Posted to users@tomcat.apache.org by Amit Pande <Am...@veritas.com.INVALID> on 2023/08/03 15:53:24 UTC

Using dedicated SSL handshake failure logger

Hello all,

Facing an odd issue with logging the SSL handshake details:

I have this in my logging.properties:

handlers = 1catalina.org.apache.juli.AsyncFileHandler
.handlers = 1catalina.org.apache.juli.AsyncFileHandler

1catalina.org.apache.juli.AsyncFileHandler.level = FINE
1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.home}/logs
1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina.

org.apache.tomcat.util.net.NioEndpoint.handshake.level = FINE
org.apache.tomcat.util.net.NioEndpoint.certificate.level = FINE



With the above configuration, I don't see the SSL handshake failure details in the logs.
However, when I add the console handler like:


handlers = 1catalina.org.apache.juli.AsyncFileHandler,\
           java.util.logging.ConsoleHandler

.handlers = 1catalina.org.apache.juli.AsyncFileHandler, java.util.logging.ConsoleHandler

1catalina.org.apache.juli.AsyncFileHandler.level = FINE
1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.home}/logs
1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina.


java.util.logging.ConsoleHandler.level = FINE

org.apache.tomcat.util.net.NioEndpoint.handshake.level = FINE
org.apache.tomcat.util.net.NioEndpoint.certificate.level = FINE


I see the SSL handshake failure logs e.g.

FINE: Handshake failed for client connection from IP address [127.0.0.1] and port [37136]
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:364)
        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:203)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:155)
        at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:597)
        at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:552)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:418)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:397)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626)
        at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:483)
        at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:215)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1766)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:750)



What am I missing in the logger configuration? Do we have to have the console handler configured?

Thanks,
Amit
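
A stand-alone way to check how java.util.logging routes the handshake logger's FINE records, added here as an illustration and not taken from the thread above or from Tomcat itself. It feeds a logging.properties fragment to the plain JUL LogManager, logs one record through the same logger name Tomcat's NioEndpoint uses (with a constructed SSLHandshakeException in place of a real handshake), and reports whether the record landed in the file. It uses java.util.logging.FileHandler rather than org.apache.juli.AsyncFileHandler so it runs without Tomcat on the classpath, and the class and method names are made up for this example. It does not diagnose the poster's configuration (whose file handler is already at FINE); it only demonstrates the general rule that a record must pass both the logger level and the handler level, which is why a handler left at its INFO default silently drops FINE output.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogManager;
import java.util.logging.Logger;
import javax.net.ssl.SSLHandshakeException;

/**
 * Checks whether a FINE record from the Tomcat handshake logger reaches a
 * file handler under a given java.util.logging configuration.
 * Hypothetical example class; not part of Tomcat.
 */
public class HandshakeLoggerCheck {

    // Logger name used by Tomcat's NioEndpoint for handshake failures.
    static final String HANDSHAKE_LOGGER = "org.apache.tomcat.util.net.NioEndpoint.handshake";

    /** Builds a minimal logging.properties with the file handler at the given level. */
    static String config(Path logFile, Level handlerLevel) {
        return String.join("\n",
            "handlers = java.util.logging.FileHandler",
            "java.util.logging.FileHandler.level = " + handlerLevel.getName(),
            // Backslashes must be escaped in a properties file (Windows paths).
            "java.util.logging.FileHandler.pattern = " + logFile.toString().replace("\\", "\\\\"),
            "java.util.logging.FileHandler.formatter = java.util.logging.SimpleFormatter",
            HANDSHAKE_LOGGER + ".level = FINE",
            "");
    }

    /**
     * Loads the configuration, emits one handshake-failure record the way
     * Tomcat does (message plus exception at FINE) and returns true if the
     * exception text was written to the log file.
     */
    static boolean recordReachesFile(Level handlerLevel) throws IOException {
        Path logFile = Files.createTempFile("handshake-", ".log");
        // readConfiguration resets existing handlers and applies the new properties.
        LogManager.getLogManager().readConfiguration(new ByteArrayInputStream(
            config(logFile, handlerLevel).getBytes(StandardCharsets.ISO_8859_1)));

        Logger log = Logger.getLogger(HANDSHAKE_LOGGER);
        // Constructed record mirroring the message format seen in the thread.
        log.log(Level.FINE,
            "Handshake failed for client connection from IP address [127.0.0.1] and port [37136]",
            new SSLHandshakeException("Received fatal alert: unknown_ca"));

        // Flush and close root handlers so the file content is complete on disk.
        for (Handler h : Logger.getLogger("").getHandlers()) {
            h.flush();
            h.close();
        }
        String content = new String(Files.readAllBytes(logFile), StandardCharsets.UTF_8);
        Files.deleteIfExists(logFile);
        return content.contains("unknown_ca");
    }

    public static void main(String[] args) throws IOException {
        // Logger at FINE, handler at FINE: the record is written.
        System.out.println("handler level FINE -> written: " + recordReachesFile(Level.FINE));
        // Logger at FINE, handler at INFO: the handler discards the FINE record.
        System.out.println("handler level INFO -> written: " + recordReachesFile(Level.INFO));
    }
}
```

Run it with `java HandshakeLoggerCheck.java` (JDK 11 or later) from any directory; it writes and removes its own temporary log file. To test a real Tomcat logging.properties instead of the built-in fragment, replace the `config(...)` call with the file's contents, keeping in mind that Tomcat-specific handler classes such as AsyncFileHandler need tomcat-juli.jar on the classpath.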



RE: [External] Re: Using dedicated SSL handshake failure logger

Posted by Amit Pande <Am...@veritas.com.INVALID>.
Yes, I have verified that CATALINA_HOME is set correctly.

And just for testing purposes, I changed the prefix to something like:

1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina.amit.

And I do see a catalina.amit.2023-08-03.log file created under web server logs.

Thanks,
Amit

-----Original Message-----
From: Mark Thomas <ma...@apache.org> 
Sent: Thursday, August 3, 2023 2:14 PM
To: users@tomcat.apache.org
Subject: [External] Re: Using dedicated SSL handshake failure logger

On 03/08/2023 16:53, Amit Pande wrote:

> What am I missing in the logger configuration? Do we have to have the console handler configured?

Is CATALINA_HOME set correctly?

Do you see any log file at all in the expected location?

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Using dedicated SSL handshake failure logger

Posted by Mark Thomas <ma...@apache.org>.
On 03/08/2023 16:53, Amit Pande wrote:

> What am I missing in the logger configuration? Do we have to have the console handler configured?

Is CATALINA_HOME set correctly?

Do you see any log file at all in the expected location?

Mark
