Posted to users@tomcat.apache.org by "Ragavendhiran Bhiman (rabhiman)" <ra...@cisco.com.INVALID> on 2022/07/07 16:11:00 UTC

SSL handshake failure logs required for auditing purpose

Hi All,

I require your kind help in logging the SSL connection failure logs, including the IP, in Tomcat. Is there any best way to do it without performance impact, other than the -Djava.net debugs in the JDK? Is there any direct way from Tomcat? Or is there any way we can derive a class from the JSSE extension classes and add a HandShakeListener while using the connectors? All our SSL connections are going through connectors. So I kindly need your help on how to log those SSL connection auditing logs through the best method.
Thanks a lot in advance.

Regards,
Raghav


RE: SSL handshake failure logs required for auditing purpose

Posted by jo...@wellsfargo.com.INVALID.
Tre's Bueno!

Jon McAlexander


> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Thursday, July 7, 2022 1:22 PM
> To: users@tomcat.apache.org
> Subject: Re: SSL handshake failure logs required for auditing purpose
> 
> The next release (9.0.65) will have a dedicated logger for TLS handshake
> failures. You will be able to configure it like any other logger - including
> directing it to a dedicated file.
> 
> Mark
> 
> 
> On 07/07/2022 17:11, Ragavendhiran Bhiman (rabhiman) wrote:
> > Hi All,
> >
> > I require your kind help in logging the SSL connection failure logs, including the IP,
> > in Tomcat. Is there any best way to do it without performance impact, other than
> > the -Djava.net debugs in the JDK? Is there any direct way from Tomcat? Or is there
> > any way we can derive a class from the JSSE extension classes and add a
> > HandShakeListener while using the connectors? All our SSL connections are
> > going through connectors. So I kindly need your help on how to log those SSL
> > connection auditing logs through the best method.
> > Thanks a lot in advance.
> >
> > Regards,
> > Raghav
> >
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org




Re: SSL handshake failure logs required for auditing purpose

Posted by Mark Thomas <ma...@apache.org>.
The next release (9.0.65) will have a dedicated logger for TLS handshake 
failures. You will be able to configure it like any other logger - 
including directing it to a dedicated file.

Mark


On 07/07/2022 17:11, Ragavendhiran Bhiman (rabhiman) wrote:
> Hi All,
> 
> I require your kind help in logging the SSL connection failure logs, including the IP, in Tomcat. Is there any best way to do it without performance impact, other than the -Djava.net debugs in the JDK? Is there any direct way from Tomcat? Or is there any way we can derive a class from the JSSE extension classes and add a HandShakeListener while using the connectors? All our SSL connections are going through connectors. So I kindly need your help on how to log those SSL connection auditing logs through the best method.
> Thanks a lot in advance.
> 
> Regards,
> Raghav
> 
> 



Re: AW: SSL handshake failure logs required for auditing purpose

Posted by "Ragavendhiran Bhiman (rabhiman)" <ra...@cisco.com.INVALID>.
Hi Mark,

Thanks for your great help.

Raghav

From: Mark Thomas <ma...@apache.org>
Date: Friday, 8 July 2022 at 4:44 PM
To: users@tomcat.apache.org <us...@tomcat.apache.org>
Subject: Re: AW: SSL handshake failure logs required for auditing purpose
On 08/07/2022 11:36, Ragavendhiran Bhiman (rabhiman) wrote:
>
>
> That’s great, and thankful for your reply.
>
> Kindly look at my mail below for my doubts.
>
> And one more query: can we have the same jar updated for lower 9.0.x versions?

No. The Apache Tomcat project does not produce patches for older
versions. You are required to update to 9.0.65 or later.

> If that particular jar is updated, what is the jar?
>
> If a jar is not possible, what is the way we can get the solution for lower 9.0.x versions?

This is open source. You are free to try patching the code yourself.
Personally, I'd judge that higher overall risk than updating.

> Is this solution possible via syslog?

Yes, with a custom handler. e.g.:
http://rusv.github.io/agafua-syslog/

(I've never used it, just found it via StackOverflow)


> Thanks & Regards,
>
> Raghav
>
> From: Ragavendhiran Bhiman (rabhiman) <ra...@cisco.com>
> Date: Friday, 8 July 2022 at 7:33 AM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: AW: SSL handshake failure logs required for auditing purpose
> Thanks a lot for all your replies.
>
> This auditing is for Common Criteria certification. The OS we use is Red Hat Linux.
> As you know, Common Criteria requires these handshake failures to be redirected to a syslog server.
> Any attempt via tcpdump/Wireshark is not acceptable to the certification.
> So it needs to be only the syslogs.
> I think from 9.0.65 it should be easy.
> For the existing versions, yes, the log needs to be in syslog until it rotates.
> If it gives cipher details that’s good, but importantly it should give the IPs.
>
> Once again thanks a lot for your overwhelming responses. If I am able to close this today, that would be great.
>
> Also let me know: in 9.0.65, is there any detailed attempt made to log the SSL handshake, including the ciphers etc.?

You'll get the remote IP, remote port and whatever information is in the
exception.

https://github.com/apache/tomcat/blob/9.0.x/java/org/apache/tomcat/util/net/NioEndpoint.java#L1776

Mark

>
> Regards,
>
> Raghav
>
> From: Christopher Schultz <ch...@christopherschultz.net>
> Date: Friday, 8 July 2022 at 12:05 AM
> To: users@tomcat.apache.org <us...@tomcat.apache.org>
> Subject: Re: AW: SSL handshake failure logs required for auditing purpose
> Thomas,
>
> On 7/7/22 13:36, Thomas Hoffmann (Speed4Trade GmbH) wrote:
>>
>>
>>> -----Ursprüngliche Nachricht-----
>>> Von: Thomas Hoffmann (Speed4Trade GmbH)
>>> <Th...@speed4trade.com.INVALID>
>>> Gesendet: Donnerstag, 7. Juli 2022 19:23
>>> An: Tomcat Users List <us...@tomcat.apache.org>
>>> Betreff: AW: SSL handshake failure logs required for auditing purpose
>>>
>>> Hello Raghav,
>>>
>>>> -----Ursprüngliche Nachricht-----
>>>> Von: Ragavendhiran Bhiman (rabhiman) <ra...@cisco.com.INVALID>
>>>> Gesendet: Donnerstag, 7. Juli 2022 18:13
>>>> An: Tomcat Users List <us...@tomcat.apache.org>
>>>> Betreff: Re: SSL handshake failure logs required for auditing purpose
>>>>
> >>>> Version of Tomcat used: 9.0.x.
> >>>> Kindly help on the SSL logging for auditing purposes other than the -D
> >>>> javax.net option.
> >>>>
> >>>> From: Ragavendhiran Bhiman (rabhiman) <ra...@cisco.com.INVALID>
> >>>> Date: Thursday, 7 July 2022 at 9:41 PM
> >>>> To: users@tomcat.apache.org <us...@tomcat.apache.org>
> >>>> Subject: SSL handshake failure logs required for auditing purpose
> >>>> Hi All,
> >>>>
> >>>> I require your kind help in logging the SSL connection failure logs,
> >>>> including the IP, in Tomcat. Is there any best way to do it without
> >>>> performance impact, other than the -Djava.net debugs in the JDK? Is there any
> >>>> direct way from Tomcat? Or is there any way we can derive a class from the JSSE
> >>>> extension classes and add a HandShakeListener while using the
> >>>> connectors? All our SSL connections are going through connectors. So
> >>>> I kindly need your help on how to log those SSL connection auditing logs
> >>>> through the best method.
>>>> Thanks a lot in advance.
>>>>
>>>> Regards,
>>>> Raghav
>>>
>>> Which OS are you using?
>>> Can you use Wireshark or TCPDump for your purposes?
>>> If you are using Chrome or FF as Client, you can set the environment variable
>>> SSLKEYLOGFILE to write the current key to a file which Wireshark can take to
>>> decrypt the traffic.
>>>
>>> The handshake itself is not encrypted. If the handshake is enough, TCPDump
>>> or Wireshark are sufficient.
>>>
>>> Greetings,
>>> Thomas
>>>
>>
>> Short Addendum:
>> 1) Do you want to write the log permanently or just for an audit session?
>> 2) Which details do you want to log? Agreed cipher? Offered ciphers by the client? SNI-header? ...?
>> 3) What is the purpose of the logging?
>>       Insecure ciphers can be mitigated by server configuration.
>
> I think he wants to implement a poor-man's NIDS.
>
> Raghav, please be aware that any web browser that first attempts to use
> an SSLv3/TLSv1/TLSv1.3 handshake, fails, and retries with a
> TLSv1.2/similar handshake will cause massive numbers of false-positives
> in your logs.
>
> I would ask whoever is requesting this logging why they are looking at
> such failures. Handshake failures are not always indicative of some kind
> of intrusion attempt.
>
> -chris
>
>


Re: AW: SSL handshake failure logs required for auditing purpose

Posted by Mark Thomas <ma...@apache.org>.
On 08/07/2022 11:36, Ragavendhiran Bhiman (rabhiman) wrote:
> 
> 
> That’s great, and thankful for your reply.
> 
> Kindly look at my mail below for my doubts.
> 
> And one more query: can we have the same jar updated for lower 9.0.x versions?

No. The Apache Tomcat project does not produce patches for older 
versions. You are required to update to 9.0.65 or later.

> If that particular jar is updated, what is the jar?
> 
> If a jar is not possible, what is the way we can get the solution for lower 9.0.x versions?

This is open source. You are free to try patching the code yourself. 
Personally, I'd judge that higher overall risk than updating.

> Is this solution possible via syslog?

Yes, with a custom handler. e.g.:
http://rusv.github.io/agafua-syslog/

(I've never used it, just found it via StackOverflow)


> Thanks & Regards,
> 
> Raghav
> 
> From: Ragavendhiran Bhiman (rabhiman) <ra...@cisco.com>
> Date: Friday, 8 July 2022 at 7:33 AM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: AW: SSL handshake failure logs required for auditing purpose
> Thanks a lot for all your replies.
> 
> This auditing is for Common Criteria certification. The OS we use is Red Hat Linux.
> As you know, Common Criteria requires these handshake failures to be redirected to a syslog server.
> Any attempt via tcpdump/Wireshark is not acceptable to the certification.
> So it needs to be only the syslogs.
> I think from 9.0.65 it should be easy.
> For the existing versions, yes, the log needs to be in syslog until it rotates.
> If it gives cipher details that’s good, but importantly it should give the IPs.
> 
> Once again thanks a lot for your overwhelming responses. If I am able to close this today, that would be great.
> 
> Also let me know: in 9.0.65, is there any detailed attempt made to log the SSL handshake, including the ciphers etc.?

You'll get the remote IP, remote port and whatever information is in the 
exception.

https://github.com/apache/tomcat/blob/9.0.x/java/org/apache/tomcat/util/net/NioEndpoint.java#L1776

Mark

> 
> Regards,
> 
> Raghav
> 
> From: Christopher Schultz <ch...@christopherschultz.net>
> Date: Friday, 8 July 2022 at 12:05 AM
> To: users@tomcat.apache.org <us...@tomcat.apache.org>
> Subject: Re: AW: SSL handshake failure logs required for auditing purpose
> Thomas,
> 
> On 7/7/22 13:36, Thomas Hoffmann (Speed4Trade GmbH) wrote:
>>
>>
>>> -----Ursprüngliche Nachricht-----
>>> Von: Thomas Hoffmann (Speed4Trade GmbH)
>>> <Th...@speed4trade.com.INVALID>
>>> Gesendet: Donnerstag, 7. Juli 2022 19:23
>>> An: Tomcat Users List <us...@tomcat.apache.org>
>>> Betreff: AW: SSL handshake failure logs required for auditing purpose
>>>
>>> Hello Raghav,
>>>
>>>> -----Ursprüngliche Nachricht-----
>>>> Von: Ragavendhiran Bhiman (rabhiman) <ra...@cisco.com.INVALID>
>>>> Gesendet: Donnerstag, 7. Juli 2022 18:13
>>>> An: Tomcat Users List <us...@tomcat.apache.org>
>>>> Betreff: Re: SSL handshake failure logs required for auditing purpose
>>>>
> >>>> Version of Tomcat used: 9.0.x.
> >>>> Kindly help on the SSL logging for auditing purposes other than the -D
> >>>> javax.net option.
> >>>>
> >>>> From: Ragavendhiran Bhiman (rabhiman) <ra...@cisco.com.INVALID>
> >>>> Date: Thursday, 7 July 2022 at 9:41 PM
> >>>> To: users@tomcat.apache.org <us...@tomcat.apache.org>
> >>>> Subject: SSL handshake failure logs required for auditing purpose
> >>>> Hi All,
> >>>>
> >>>> I require your kind help in logging the SSL connection failure logs,
> >>>> including the IP, in Tomcat. Is there any best way to do it without
> >>>> performance impact, other than the -Djava.net debugs in the JDK? Is there any
> >>>> direct way from Tomcat? Or is there any way we can derive a class from the JSSE
> >>>> extension classes and add a HandShakeListener while using the
> >>>> connectors? All our SSL connections are going through connectors. So
> >>>> I kindly need your help on how to log those SSL connection auditing logs
> >>>> through the best method.
>>>> Thanks a lot in advance.
>>>>
>>>> Regards,
>>>> Raghav
>>>
>>> Which OS are you using?
>>> Can you use Wireshark or TCPDump for your purposes?
>>> If you are using Chrome or FF as Client, you can set the environment variable
>>> SSLKEYLOGFILE to write the current key to a file which Wireshark can take to
>>> decrypt the traffic.
>>>
>>> The handshake itself is not encrypted. If the handshake is enough, TCPDump
>>> or Wireshark are sufficient.
>>>
>>> Greetings,
>>> Thomas
>>>
>>
>> Short Addendum:
>> 1) Do you want to write the log permanently or just for an audit session?
>> 2) Which details do you want to log? Agreed cipher? Offered ciphers by the client? SNI-header? ...?
>> 3) What is the purpose of the logging?
>>       Insecure ciphers can be mitigated by server configuration.
> 
> I think he wants to implement a poor-man's NIDS.
> 
> Raghav, please be aware that any web browser that first attempts to use
> an SSLv3/TLSv1/TLSv1.3 handshake, fails, and retries with a
> TLSv1.2/similar handshake will cause massive numbers of false-positives
> in your logs.
> 
> I would ask whoever is requesting this logging why they are looking at
> such failures. Handshake failures are not always indicative of some kind
> of intrusion attempt.
> 
> -chris
> 
> 

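One way to put Mark's two answers together: the dedicated handshake-failure logger that 9.0.65 exposes is configured like any other JUL logger, and a custom handler carries it to syslog. The class below is an added example written for this thread; it is not Tomcat's own code and not the agafua-syslog library Mark linked. Assumptions that do not come from the thread: the package and class name example.audit.UdpSyslogHandler, the property keys it reads, the syslog host and port, and the logger name org.apache.tomcat.util.net.NioEndpoint.handshake, which is the name used in the NioEndpoint source Mark links to for the default NIO connector (other endpoints have their own) and should be confirmed against the version actually deployed.

```java
package example.audit; // hypothetical package, not part of Tomcat

import java.io.IOException;
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Arrays;
import java.util.logging.ErrorManager;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogManager;
import java.util.logging.LogRecord;
import java.util.logging.SimpleFormatter;

/** Added example: forwards java.util.logging records to a syslog receiver over UDP as RFC 5424 lines. */
public class UdpSyslogHandler extends Handler {

    private static final int FACILITY_AUTHPRIV = 10; // RFC 5424 facility 10: security/authorization messages
    private static final int MAX_DATAGRAM = 2048;    // plain UDP syslog: keep each event inside one datagram

    private final DatagramSocket socket;
    private final InetAddress target;
    private final int port;
    private final String hostname;
    private final String appName;

    public UdpSyslogHandler() throws IOException {
        // JUL convention: a handler reads its own settings as <class name>.<key> from logging.properties.
        LogManager lm = LogManager.getLogManager();
        String p = getClass().getName();
        target = InetAddress.getByName(prop(lm, p + ".host", "127.0.0.1"));
        port = Integer.parseInt(prop(lm, p + ".port", "514"));
        appName = prop(lm, p + ".appName", "tomcat");
        hostname = InetAddress.getLocalHost().getHostName();
        socket = new DatagramSocket();
        setLevel(Level.parse(prop(lm, p + ".level", "ALL")));
        setFormatter(new SimpleFormatter()); // used only for formatMessage(): {0}/{1} parameter substitution
    }

    private static String prop(LogManager lm, String key, String dflt) {
        String v = lm.getProperty(key);
        return v == null ? dflt : v.trim();
    }

    /** Map JUL levels onto RFC 5424 severities (0 = emergency ... 7 = debug). */
    static int severity(Level level) {
        int v = level.intValue();
        if (v >= Level.SEVERE.intValue()) return 3;  // error
        if (v >= Level.WARNING.intValue()) return 4; // warning
        if (v >= Level.INFO.intValue()) return 6;    // informational
        return 7;                                    // debug: FINE, FINER, FINEST
    }

    /** Build one RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG. */
    String toSyslog(LogRecord record) {
        int pri = FACILITY_AUTHPRIV * 8 + severity(record.getLevel());
        String ts = DateTimeFormatter.ISO_OFFSET_DATE_TIME.format(
                Instant.ofEpochMilli(record.getMillis()).atOffset(ZoneOffset.UTC));
        StringBuilder msg = new StringBuilder()
                .append(record.getLoggerName()).append(": ")
                .append(getFormatter().formatMessage(record)); // for the handshake logger: remote IP and port
        // Keep the attached exception's type and message, but not its stack trace, so the
        // line that carries the IP and port is not cut off by the datagram limit.
        Throwable t = record.getThrown();
        if (t != null) {
            msg.append(" [").append(t.getClass().getName()).append(": ").append(t.getMessage()).append(']');
        }
        return "<" + pri + ">1 " + ts + " " + hostname + " " + appName + " - - - "
                + msg.toString().replace('\n', ' ').replace('\r', ' ');
    }

    @Override
    public void publish(LogRecord record) {
        if (!isLoggable(record)) {
            return;
        }
        byte[] bytes = toSyslog(record).getBytes(StandardCharsets.UTF_8);
        if (bytes.length > MAX_DATAGRAM) {
            bytes = Arrays.copyOf(bytes, MAX_DATAGRAM); // truncate rather than drop the event
        }
        try {
            socket.send(new DatagramPacket(bytes, bytes.length, target, port));
        } catch (IOException e) {
            // Audit-transport trouble must never propagate into the connector thread.
            reportError("syslog send failed", e, ErrorManager.WRITE_FAILURE);
        }
    }

    @Override public void flush() { /* datagrams are sent immediately; nothing is buffered */ }

    @Override public void close() { socket.close(); }
}

/* conf/logging.properties additions (jar with this class placed in $CATALINA_HOME/lib).
 * The logger name is an assumption taken from the linked NioEndpoint source; confirm it,
 * and the level the endpoint logs at (FINE if it logs at debug), against your version.
 *
 *   handlers = <existing entries>, example.audit.UdpSyslogHandler
 *   example.audit.UdpSyslogHandler.host = 127.0.0.1
 *   example.audit.UdpSyslogHandler.port = 514
 *   example.audit.UdpSyslogHandler.level = FINE
 *
 *   org.apache.tomcat.util.net.NioEndpoint.handshake.level = FINE
 *   org.apache.tomcat.util.net.NioEndpoint.handshake.handlers = example.audit.UdpSyslogHandler
 *   org.apache.tomcat.util.net.NioEndpoint.handshake.useParentHandlers = false
 */
```

Plain UDP syslog is unauthenticated and lossy, so for a trail that has to satisfy an evaluator point the handler at the local rsyslog on 127.0.0.1 (as configured above) and let rsyslog forward to the central collector over TLS; that also keeps the network path and its retries out of the JVM. useParentHandlers = false stops the same events from also landing in catalina.out. When reading the output, keep Chris's point in mind: a client that retries with a different protocol version produces one failure line per attempt, so aggregate by remote address over a time window before treating the log as an alarm.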


Re: AW: SSL handshake failure logs required for auditing purpose

Posted by "Ragavendhiran Bhiman (rabhiman)" <ra...@cisco.com.INVALID>.
Hi Christopher and all,

Thanks for your great help.

Raghav

From: Christopher Schultz <ch...@christopherschultz.net>
Date: Friday, 8 July 2022 at 9:28 PM
To: users@tomcat.apache.org <us...@tomcat.apache.org>
Subject: Re: AW: SSL handshake failure logs required for auditing purpose
Raghav,

On 7/8/22 06:36, Ragavendhiran Bhiman (rabhiman) wrote:
> That’s great, and thankful for your reply.
>
> Kindly look at my mail below for my doubts.
>
> And one more query: can we have the same jar updated for lower 9.0.x versions?
>
> If that particular jar is updated, what is the jar?
>
> If a jar is not possible, what is the way we can get the solution for lower 9.0.x versions?
>
>
> Is this solution possible via syslog?

You can also get all of this using a network tap, sending it anywhere
you want. No need to modify any software or even trust that the software
is configured properly. Tomcat could be lying to you, and allowing
failed connections from apache.org to be silently ignored.

It just occurred to me that your request suggests that (your) Tomcat is
being used directly by clients on the public internet. This is obviously
a perfectly valid setup, but if I were running a publicly-accessible
web-based application (which I do for $work), I would put something
between the internet and my application to terminate TLS, perform
load-balancing, etc. for a number of reasons. Is there any reason not to
use another product that does *exactly* what you want, here?

FWIW, I'm not sure if AWS/Azure/Oracle, httpd, nginx, squid, haproxy,
etc. will report TLS handshake failures in a way that is acceptable to
you and your certification body, either. I was just wondering...

-chris

> From: Ragavendhiran Bhiman (rabhiman) <ra...@cisco.com>
> Date: Friday, 8 July 2022 at 7:33 AM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: AW: SSL handshake failure logs required for auditing purpose
> Thanks a lot for all your replies.
>
> This auditing is for Common Criteria certification. The OS we use is Red Hat Linux.
> As you know, Common Criteria requires these handshake failures to be redirected to a syslog server.
> Any attempt via tcpdump/Wireshark is not acceptable to the certification.
> So it needs to be only the syslogs.
> I think from 9.0.65 it should be easy.
> For the existing versions, yes, the log needs to be in syslog until it rotates.
> If it gives cipher details that’s good, but importantly it should give the IPs.
>
> Once again thanks a lot for your overwhelming responses. If I am able to close this today, that would be great.
>
> Also let me know: in 9.0.65, is there any detailed attempt made to log the SSL handshake, including the ciphers etc.?
>
> Regards,
>
> Raghav
>
> From: Christopher Schultz <ch...@christopherschultz.net>
> Date: Friday, 8 July 2022 at 12:05 AM
> To: users@tomcat.apache.org <us...@tomcat.apache.org>
> Subject: Re: AW: SSL handshake failure logs required for auditing purpose
> Thomas,
>
> On 7/7/22 13:36, Thomas Hoffmann (Speed4Trade GmbH) wrote:
>>
>>
>>> -----Ursprüngliche Nachricht-----
>>> Von: Thomas Hoffmann (Speed4Trade GmbH)
>>> <Th...@speed4trade.com.INVALID>
>>> Gesendet: Donnerstag, 7. Juli 2022 19:23
>>> An: Tomcat Users List <us...@tomcat.apache.org>
>>> Betreff: AW: SSL handshake failure logs required for auditing purpose
>>>
>>> Hello Raghav,
>>>
>>>> -----Ursprüngliche Nachricht-----
>>>> Von: Ragavendhiran Bhiman (rabhiman) <ra...@cisco.com.INVALID>
>>>> Gesendet: Donnerstag, 7. Juli 2022 18:13
>>>> An: Tomcat Users List <us...@tomcat.apache.org>
>>>> Betreff: Re: SSL handshake failure logs required for auditing purpose
>>>>
> >>>> Version of Tomcat used: 9.0.x.
> >>>> Kindly help on the SSL logging for auditing purposes other than the -D
> >>>> javax.net option.
> >>>>
> >>>> From: Ragavendhiran Bhiman (rabhiman) <ra...@cisco.com.INVALID>
> >>>> Date: Thursday, 7 July 2022 at 9:41 PM
> >>>> To: users@tomcat.apache.org <us...@tomcat.apache.org>
> >>>> Subject: SSL handshake failure logs required for auditing purpose
> >>>> Hi All,
> >>>>
> >>>> I require your kind help in logging the SSL connection failure logs,
> >>>> including the IP, in Tomcat. Is there any best way to do it without
> >>>> performance impact, other than the -Djava.net debugs in the JDK? Is there any
> >>>> direct way from Tomcat? Or is there any way we can derive a class from the JSSE
> >>>> extension classes and add a HandShakeListener while using the
> >>>> connectors? All our SSL connections are going through connectors. So
> >>>> I kindly need your help on how to log those SSL connection auditing logs
> >>>> through the best method.
>>>> Thanks a lot in advance.
>>>>
>>>> Regards,
>>>> Raghav
>>>
>>> Which OS are you using?
>>> Can you use Wireshark or TCPDump for your purposes?
>>> If you are using Chrome or FF as Client, you can set the environment variable
>>> SSLKEYLOGFILE to write the current key to a file which Wireshark can take to
>>> decrypt the traffic.
>>>
>>> The handshake itself is not encrypted. If the handshake is enough, TCPDump
>>> or Wireshark are sufficient.
>>>
>>> Greetings,
>>> Thomas
>>>
>>
>> Short Addendum:
>> 1) Do you want to write the log permanently or just for an audit session?
>> 2) Which details do you want to log? Agreed cipher? Offered ciphers by the client? SNI-header? ...?
>> 3) What is the purpose of the logging?
>>       Insecure ciphers can be mitigated by server configuration.
>
> I think he wants to implement a poor-man's NIDS.
>
> Raghav, please be aware that any web browser that first attempts to use
> an SSLv3/TLSv1/TLSv1.3 handshake, fails, and retries with a
> TLSv1.2/similar handshake will cause massive numbers of false-positives
> in your logs.
>
> I would ask whoever is requesting this logging why they are looking at
> such failures. Handshake failures are not always indicative of some kind
> of intrusion attempt.
>
> -chris
>
>


Re: AW: SSL handshake failure logs required for auditing purpose

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Raghav,

On 7/8/22 06:36, Ragavendhiran Bhiman (rabhiman) wrote:
> That’s great, and thankful for your reply.
> 
> Kindly look at my mail below for my doubts.
> 
> And one more query: can we have the same jar updated for lower 9.0.x versions?
> 
> If that particular jar is updated, what is the jar?
> 
> If a jar is not possible, what is the way we can get the solution for lower 9.0.x versions?
> 
> 
> Is this solution possible via syslog?

You can also get all of this using a network tap, sending it anywhere 
you want. No need to modify any software or even trust that the software 
is configured properly. Tomcat could be lying to you, and allowing 
failed connections from apache.org to be silently ignored.

It just occurred to me that your request suggests that (your) Tomcat is 
being used directly by clients on the public internet. This is obviously 
a perfectly valid setup, but if I were running a publicly-accessible 
web-based application (which I do for $work), I would put something 
between the internet and my application to terminate TLS, perform 
load-balancing, etc. for a number of reasons. Is there any reason not to 
use another product that does *exactly* what you want, here?

FWIW, I'm not sure if AWS/Azure/Oracle, httpd, nginx, squid, haproxy, 
etc. will report TLS handshake failures in a way that is acceptable to 
you and your certification body, either. I was just wondering...

-chris

> From: Ragavendhiran Bhiman (rabhiman) <ra...@cisco.com>
> Date: Friday, 8 July 2022 at 7:33 AM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: AW: SSL handshake failure logs required for auditing purpose
> Thanks a lot for all your replies.
> 
> This auditing is for Common Criteria certification. The OS we use is Red Hat Linux.
> As you know, Common Criteria requires these handshake failures to be redirected to a syslog server.
> Any attempt via tcpdump/Wireshark is not acceptable to the certification.
> So it needs to be only the syslogs.
> I think from 9.0.65 it should be easy.
> For the existing versions, yes, the log needs to be in syslog until it rotates.
> If it gives cipher details that’s good, but importantly it should give the IPs.
> 
> Once again thanks a lot for your overwhelming responses. If I am able to close this today, that would be great.
> 
> Also let me know: in 9.0.65, is there any detailed attempt made to log the SSL handshake, including the ciphers etc.?
> 
> Regards,
> 
> Raghav
> 
> From: Christopher Schultz <ch...@christopherschultz.net>
> Date: Friday, 8 July 2022 at 12:05 AM
> To: users@tomcat.apache.org <us...@tomcat.apache.org>
> Subject: Re: AW: SSL handshake failure logs required for auditing purpose
> Thomas,
> 
> On 7/7/22 13:36, Thomas Hoffmann (Speed4Trade GmbH) wrote:
>>
>>
>>> -----Ursprüngliche Nachricht-----
>>> Von: Thomas Hoffmann (Speed4Trade GmbH)
>>> <Th...@speed4trade.com.INVALID>
>>> Gesendet: Donnerstag, 7. Juli 2022 19:23
>>> An: Tomcat Users List <us...@tomcat.apache.org>
>>> Betreff: AW: SSL handshake failure logs required for auditing purpose
>>>
>>> Hello Raghav,
>>>
>>>> -----Ursprüngliche Nachricht-----
>>>> Von: Ragavendhiran Bhiman (rabhiman) <ra...@cisco.com.INVALID>
>>>> Gesendet: Donnerstag, 7. Juli 2022 18:13
>>>> An: Tomcat Users List <us...@tomcat.apache.org>
>>>> Betreff: Re: SSL handshake failure logs required for auditing purpose
>>>>
> >>>> Version of Tomcat used: 9.0.x.
> >>>> Kindly help on the SSL logging for auditing purposes other than the -D
> >>>> javax.net option.
> >>>>
> >>>> From: Ragavendhiran Bhiman (rabhiman) <ra...@cisco.com.INVALID>
> >>>> Date: Thursday, 7 July 2022 at 9:41 PM
> >>>> To: users@tomcat.apache.org <us...@tomcat.apache.org>
> >>>> Subject: SSL handshake failure logs required for auditing purpose
> >>>> Hi All,
> >>>>
> >>>> I require your kind help in logging the SSL connection failure logs,
> >>>> including the IP, in Tomcat. Is there any best way to do it without
> >>>> performance impact, other than the -Djava.net debugs in the JDK? Is there any
> >>>> direct way from Tomcat? Or is there any way we can derive a class from the JSSE
> >>>> extension classes and add a HandShakeListener while using the
> >>>> connectors? All our SSL connections are going through connectors. So
> >>>> I kindly need your help on how to log those SSL connection auditing logs
> >>>> through the best method.
>>>> Thanks a lot in advance.
>>>>
>>>> Regards,
>>>> Raghav
>>>
>>> Which OS are you using?
>>> Can you use Wireshark or TCPDump for your purposes?
>>> If you are using Chrome or FF as Client, you can set the environment variable
>>> SSLKEYLOGFILE to write the current key to a file which Wireshark can take to
>>> decrypt the traffic.
>>>
>>> The handshake itself is not encrypted. If the handshake is enough, TCPDump
>>> or Wireshark are sufficient.
>>>
>>> Greetings,
>>> Thomas
>>>
>>
>> Short Addendum:
>> 1) Do you want to write the log permanently or just for an audit session?
>> 2) Which details do you want to log? Agreed cipher? Offered ciphers by the client? SNI-header? ...?
>> 3) What is the purpose of the logging?
>>       Insecure ciphers can be mitigated by server configuration.
> 
> I think he wants to implement a poor-man's NIDS.
> 
> Raghav, please be aware that any web browser that first attempts to use
> an SSLv3/TLSv1/TLSv1.3 handshake, fails, and retries with a
> TLSv1.2/similar handshake will cause massive numbers of false-positives
> in your logs.
> 
> I would ask whoever is requesting this logging why they are looking at
> such failures. Handshake failures are not always indicative of some kind
> of intrusion attempt.
> 
> -chris
> 
> 



Re: AW: SSL handshake failure logs required for auditing purpose

Posted by "Ragavendhiran Bhiman (rabhiman)" <ra...@cisco.com.INVALID>.

That’s great, and thankful for your reply.

Kindly look at my mail below for my doubts.

And one more query: can we have the same jar updated for lower 9.0.x versions?

If that particular jar is updated, what is the jar?

If a jar is not possible, what is the way we can get the solution for lower 9.0.x versions?


Is this solution possible via syslog?

Thanks & Regards,

Raghav

From: Ragavendhiran Bhiman (rabhiman) <ra...@cisco.com>
Date: Friday, 8 July 2022 at 7:33 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: AW: SSL handshake failure logs required for auditing purpose
Thanks a lot for all your replies.

This auditing is for Common Criteria certification. The OS we use is Red Hat Linux.
As you know, Common Criteria requires these handshake failures to be redirected to a syslog server.
Any attempt via tcpdump/Wireshark is not acceptable to the certification.
So it needs to be only the syslogs.
I think from 9.0.65 it should be easy.
For the existing versions, yes, the log needs to be in syslog until it rotates.
If it gives cipher details that’s good, but importantly it should give the IPs.

Once again thanks a lot for your overwhelming responses. If I am able to close this today, that would be great.

Also let me know: in 9.0.65, is there any detailed attempt made to log the SSL handshake, including the ciphers etc.?

Regards,

Raghav

From: Christopher Schultz <ch...@christopherschultz.net>
Date: Friday, 8 July 2022 at 12:05 AM
To: users@tomcat.apache.org <us...@tomcat.apache.org>
Subject: Re: AW: SSL handshake failure logs required for auditing purpose
Thomas,

On 7/7/22 13:36, Thomas Hoffmann (Speed4Trade GmbH) wrote:
>
>
>> -----Original Message-----
>> From: Thomas Hoffmann (Speed4Trade GmbH)
>> <Th...@speed4trade.com.INVALID>
>> Sent: Thursday, 7 July 2022 19:23
>> To: Tomcat Users List <us...@tomcat.apache.org>
>> Subject: AW: SSL handshake failure logs required for auditing purpose
>>
>> Hello Raghav,
>>
>>> -----Original Message-----
>>> From: Ragavendhiran Bhiman (rabhiman) <ra...@cisco.com.INVALID>
>>> Sent: Thursday, 7 July 2022 18:13
>>> To: Tomcat Users List <us...@tomcat.apache.org>
>>> Subject: Re: SSL handshake failure logs required for auditing purpose
>>>
>>> Version of Tomcat used: 9.0.x.
>>> Kindly help on the SSL logging for auditing purposes other than the -D
>>> javax.net option.
>>>
>>> From: Ragavendhiran Bhiman (rabhiman) <ra...@cisco.com.INVALID>
>>> Date: Thursday, 7 July 2022 at 9:41 PM
>>> To: users@tomcat.apache.org <us...@tomcat.apache.org>
>>> Subject: SSL handshake failure logs required for auditing purpose
>>> Hi All,
>>>
>>> I require your kind help in logging the SSL connection failure logs,
>>> including the IP, in Tomcat. Is there any best way to do it without
>>> performance impact, other than the -Djava.net debugs in the JDK? Is there any
>>> direct way from Tomcat? Or is there any way we can derive a class from the JSSE
>>> extension classes and add a HandShakeListener while using the
>>> connectors? All our SSL connections are going through connectors. So
>>> I kindly need your help on how to log those SSL connection auditing logs
>>> through the best method.
>>> Thanks a lot in advance.
>>>
>>> Regards,
>>> Raghav
>>
>> Which OS are you using?
>> Can you use Wireshark or TCPDump for your purposes?
>> If you are using Chrome or FF as Client, you can set the environment variable
>> SSLKEYLOGFILE to write the current key to a file which Wireshark can take to
>> decrypt the traffic.
>>
>> The handshake itself is not encrypted. If the handshake is enough, TCPDump
>> or Wireshark are sufficient.
>>
>> Greetings,
>> Thomas
>>
>
> Short Addendum:
> 1) Do you want to write the log permanently or just for an audit session?
> 2) Which details do you want to log? Agreed cipher? Offered ciphers by the client? SNI-header? ...?
> 3) What is the purpose of the logging?
>      Insecure ciphers can be mitigated by server configuration.

I think he wants to implement a poor-mans NIDS.

Raghav, please be aware that any web browser that first attempts to use
a SSLv3/TLSv1/TLSv1.3 handshake, fails, and retries with a
TLSv1.2/similar handshake will cause massive numbers of false-positives
in your logs.

I would ask whoever is requesting this logging why they are looking at
such failures. Handshake failures are not always indicative of some kind
of intrusion attempt.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: AW: SSL handshake failure logs required for auditing purpose

Posted by "Ragavendhiran Bhiman (rabhiman)" <ra...@cisco.com.INVALID>.
Thanks a lot for all your replies.

This auditing is for Common Criteria certification. The OS we use is Red Hat Linux.
As you know, Common Criteria requires that these handshake failures be redirected to a syslog server.
Any attempt via tcpdump/Wireshark is not acceptable for the certification.
So it needs to be only the syslogs.
I think from 9.0.65 it should be easy.
For the existing versions, yes, the log needs to be in syslog until it rotates.
If it gives cipher details, that's good, but importantly it should give the IPs.

Once again, thanks a lot for your overwhelming responses. If I am able to close this today, that would be great.

Also, let me know whether in 9.0.65 any detailed attempt has been made to log the SSL handshake, including the ciphers etc.?

Regards,

Raghav


Re: AW: SSL handshake failure logs required for auditing purpose

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Thomas,

On 7/7/22 13:36, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> 
> Short Addendum:
> 1) Do you want to write the log permanently or just for an audit session?
> 2) Which details do you want to log? Agreed cipher? Offered ciphers by the client? SNI-header? ...?
> 3) What is the purpose of the logging?
>      Insecure ciphers can be mitigated by server configuration.

I think he wants to implement a poor-man's NIDS.

Raghav, please be aware that any web browser that first attempts to use
an SSLv3/TLSv1/TLSv1.3 handshake, fails, and retries with a
TLSv1.2/similar handshake will cause massive numbers of false-positives
in your logs.

I would ask whoever is requesting this logging why they are looking at
such failures. Handshake failures are not always indicative of some kind
of intrusion attempt.

-chris
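
A defender-side triage step that applies the retry caveat above before the failures are forwarded to the syslog destination Raghav needs: this is an added example, not code from the thread or from Tomcat. It assumes a constructed, space-separated event line format (timestamp, client IP, outcome, protocol, detail); the fields emitted by Tomcat's own handshake logger are not shown in this thread.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Tomcat output): one browser fails a TLSv1.3
# attempt and retries successfully with TLSv1.2 (the false-positive case from the
# thread), one client only ever fails, and one later failure with no retry.
SAMPLE_EVENTS = """\
2022-07-07T18:13:01Z 203.0.113.10 FAIL TLSv1.3 handshake_failure
2022-07-07T18:13:02Z 203.0.113.10 OK TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2022-07-07T18:13:05Z 198.51.100.7 FAIL TLSv1 handshake_failure
2022-07-07T18:13:09Z 198.51.100.7 FAIL TLSv1 handshake_failure
2022-07-07T18:14:30Z 203.0.113.10 FAIL TLSv1.3 handshake_failure
"""

def parse_events(text):
    """Parse 'timestamp ip outcome protocol detail' lines (assumed format)."""
    events = []
    for line in text.splitlines():
        ts, ip, outcome, proto, detail = line.split(" ", 4)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, outcome, proto, detail))
    return events

def triage(events, retry_window=timedelta(seconds=5)):
    """Split failures into (alerts, suppressed): a FAIL followed by an OK from the
    same client IP within retry_window is a protocol-fallback retry, not an alert."""
    successes = {}  # ip -> timestamps of successful handshakes
    for ts, ip, outcome, _, _ in events:
        if outcome == "OK":
            successes.setdefault(ip, []).append(ts)
    alerts, suppressed = [], []
    for ev in events:
        ts, ip, outcome, _, _ = ev
        if outcome != "FAIL":
            continue
        retried = any(ts <= ok <= ts + retry_window for ok in successes.get(ip, []))
        (suppressed if retried else alerts).append(ev)
    return alerts, suppressed

def to_syslog(ev, hostname="tomcat-host", app="tomcat"):
    """Render one alert as an RFC 5424 line: PRI 36 = facility auth (4) * 8 + warning (4)."""
    ts, ip, _, proto, detail = ev
    return (f"<36>1 {ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {hostname} {app} - TLS_HS_FAIL - "
            f"client={ip} proto={proto} reason={detail}")

if __name__ == "__main__":
    for alert in triage(parse_events(SAMPLE_EVENTS))[0]:
        print(to_syslog(alert))
```

The retry window is a tuning knob: too short and browser fallbacks still alert, too long and a real failing client that later succeeds is hidden.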


AW: SSL handshake failure logs required for auditing purpose

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.

Short Addendum:
1) Do you want to write the log permanently or just for an audit session?
2) Which details do you want to log? The agreed cipher? The ciphers offered by the client? The SNI header? ...?
3) What is the purpose of the logging?
   Insecure ciphers can be mitigated by server configuration.


AW: SSL handshake failure logs required for auditing purpose

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello Raghav,

Which OS are you using?
Can you use Wireshark or tcpdump for your purposes?
If you are using Chrome or FF as the client, you can set the environment variable SSLKEYLOGFILE
to write the current key to a file, which Wireshark can use to decrypt the traffic.

The handshake itself is not encrypted. If the handshake is enough, tcpdump or Wireshark are sufficient.

Greetings,
Thomas



Re: SSL handshake failure logs required for auditing purpose

Posted by "Ragavendhiran Bhiman (rabhiman)" <ra...@cisco.com.INVALID>.
Version of Tomcat used: 9.0.x.
Kindly help on the SSL logging for auditing purposes, other than the -D javax.net option.

From: Ragavendhiran Bhiman (rabhiman) <ra...@cisco.com.INVALID>
Date: Thursday, 7 July 2022 at 9:41 PM
To: users@tomcat.apache.org <us...@tomcat.apache.org>
Subject: SSL handshake failure logs required for auditing purpose
Hi All,

I require your kind help in logging the SSL connection failure logs, including the IP, in Tomcat. Is there any best way to do it without performance impact other than the -Djava.net debugs in the JDK? Is there any direct way from Tomcat? Or is there any way we can derive a class from the JSSE extension classes and add a HandshakeListener while using the connectors? All our SSL connections are going through connectors. So I kindly need your help on how to log those SSL connection auditing logs through the best method.
Thanks a lot in advance.

Regards,
Raghav