List complete exception chain for ssl handshake failure in connection log

3 files changed, 61 insertions, 42 deletions

diff --git a/jdisc_http_service/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java b/jdisc_http_service/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java
index a6b800a9279..6afe3b74329 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java
@@ -3,6 +3,7 @@
 package com.yahoo.container.logging;
 
 import java.time.Instant;
+import java.util.List;
 import java.util.Optional;
 import java.util.UUID;
 
@@ -31,9 +32,7 @@ public class ConnectionLogEntry {
     private final Instant sslPeerNotBefore;
     private final Instant sslPeerNotAfter;
     private final String sslSniServerName;
-    private final String sslHandshakeFailureException;
-    private final String sslHandshakeFailureMessage;
-    private final String sslHandshakeFailureType;
+    private final SslHandshakeFailure sslHandshakeFailure;
 
 
     private ConnectionLogEntry(Builder builder) {
@@ -57,9 +56,7 @@ public class ConnectionLogEntry {
         this.sslPeerNotBefore = builder.sslPeerNotBefore;
         this.sslPeerNotAfter = builder.sslPeerNotAfter;
         this.sslSniServerName = builder.sslSniServerName;
-        this.sslHandshakeFailureException = builder.sslHandshakeFailureException;
-        this.sslHandshakeFailureMessage = builder.sslHandshakeFailureMessage;
-        this.sslHandshakeFailureType = builder.sslHandshakeFailureType;
+        this.sslHandshakeFailure = builder.sslHandshakeFailure;
     }
 
     public static Builder builder(UUID id, Instant timestamp) {
@@ -86,9 +83,33 @@ public class ConnectionLogEntry {
     public Optional<Instant> sslPeerNotBefore() { return Optional.ofNullable(sslPeerNotBefore); }
     public Optional<Instant> sslPeerNotAfter() { return Optional.ofNullable(sslPeerNotAfter); }
     public Optional<String> sslSniServerName() { return Optional.ofNullable(sslSniServerName); }
-    public Optional<String> sslHandshakeFailureException() { return Optional.ofNullable(sslHandshakeFailureException); }
-    public Optional<String> sslHandshakeFailureMessage() { return Optional.ofNullable(sslHandshakeFailureMessage); }
-    public Optional<String> sslHandshakeFailureType() { return Optional.ofNullable(sslHandshakeFailureType); }
+    public Optional<SslHandshakeFailure> sslHandshakeFailure() { return Optional.ofNullable(sslHandshakeFailure); }
+
+    public static class SslHandshakeFailure {
+        private final String type;
+        private final List<ExceptionEntry> exceptionChain;
+
+        public SslHandshakeFailure(String type, List<ExceptionEntry> exceptionChain) {
+            this.type = type;
+            this.exceptionChain = List.copyOf(exceptionChain);
+        }
+
+        public String type() { return type; }
+        public List<ExceptionEntry> exceptionChain() { return exceptionChain; }
+
+        public static class ExceptionEntry {
+            private final String name;
+            private final String message;
+
+            public ExceptionEntry(String name, String message) {
+                this.name = name;
+                this.message = message;
+            }
+
+            public String name() { return name; }
+            public String message() { return message; }
+        }
+    }
 
     public static class Builder {
         private final UUID id;
@@ -111,9 +132,7 @@ public class ConnectionLogEntry {
         private Instant sslPeerNotBefore;
         private Instant sslPeerNotAfter;
         private String sslSniServerName;
-        private String sslHandshakeFailureException;
-        private String sslHandshakeFailureMessage;
-        private String sslHandshakeFailureType;
+        private SslHandshakeFailure sslHandshakeFailure;
 
 
         Builder(UUID id, Instant timestamp) {
@@ -194,16 +213,8 @@ public class ConnectionLogEntry {
             this.sslSniServerName = sslSniServerName;
             return this;
         }
-        public Builder withSslHandshakeFailureException(String exception) {
-            this.sslHandshakeFailureException = exception;
-            return this;
-        }
-        public Builder withSslHandshakeFailureMessage(String message) {
-            this.sslHandshakeFailureMessage = message;
-            return this;
-        }
-        public Builder withSslHandshakeFailureType(String type) {
-            this.sslHandshakeFailureType = type;
+        public Builder withSslHandshakeFailure(SslHandshakeFailure sslHandshakeFailure) {
+            this.sslHandshakeFailure = sslHandshakeFailure;
             return this;
         }
 
diff --git a/jdisc_http_service/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java b/jdisc_http_service/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java
index 394f87c07cc..158d2ec4ea6 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java
@@ -5,6 +5,7 @@ import com.fasterxml.jackson.core.JsonEncoding;
 import com.fasterxml.jackson.core.JsonFactory;
 import com.fasterxml.jackson.core.JsonGenerator;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.yahoo.container.logging.ConnectionLogEntry.SslHandshakeFailure.ExceptionEntry;
 
 import java.io.IOException;
 import java.io.OutputStream;
@@ -46,13 +47,11 @@ class JsonConnectionLogWriter implements LogWriter<ConnectionLogEntry> {
             Instant sslPeerNotBefore = unwrap(record.sslPeerNotBefore());
             Instant sslPeerNotAfter = unwrap(record.sslPeerNotAfter());
             String sslSniServerName = unwrap(record.sslSniServerName());
-            String sslHandshakeFailureException = unwrap(record.sslHandshakeFailureException());
-            String sslHandshakeFailureMessage = unwrap(record.sslHandshakeFailureMessage());
-            String sslHandshakeFailureType = unwrap(record.sslHandshakeFailureType());
+            ConnectionLogEntry.SslHandshakeFailure sslHandshakeFailure = unwrap(record.sslHandshakeFailure());
 
