Posted to users@tomcat.apache.org by Amit Pande <Am...@veritas.com.INVALID> on 2023/08/03 15:53:24 UTC
Using dedicated SSL handshake failure logger
Hello all,
Facing an odd issue with logging the SSL handshake details:
I have this in my logging.properties:
handlers = 1catalina.org.apache.juli.AsyncFileHandler
.handlers = 1catalina.org.apache.juli.AsyncFileHandler
1catalina.org.apache.juli.AsyncFileHandler.level = FINE
1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.home}/logs
1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina.
org.apache.tomcat.util.net.NioEndpoint.handshake.level = FINE
org.apache.tomcat.util.net.NioEndpoint.certificate.level = FINE
With the above configuration, I don't see the SSL handshake failure details in the logs.
However, when I add the console handler like:
handlers = 1catalina.org.apache.juli.AsyncFileHandler,\
java.util.logging.ConsoleHandler
.handlers = 1catalina.org.apache.juli.AsyncFileHandler, java.util.logging.ConsoleHandler
1catalina.org.apache.juli.AsyncFileHandler.level = FINE
1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.home}/logs
1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina.
java.util.logging.ConsoleHandler.level = FINE
org.apache.tomcat.util.net.NioEndpoint.handshake.level = FINE
org.apache.tomcat.util.net.NioEndpoint.certificate.level = FINE
I see the SSL handshake failure logs, e.g.:
FINE: Handshake failed for client connection from IP address [127.0.0.1] and port [37136]
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:364)
    at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:203)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:155)
    at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:597)
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:552)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:418)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:397)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:483)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:215)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1766)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:750)
What am I missing in the logger configuration? Do we have to have the console handler configured?
Thanks,
Amit
RE: [External] Re: Using dedicated SSL handshake failure logger
Posted by Amit Pande <Am...@veritas.com.INVALID>.
Yes, I have verified that CATALINA_HOME is set correctly.
And just for testing purposes, I changed the prefix to something like:
1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina.amit.
And I do see a catalina.amit.2023-08-03.log file created under web server logs.
Thanks,
Amit
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Thursday, August 3, 2023 2:14 PM
To: users@tomcat.apache.org
Subject: [External] Re: Using dedicated SSL handshake failure logger
On 03/08/2023 16:53, Amit Pande wrote:
> What am I missing in the logger configuration? Do we have to have the console handler configured?
Is CATALINA_HOME set correctly?
Do you see any log file at all in the expected location?
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Using dedicated SSL handshake failure logger
Posted by Mark Thomas <ma...@apache.org>.
On 03/08/2023 16:53, Amit Pande wrote:
> What am I missing in the logger configuration? Do we have to have the console handler configured?
Is CATALINA_HOME set correctly?
Do you see any log file at all in the expected location?
Mark