Geek Answers Handbook

Enable SSL authorization failure logging (audit audit logs) only on Tomcat 8+ with Java

I need to log in if SSL handshaking fails while the REST client is trying to connect to my application. The application is built using Spring Boot and Java 8 and deployed to Tomcat 8.

In the SSL communication failure scenario, since the TLS connection does not work, the registration requirement must be fulfilled at the Tomcat or Java level, because Tomcat uses the basic JVM certificate to verify the SSL certificate in my case.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" keystoreFile="keyStore-1.jks" keystorePass="password" keystoreType="jks" truststoreFile="TrustStore.jks" truststorePass="passwrd" truststoreType="jks" clientAuth="want" sslProtocol="TLSv1.2" />

I know to enable debug level logging.

-Djavax.net.debug = SSL

But this logs a lot of information and slows down the process. And register the success of SSL valdiations. Is there a way to include failure cases alone with minimal logs at the Java or Tomcat level.

I DO NOT look at this from a debugging perspective, as SSL debug logs are very good for this. This requirement is more related to the goals of logging and auditing, and the inclusion of debug logs is not possible. A mechanism that only logs errors originating from SSL, and not all hex / cert data.

+7
java security ssl tomcat
source share
1 answer

Unfortunately this is not possible. And this is not related to Tomcat. SSL registration is not part of the standard registration in your application. You can try decreasing the output with the following option:

 -Djava.net.debug=handshake

Some others:

  • record - print trace of each SSL record (at the SSL protocol level).
  • handshake - print each confirmation message when it is received.
  • keygen - key generation data for exchanging private keys.
  • session - print SSL session activity.
  • defaultctx - Print default SSL initialization information.
  • sslctx - Print SSL context information.
  • sessioncache - Print SSL session cache information.
  • keymanager - print call information in the key manager.
  • trustmanager - print call information in the trust manager.
  • - To track the handshake, print a hex dump of each message.
  • verbose - print out details to track your handshake.
  • plaintext - print a hex dump of the record to track records.

See docs .

If you really need it, and performance is important for your application, you can use the SSLSocket tool (in the documents you can read about the handshake process) with ASM / Btrace / etc and check the status of the handshake inside it. But in this case, you will not have debugging information - only true / false.

See also Tomcat Docs with all available settings. There you can read that there is a JSSEImplementation class that is used in Tomcat. And this is the shell for JSSE.

+1
source share

More articles:


All Articles