8350582: Correct the parsing of the ssl value in javax.net.debug

[coffeys]

Breaking the parent JDK-8044609 JBS issue into sub tasks.

This patch addresses the main issue which is that javax.net.debug=ssl option is completely broken since TLSv1.3 support was introduced. This patch should be easier for backporting also.

Wider corrections can be followed up via parent bug.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8350582: Correct the parsing of the ssl value in javax.net.debug (Sub-task - P3)

Reviewers

• Hai-May Chao (@haimaychao - Committer) Review applies to 0cf24eda
• Bradford Wetmore (@bradfordwetmore - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/23781/head:pull/23781
$ git checkout pull/23781

Update a local copy of the PR:
$ git checkout pull/23781
$ git pull https://git.openjdk.org/jdk.git pull/23781/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 23781

View PR using the GUI difftool:
$ git pr show -t 23781

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/23781.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back coffeys! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@coffeys This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8350582: Correct the parsing of the ssl value in javax.net.debug

Reviewed-by: wetmore, hchao

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 227 new commits pushed to the master branch:

• adcaf01: 8355237: Upstream AOT test cases from Leyden repo to mainline
• bf8a881: 8352733: Improve RotFontBoundsTest test
• 3571664: 8353478: Update crypto microbenchmarks to cover ML-DSA, ML-KEM, and HSS algorithms
• ... and 224 more: https://git.openjdk.org/jdk/compare/6c2667018a49ac78c3a01dc4d52ff6cdf39b7647...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[openjdk]

@coffeys The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 04: Full - Incremental (65758b93)
• 03: Full - Incremental (cb444611)
• 02: Full - Incremental (0cf24eda)
• 01: Full - Incremental (6262e539)
• 00: Full (c21285d8)

[coffeys]

Thanks for the feedback @myankelev - changes incorporated

[myankelev]

Thanks for the feedback @myankelev - changes incorporated

Thanks, LGTM

[driverkt]

nit: expect -> except

[driverkt]

This is surprising behavior. We want it to behave as if there was no suffix after ssl?

[coffeys]

yes, the javax.net.debug property doesn't specify any delimiter between options. Quite strange. It's also had the historical behaviour of printing all ssl details once the string property contains "ssl" with the exception that "sslctx" may be present.

Might target more behavioural changes via the JDK-8044609 parent bug but for now, this patch is mimimal to aid backporting to update releases.

[haimaychao]

Nit: copyright year update

[haimaychao]

Suggest we add verifying debug output when setting different javax.net.debug properties to the test summary.

[bridgekeeper]

@coffeys This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[bradfordwetmore]

Depending on the followup discussion of what ssl alone means.

However, several suggestions below, one might help with test coverage. If you take some/all, then I'll review again. Should be quick.

[bradfordwetmore]

Is ../.. actually needed?

It ran fine in another test directory several levels below this one.

[bradfordwetmore]

Minor nits. >= 80 chars in some lines.

You could leave as is, or shorten the searched-for message. I'm ok if you really want to leave, as I don't expect lots of changes in this file. (horizontal scrolling during reviews is my pet peeve)

Or you could do:

Produced ClientHello handshake message
->
Produced ClientHello handshake

[bradfordwetmore]

A suggestion that could ease/increase test coverage:

    HashMap<String, String> masterMap = new HashMap<>();

    // add one <String, String> for each output category.
    masterMap.put("handshake", "Produced ClientHello handshake message");
    // ...
    
    // for each testcase {
    //   missing = clone masterMap;  // start with the full map
    //   required = new HashMap();  // create an empty map
    //   for each key in the test case {
    //     missing.remove(value);
    //     required.add(value);
    //     }
    //   runTest();
    //   check each value String in required is present
    //   check each value String in missing is not
    // } 

You can then easily add test cases with:

test("ssl","handshake");   // use "..." params if you don't want to do String parsing, and have multiple params

[bradfordwetmore]

Isn't the summary supposed to match the bugid's description?

[bradfordwetmore]

Is this here because for running outside of jtreg, say via the command line?

[coffeys]

Thanks for your review @bradfordwetmore - I've fixed up the test case as per your review comments.

Breaking the test output logic into two maps sounds attractive but the logic isn't mutually exclusive for some of our debug options. In fact, the debug logic for sub-components is still broken and should be fixed up in the follow on 8044609 bug fix. The logger implementation is at odds with our help and docs menu. I have used a map to test for good/bad patterns but I've left the keys for those maps as user defined.

this fixes up special handling of the "ssl" option and restores it to the older TLSv1.2 stack approach.

[bradfordwetmore]

Thanks for addressing the other issues in the test e.g. main, ../.., and bug description.

In looking at the proposed test for this issue, what I was thinking of is actually a mix of 8350582 and future bug JDK-8044609 which cleans up the cat/subcats assignments.

This bug only handles the ssl change, so I'm thinking we should change the regtest for this bug to be a simple test looking for the effects of ssl with no data/verbose/plaintext/packet output, and move (or update) this more general test to be done for 8044609.

Thoughts?

[bradfordwetmore]

Missing a few more test cases for the more general test case.

session -> Session initialized:
packet -> Raw write
defaultctx -> (may not be able to add if you're using non-default contexts)
verbose -> Ignore unsupported cipher suite:

[coffeys]

This bug only handles the ssl change, so I'm thinking we should change the regtest for this bug to be a simple test looking for the effects of ssl with no data/verbose/plaintext/packet output, and move (or update) this more general test to be done for 8044609.

Thoughts?

Thanks for comments Brad. I've added extra component areas to the test.

JDK-8044609 will bring in further clean up. Given that we've zero test coverage in this area today, I think it's important/useful to have a test that reflects what the code is doing today. Some behaviour is broken I'd argue (and conflicts with our docs and help menus) The test can be modified further with the JDK-8044609 changes. It'll also help give us a better picture around impact of upcoming changes. For that reason, I'd like to keep the current test coverage.

[bradfordwetmore]

We never did hear from Xuelei, so will go with our best guess, which is that that change introduced a bug, and was not an intentional reversal of behavior as I initially believed.

I approve this PR with the strong urging that JDK-8044609 can be fixed in JDK 25, and hopefully backported together. That change should be able to be reviewed quickly, now that we are past this big issue.

[coffeys]

Thanks Brad - I plan to sync JDK-8044609 PR up with latest changes and restart work on it shortly.

/integrate

[openjdk]

Going to push as commit 1ec6481.
Since your change was applied there have been 246 commits pushed to the master branch:

• d3f31b0: 8347719: [REDO] Portable implementation of FORBID_C_FUNCTION and ALLOW_C_FUNCTION
• 6254046: 8320909: C2: Adapt IGVN's enqueuing logic to match idealization of AndNode with LShift operand
• 74a2c83: 8352620: C2: rename MemNode::memory_type() to MemNode::value_basic_type()
• ... and 243 more: https://git.openjdk.org/jdk/compare/6c2667018a49ac78c3a01dc4d52ff6cdf39b7647...master

Your commit was automatically rebased without conflicts.

[openjdk]

@coffeys Pushed as commit 1ec6481.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.