From 2135e7a9ff2839a4cb7ef76e4dfc4c2289828160 Mon Sep 17 00:00:00 2001
From: Marco Fargetta
Date: Tue, 21 May 2024 17:27:06 +0200
Subject: [PATCH] Include certificate information in SSL session
Certificates are included in the SSL session also in case of handshake failure. If certificate are not available there are no exception and or error reported beside the one creating the failure. Certificate information are needed in case of event audits.
---
 .../mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java b/base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
index d6056267b..e0bd4ea50 100644
--- a/base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
+++ b/base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
@@ -1006,7 +1006,6 @@ private SSLException checkSSLAlerts() {
 private void updateHandshakeState() {
 debug("JSSEngine: updateHandshakeState()");
-
 // If we've previously seen an exception, we should just return
 // here; there's already an alert on the wire, so there's no point
 // in checking for new ones and/or stepping the handshake: it has
@@ -1054,6 +1053,14 @@ private void updateHandshakeState() {
 if (SSL.ForceHandshake(ssl_fd) == SSL.SECFailure) {
 int error_value = PR.GetError();
+ try {
+ PK11Cert[] peer_chain = SSL.PeerCertificateChain(ssl_fd);
+ session.setPeerCertificates(peer_chain);
+ } catch (Exception e) {
+ // If certificate is not available, then the handshake error is before
+ // peerCertificate was retrieved. The following message is enough to report
+ }
+
 if (error_value != PRErrors.WOULD_BLOCK_ERROR) {
 debug("JSSEngine.updateHandshakeState() - FATAL " + getStatus());
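Review bot: The chain stored by `session.setPeerCertificates(peer_chain)` comes from a handshake that returned SECFailure, so it has not been authenticated, yet it lands where consumers of the session's peer certificates normally expect a verified peer; unless the session type already marks such a chain as unverified (not visible here), the setter or this call site should document that the certificates are recorded for audit only and must not be used for trust decisions. The capture also runs before the `error_value != PRErrors.WOULD_BLOCK_ERROR` test, so it is repeated on every non-blocking step where SECFailure only means the handshake is still in progress; moving the try block inside that `if` limits it to the real failure path. The `catch (Exception e)` then swallows every error, including ones unrelated to a missing certificate, while its comment promises a report that nothing emits; narrowing the caught type and adding `debug("JSSEngine: peer certificate chain unavailable: " + e);` preserves the audit trail the commit is after. updateHandshakeState continues outside the hunk.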