如何按需启用javax.net.debug [英] How to enable javax.net.debug on demand

问题描述

我们的应用程序使用Apache HttpClient 4.5.3，并且在使用SNI功能的客户端和服务器之间进行通信时，我们观察到非常奇怪的行为

Our application uses Apache HttpClient 4.5.3 and we are observing a very weird behavior with communication between our client and the server using SNI capability

如果SSL请求中包含我们的客户端期望的服务器名称(即服务器的主机名)，则服务器配置为返回Go Daddy签名证书，它将为所有其他服务器返回一个自签名证书域名

The server is configured to return a Go Daddy signed certificate if the SSL request comes in the with the server name expected from our client(ie: the host name of the server) and it will return a self signed certificate for all other domain names

观察到的行为

• 客户在我们生产机器上的所有服务器上都收到正确的服务器证书
• 客户端代码正在部署在tomcat 8上的应用程序中运行，我们注意到对端点的初始请求已成功通过.运行一段时间后，我们在客户端上收到一个SSL异常.
• 错误是因为服务器未发送正确的证书(它发送了默认的自签名证书)
• 如果我们重新启动部署了客户端的tomcat服务器，则呼叫将再次成功进行.

我们过去曾使用javax.net.debug进行调试，但在这种情况下我们无法使用它，因为我们需要重新启动tomcat服务器才能发挥作用，并且当我们重新启动tomcat服务器时，对端点服务器开始成功. 另外，javax.net.debug记录了大量信息，这些信息将淹没我们的日志，因此我们希望仅针对特定请求启用它. 我们希望仅记录客户端Hello(其中包含传递给端点的server_name)

We have used javax.net.debug for debugging purposes in the past but we cannot use it in this case as we need to restart the tomcat server for its effect to take place and when we restart the tomcat server, the calls to the endpoint server start to succeed. Also the javax.net.debug logs a lot of information which will flood our logs and hence we wanted it enabled only for a specific request. We are hoping to log only the Client Hello(which contains the server_name passed to the endpoint)

我已通读 https://docs.oracle. com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#OwnX509ETM 但是不能确定我们可以用来仅打印下推到服务器的SSL服务器名称指示符的方法.

I have read through https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#OwnX509ETM But not sure of what we can use to print only the SSL server name indicator pushed down to the server.

推荐答案

我和您一样担心，然后我首先考虑动态添加环境变量，但它始终具有旧的价值.然后，我发现javax.net.debug环境变量仅在SSLSocketFactory.java中的静态块中被读取一次.完整的源代码可用此处.

I had the same concern as yours, then firstly I was thinking about dynamically adding environment variable, but it's always taking old value. Then I found out that javax.net.debug enviroment variable is read once only with static block in SSLSocketFactory.java. The full source code is available here.

static {
     String s = java.security.AccessController.doPrivileged(
         new GetPropertyAction("javax.net.debug", "")).toLowerCase(Locale.ENGLISH);
     DEBUG = s.contains("all") || s.contains("ssl");
}

这篇关于如何按需启用javax.net.debug的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！