Saturday, September 16, 2017

Enable Logging SSL handshake failure (Audit purpose logs) only on Tomcat 8+ with Java


I need to log if an SSL handshake fails while a REST client tries to connect to my application. The application is built using Spring Boot and Java 8 and deployed on Tomcat 8.

In the scenario of the SSL handshake failing, since the TLS connection is broken, the logging requirement might have to be met in the Tomcat layer or in Java, since Tomcat is using the underlying JVM for SSL certificate validation in my case.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" keystoreFile="keyStore-1.jks" keystorePass="password" keystoreType="jks" truststoreFile="TrustStore.jks" truststorePass="passwrd" truststoreType="jks" clientAuth="want" sslProtocol="TLSv1.2" /> 

I am aware of enabling the debug level logging.

-Djavax.net.debug=ssl

But this logs a lot of information and will slow down the process. And it logs the successful SSL validations also. Is there a way to enable the failure cases alone with minimal logs, either at the Java or the Tomcat level?

I am NOT looking at this from a debugging perspective, as the SSL debug logs are very good for that. This requirement is more for a logging and auditing purpose, and enabling the debug logs is not a feasible option. I want a mechanism that logs only the errors happening in SSL and not all the hex/cert data.

1 Answer

Unfortunately, it is likely not possible. And it is not related to Tomcat. Logging of SSL is not part of standard logging in your application. You could try to reduce the output with the following option:

-Djavax.net.debug=ssl:handshake

Some others:

  • record - Print a trace of each SSL record (at the SSL protocol level).
  • handshake - Print each handshake message as it is received.
  • keygen - Print key generation data for the secret key exchange.
  • session - Print SSL session activity.
  • defaultctx - Print the default SSL initialization information.
  • sslctx - Print information about the SSL context.
  • sessioncache - Print information about the SSL session cache.
  • keymanager - Print information about calls to the key manager.
  • trustmanager - Print information about calls to the trust manager.
  • data - For handshake tracing, print out a hex dump of each message.
  • verbose - For handshake tracing, print out verbose information.
  • plaintext - For record tracing, print out a hex dump of the record.

See docs.

If you really need this and performance is critical for your application, you could instrument SSLSocket (in the docs you can read about the handshake process) with ASM/BTrace, etc. and check the state of the handshake inside it. But in that case you wouldn't have debug information, only true/false.

See also the Tomcat docs with all available settings. There you can read that there is a JSSEImplementation class, which is used in Tomcat. And it is a wrapper for JSSE.
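Instrumenting SSLSocket as suggested above yields only a true/false signal. For the most common failure in the asker's configuration (clientAuth="want", so the handshake breaks when a presented client certificate is rejected), a less invasive way to get one audit line per failure and nothing on success is to wrap the JSSE trust manager and log from the catch block. The following is an added example written for this page, not code from the question, the answer or Tomcat. It assumes Tomcat's `trustManagerClassName` attribute (on the Connector in Tomcat 8.0, on SSLHostConfig in 8.5), which requires a zero-argument constructor and a class implementing javax.net.ssl.X509TrustManager; the system property names `audit.truststore` and `audit.truststorePassword` and the logger name `ssl.audit` are my own choices.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Delegating X509TrustManager that logs only rejected certificates.
 * Configured through Tomcat's trustManagerClassName attribute (assumption:
 * Connector in 8.0, SSLHostConfig in 8.5). Successful validations are silent.
 */
public class AuditingTrustManager implements X509TrustManager {

    // java.util.logging is what Tomcat's JULI builds on, so logging.properties
    // can route the "ssl.audit" logger to its own file (logger name is mine).
    private static final Logger LOG = Logger.getLogger("ssl.audit");

    private final X509TrustManager delegate;

    // Zero-argument constructor, as trustManagerClassName requires.
    public AuditingTrustManager() throws IOException, GeneralSecurityException {
        // Hypothetical property names. As I understand Tomcat 8.0, a custom trust
        // manager replaces the one built from truststoreFile, so load it here.
        String path = System.getProperty("audit.truststore");
        String password = System.getProperty("audit.truststorePassword", "");
        if (path == null) {
            throw new IllegalStateException("-Daudit.truststore=<path to TrustStore.jks> is required");
        }
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password.toCharArray());
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                found = (X509TrustManager) tm;
                break;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
        }
        this.delegate = found;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        try {
            delegate.checkClientTrusted(chain, authType);
        } catch (CertificateException e) {
            logRejection("client", chain, authType, e);
            throw e; // the handshake still fails exactly as it did before
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        try {
            delegate.checkServerTrusted(chain, authType);
        } catch (CertificateException e) {
            logRejection("server", chain, authType, e);
            throw e;
        }
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    // One line per failure: who presented what and why it was rejected.
    // No hex dumps and nothing for successful handshakes.
    private static void logRejection(String side, X509Certificate[] chain,
                                     String authType, CertificateException e) {
        String subject = "<none>";
        String issuer = "<none>";
        String serial = "<none>";
        if (chain != null && chain.length > 0 && chain[0] != null) {
            subject = chain[0].getSubjectX500Principal().getName();
            issuer = chain[0].getIssuerX500Principal().getName();
            serial = chain[0].getSerialNumber().toString(16);
        }
        LOG.log(Level.WARNING,
            "TLS {0} certificate rejected: subject={1} issuer={2} serial={3} authType={4} reason={5}",
            new Object[] { side, subject, issuer, serial, authType, e.getMessage() });
    }
}
```

Put the compiled class on Tomcat's classpath (its lib directory), set `trustManagerClassName="AuditingTrustManager"` on the Connector (8.0) or SSLHostConfig (8.5), and pass the two `-D` properties in the JVM options. The caveat to keep in mind: a trust manager only sees certificate validation. A protocol or cipher mismatch, a client that rejects the server certificate, or a client that simply sends no certificate under clientAuth="want" fails before or outside this code, so those cases still need the handshake debug options listed in the answer, or instrumentation, to be observed.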
