From 16eb2b427ec5ae437cf3b26054cc3628c104bcb0 Mon Sep 17 00:00:00 2001
From: Marco Fargetta
Date: Tue, 21 May 2024 17:27:06 +0200
Subject: [PATCH] Include certificate information in SSL session

Certificates are included in the SSL session also in case of handshake failure. If certificate are not available there are no exception and or error reported beside the one creating the failure. Certificate information are needed in case of event audits.
---
 .../mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java b/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
index ee972d790..b117fa93c 100644
--- a/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
+++ b/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
@@ -1008,7 +1008,6 @@ private SSLException checkSSLAlerts() {
 private void updateHandshakeState() {
 debug("JSSEngine: updateHandshakeState()");
-
 // If we've previously seen an exception, we should just return
 // here; there's already an alert on the wire, so there's no point
 // in checking for new ones and/or stepping the handshake: it has
@@ -1056,6 +1055,14 @@ private void updateHandshakeState() {
 if (SSL.ForceHandshake(ssl_fd) == SSL.SECFailure) {
 int error_value = PR.GetError();
+ try {
+ PK11Cert[] peer_chain = SSL.PeerCertificateChain(ssl_fd);
+ session.setPeerCertificates(peer_chain);
+ } catch (Exception e) {
+ // If certificate is not available, then the handshake error is before
+ // peerCertificate was retrieved. The following message is enough to report
+ }
+
 if (error_value != PRErrors.WOULD_BLOCK_ERROR) {
 debug("JSSEngine.updateHandshakeState() - FATAL " + getStatus());