Posted to users@tomcat.apache.org by Daniel Morrison <de...@Hi-Tech-Solutions.com> on 2017/04/07 19:28:46 UTC
Tomcat 8.5.11 -Djava.net.debug=ssl not logging
Problem...
Tomcat 8.5 -Djava.net.debug=ssl not logging
Porting a REST interface from Glassfish 4 to Tomcat 8.5, works fine.
Glassfish -Djava.net.debug=ssl logs Cipher Suites to server.log.
With Tomcat 8.5 the java debug setting doesn't produce any SSL output in the
logs.
Why needed...
Older Glassfish server SSL supports some weak ciphers.
When clients cut over to the Tomcat server, many failed to support strict
ciphers.
We need to log failed client ciphers to support the clients' transition.
Comment...
Running Tomcat on production servers with correct SSL certs, no issues.
Docs say -Djava.net.debug=all/ssl(etc) flag should work.
ps -ef (below) shows the debug setting passed to java, and it looks correct.
I think I'm missing something in logging.properties to get the debug
output captured and passed to the log, but I can't figure out what is missing.
Is there a specific handler for the java debug output?
Versions...
Tomcat 8.5.11 (recently updated from 8.0.23)
uname -r... 3.10.0-514.10.2.el7.x86_64 (Centos 7)
getenforce -> Permissive
java -version... java version "1.8.0_121" (Oracle flavor)
Original Connector...
<Connector executor="tomcatThreadPool"
address="M.Y.I.P" port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true" scheme="https" secure="true"
keystoreFile="./conf/keystore.jks" keystorePass="MYPASS"
keyAlias="MYALIAS"
clientAuth="false"
compression="on" compressionMinSize="2048"
compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
useServerCipherSuitesOrder="true" (etc)
Tried...
1. put in setenv.sh... (shows after logging properties)
JAVA_OPTS="$JAVA_OPTS -Djava.net.debug=ssl"; export JAVA_OPTS
# ps -ef|grep java
/usr/bin/java
-Djava.util.logging.config.file=/opt/apache-tomcat-8.5.11/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Duser.timezone=US/Eastern -Xms128m -Xmx1024m -server
-Doracle.jdbc.autoCommitSpecCompliant=false -Djava.net.debug=ssl
-Djdk.tls.ephemeralDHKeySize=2048
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources -classpath
/opt/apache-tomcat-8.5.11/bin/bootstrap.jar:/opt/apache-tomcat-8.5.11/bin/tomcat-juli.jar
-Dcatalina.base=/opt/apache-tomcat-8.5.11
-Dcatalina.home=/opt/apache-tomcat-8.5.11
-Djava.io.tmpdir=/opt/apache-tomcat-8.5.11/temp
org.apache.catalina.startup.Bootstrap start
2. put in start script... (shows before logging properties)
LOGGING_CONFIG="-Djava.net.debug=ssl
-Djava.util.logging.config.file=$CATALINA_BASE/conf/logging.properties"
# ps -ef|grep java
/usr/bin/java -Djava.net.debug=ssl
-Djava.util.logging.config.file=/opt/apache-tomcat-8.5.11/conf/logging.properties
-Djava.util.logging.manager=(etc...)
3. -Djava.net.debug=ssl both before AND after logging.config
4. server.xml... (tried with and without)
<Valve className="org.apache.catalina.valves.SSLValve" />
5. logging.properties - uncommented all properties, set to ALL (default
file)
6. -Djava.net.debug=all - no difference
7. logging.properties - org.apache.catalina.session.level=ALL
8. reworked all Connectors to 9.0 specs...
<Connector address="M.Y.I.P" port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           maxThreads="150" SSLEnabled="true"
           defaultSSLHostConfigName="MYHOSTNAME" >
    <SSLHostConfig hostName="MYHOSTNAME"
                   honorCipherOrder="true"
                   protocols="+TLSv1 +TLSv1.1 +TLSv1.2"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                            (etc)...
                            TLS_EMPTY_RENEGOTIATION_INFO_SCSVF">
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="MYPASS"
                     certificateKeyAlias="MYALIAS"
                     type="RSA" />
    </SSLHostConfig>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat 8.5.11 -Djava.net.debug=ssl not logging
Posted by Konstantin Kolinko <kn...@gmail.com>.
2017-04-07 22:28 GMT+03:00 Daniel Morrison <de...@hi-tech-solutions.com>:
> Problem...
> Tomcat 8.5 -Djava.net.debug=ssl not logging
1. Googling finds that it is "javax.net.debug", s/java/javax/
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
2. I wonder whether they are going to rename s/ssl/tls/ one day.
3. There is a diagnostic page in the Manager webapp.
On the main page of the Manager webapp scroll down -> "Diagnostics" section
-> button "Connector ciphers"
4. Test tools by Christopher Schultz - see archives of this mailing
list for discussions
https://wiki.apache.org/tomcat/tools/SSLTest.java
https://wiki.apache.org/tomcat/tools/SSLUtils.java
> Porting a REST interface from Glassfish 4 to Tomcat 8.5, works fine.
> Glassfish -Djava.net.debug=ssl logs Cipher Suites to server.log.
> Tomcat 8.5 the java debug setting doesn't produce any SSL output in the
> logs.
>
> Why needed...
> Older Glassfish server SSL supports some weak ciphers.
> When clients cutover to Tomcat server, many failed to support strict
> ciphers.
> We need to log failed client ciphers to support clients transition.
>
> Comment...
> Running Tomcat on production servers with correct SSL certs, no issues.
> Docs say -Djava.net.debug=all/ssl(etc) flag should work.
> ps -ef (below) see debug setting passed to java and looks correct.
> I think I'm missing something in the logging.properties to get the debug
> output captured and passed to log - but I can't figure out what is missing?
> Is there a specific handler for the java debug output?
>
> Versions...
> Tomcat 8.5.11 (recently updated from 8.0.23)
> uname -r... 3.10.0-514.10.2.el7.x86_64 (Centos 7)
> getenforce -> Permissive
> java -version... java version "1.8.0_121" (Oracle flavor)
>
> Original Connector...
> <Connector executor="tomcatThreadPool"
> address="M.Y.I.P" port="443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> SSLEnabled="true" scheme="https" secure="true"
> keystoreFile="./conf/keystore.jks" keystorePass="MYPASS"
> keyAlias="MYALIAS"
> clientAuth="false"
> compression="on" compressionMinSize="2048"
> compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
> useServerCipherSuitesOrder="true" (etc)
5. Personally, I do not recommend enabling compression for dynamic
data on HTTPS connectors
https://en.wikipedia.org/wiki/BREACH
One possible solution is to precompress static files and let
DefaultServlet serve them. See "precompressed" option at
http://tomcat.apache.org/tomcat-8.5-doc/default-servlet.html
Best regards,
Konstantin Kolinko
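A shell check for the two pitfalls in this reply (the javax.net.debug property name in point 1 and compression on an HTTPS connector in point 5), added here as an example and not code from the thread; the sample command line and connector are constructed from the original post, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: two checks for the points in
# this reply. The JSSE property is javax.net.debug; the misspelled
# java.net.debug is silently ignored by the JVM, so no SSL output ever
# appears. And compression="on" on an SSLEnabled connector exposes dynamic
# responses to BREACH (point 5).

# Constructed sample: the JVM command line from the original post, shortened.
SAMPLE_CMDLINE='/usr/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-8.5.11/conf/logging.properties -Djava.net.debug=ssl -Djdk.tls.ephemeralDHKeySize=2048 org.apache.catalina.startup.Bootstrap start'

# Constructed sample: the original <Connector> from the post, on one line.
SAMPLE_CONNECTOR='<Connector address="M.Y.I.P" port="443" SSLEnabled="true" scheme="https" secure="true" compression="on" compressionMinSize="2048" useServerCipherSuitesOrder="true"/>'

# jvm_prop CMDLINE NAME: print the value of -DNAME=value, or nothing if unset.
jvm_prop() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  printf '%s\n' "$1" | sed -n "s/.*-D$esc=\([^ ]*\).*/\1/p"
}

# check_jsse_debug CMDLINE: 0 if javax.net.debug is set, 1 if only the
# misspelled java.net.debug is set, 2 if neither.
check_jsse_debug() {
  [ -n "$(jvm_prop "$1" javax.net.debug)" ] && return 0
  [ -n "$(jvm_prop "$1" java.net.debug)" ] && return 1
  return 2
}

# check_breach CONNECTOR: 0 if the connector is SSL-enabled with response
# compression on, 1 otherwise.
check_breach() {
  case "$1" in *'SSLEnabled="true"'*) ;; *) return 1 ;; esac
  case "$1" in
    *'compression="on"'*|*'compression="force"'*) return 0 ;;
    *) return 1 ;;
  esac
}

# setenv_line: the setenv.sh line that enables handshake-level JSSE debugging.
# JSSE writes it to stdout, so it lands in catalina.out, not in a JULI log file.
setenv_line() {
  printf '%s\n' 'JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=ssl:handshake"; export JAVA_OPTS'
}

check_jsse_debug "$SAMPLE_CMDLINE" || echo "javax.net.debug not set (rc=$?); add to setenv.sh: $(setenv_line)"
check_breach "$SAMPLE_CONNECTOR" && echo "warning: compression enabled on an HTTPS connector (BREACH risk)"
```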