Include certificate information in SSL session

Certificates are included in the SSL session also in case of handshake failure. If certificate are not available there are no exception and or error reported beside the one creating the failure. Certificate information are needed in case of event audits.
dogtagpki · May 21, 2024 · 2135e7a · 2135e7a
1 parent 945cb06
commit 2135e7a
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java b/base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
@@ -1006,7 +1006,6 @@ private SSLException checkSSLAlerts() {
 
     private void updateHandshakeState() {
         debug("JSSEngine: updateHandshakeState()");
-
         // If we've previously seen an exception, we should just return
         // here; there's already an alert on the wire, so there's no point
         // in checking for new ones and/or stepping the handshake: it has
@@ -1054,6 +1053,14 @@ private void updateHandshakeState() {
         if (SSL.ForceHandshake(ssl_fd) == SSL.SECFailure) {
             int error_value = PR.GetError();
 
+            try {
+                PK11Cert[] peer_chain = SSL.PeerCertificateChain(ssl_fd);
+                session.setPeerCertificates(peer_chain);
+            } catch (Exception e) {
+                // If certificate is not available, then the handshake error is before
+                // peerCertificate was retrieved. The following message is enough to report
+            }
+
             if (error_value != PRErrors.WOULD_BLOCK_ERROR) {
                 debug("JSSEngine.updateHandshakeState() - FATAL " + getStatus());