             if (isAnyValuePresent(
                     sslProtocol, sslSessionId, sslCipherSuite, sslPeerSubject, sslPeerNotBefore, sslPeerNotAfter,
-                    sslSniServerName, sslHandshakeFailureException, sslHandshakeFailureMessage, sslHandshakeFailureType)) {
+                    sslSniServerName, sslHandshakeFailure)) {
                 generator.writeObjectFieldStart("ssl");
 
                 writeOptionalString(generator, "protocol", sslProtocol);
@@ -63,11 +62,17 @@ class JsonConnectionLogWriter implements LogWriter<ConnectionLogEntry> {
                 writeOptionalTimestamp(generator, "peerNotAfter", sslPeerNotAfter);
                 writeOptionalString(generator, "sniServerName", sslSniServerName);
 
-                if (isAnyValuePresent(sslHandshakeFailureException, sslHandshakeFailureMessage, sslHandshakeFailureType)) {
+                if (sslHandshakeFailure != null) {
                     generator.writeObjectFieldStart("handshake-failure");
-                    writeOptionalString(generator, "exception", sslHandshakeFailureException);
-                    writeOptionalString(generator, "message", sslHandshakeFailureMessage);
-                    writeOptionalString(generator, "type", sslHandshakeFailureType);
+                    generator.writeArrayFieldStart("exception");
+                    for (ExceptionEntry entry : sslHandshakeFailure.exceptionChain()) {
+                        generator.writeStartObject();
+                        generator.writeStringField("cause", entry.name());
+                        generator.writeStringField("message", entry.message());
+                        generator.writeEndObject();
+                    }
+                    generator.writeEndArray();
+                    generator.writeStringField("type", sslHandshakeFailure.type());
                     generator.writeEndObject();
                 }
 
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
index cb3a5d046d8..34a91a3bbb4 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
@@ -3,6 +3,7 @@ package com.yahoo.jdisc.http.server.jetty;
 
 import com.yahoo.container.logging.ConnectionLog;
 import com.yahoo.container.logging.ConnectionLogEntry;
+import com.yahoo.container.logging.ConnectionLogEntry.SslHandshakeFailure.ExceptionEntry;
 import com.yahoo.io.HexDump;
 import com.yahoo.jdisc.http.ServerConfig;
 import org.eclipse.jetty.io.Connection;
@@ -27,6 +28,7 @@ import javax.net.ssl.StandardConstants;
 import java.net.InetSocketAddress;
 import java.security.cert.X509Certificate;
 import java.time.Instant;
+import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
 import java.util.Objects;
@@ -222,9 +224,7 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
         private Date sslPeerNotBefore;
         private Date sslPeerNotAfter;
         private List<SNIServerName> sslSniServerNames;
-        private String sslHandshakeFailureException;
-        private String sslHandshakeFailureMessage;
-        private String sslHandshakeFailureType;
+        private SSLHandshakeException sslHandshakeException;
 
         private ConnectionInfo(UUID uuid, long createdAt, InetSocketAddress localAddress, InetSocketAddress peerAddress) {
             this.uuid = uuid;
@@ -284,11 +284,7 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
         }
 
         synchronized ConnectionInfo setSslHandshakeFailure(SSLHandshakeException exception) {
-            this.sslHandshakeFailureException = exception.getClass().getName();
-            this.sslHandshakeFailureMessage = exception.getMessage();
-            this.sslHandshakeFailureType = SslHandshakeFailure.fromSslHandshakeException(exception)
-                    .map(SslHandshakeFailure::failureType)
-                    .orElse("UNKNOWN");
+            this.sslHandshakeException = exception;
             return this;
         }
 
@@ -338,10 +334,17 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
                         .withSslPeerNotAfter(sslPeerNotAfter.toInstant())
                         .withSslPeerNotBefore(sslPeerNotBefore.toInstant());
             }
-            if (sslHandshakeFailureException != null && sslHandshakeFailureMessage != null && sslHandshakeFailureType != null) {
-                builder.withSslHandshakeFailureException(sslHandshakeFailureException)
-                        .withSslHandshakeFailureMessage(sslHandshakeFailureMessage)
-                        .withSslHandshakeFailureType(sslHandshakeFailureType);
+            if (sslHandshakeException != null) {
+                List<ExceptionEntry> exceptionChain = new ArrayList<>();
+                Throwable cause = sslHandshakeException;
+                while (cause != null) {
+                    exceptionChain.add(new ExceptionEntry(cause.getClass().getName(), cause.getMessage()));
+                    cause = cause.getCause();
+                }
+                String type = SslHandshakeFailure.fromSslHandshakeException(sslHandshakeException)
+                        .map(SslHandshakeFailure::failureType)
+                        .orElse("UNKNOWN");
+                builder.withSslHandshakeFailure(new ConnectionLogEntry.SslHandshakeFailure(type, exceptionChain));
             }
             return builder.build();
         }