("setupPrivateKeyAndChain: returning true for:" + algorithm);
 return true;
 }
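Review bot: The "algorithm mismatch" message in the `@@ -1427` hunk reports only `publicKey.getAlgorithm()`, but the guarded condition also fails when `tempPrivateKey.getAlgorithm()` differs from `keyAlgorithm`, so the log can show a public-key algorithm that in fact matches. Logging the expected and both actual values would remove the ambiguity, for example `"setupPrivateKeyAndChain: algorithm mismatch. expected: " + keyAlgorithm + ", private key: " + tempPrivateKey.getAlgorithm() + ", public key: " + publicKey.getAlgorithm()`; as written the two literals also join without a space ("mismatch.public key"). The two curve messages in the `@@ -1448` hunk have the same gap, since neither prints `index`. These values are algorithm names and a curve index rather than key material, so including them does not make the debug output more sensitive.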
@@ -1886,4 +1910,10 @@
 session.setPeerCertificates(peerCerts);
 }
+
+ private static void debugPrint(String s) {
+ if (debug != null && Debug.isOn("handshake")) {
+ System.out.println(s);
 }
+ }
+}
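Review bot: `debugPrint` writes the bare message to `System.out`, so on a server running handshakes on several threads the new lines cannot be attributed to a particular connection. Prefixing the thread name, `System.out.println(Thread.currentThread().getName() + ", " + s);`, would make them correlatable. A one-line comment stating that the method prints nothing unless the "handshake" debug option is enabled would also help; `debug` is not declared in this hunk and is presumably a static field defined elsewhere in the class hierarchy.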