Posted to users@tomcat.apache.org by Daniel Morrison <de...@Hi-Tech-Solutions.com> on 2017/04/07 19:28:46 UTC

Tomcat 8.5.11 -Djava.net.debug=ssl not logging

Problem...
Tomcat 8.5 -Djava.net.debug=ssl not logging

Porting a REST interface from Glassfish 4 to Tomcat 8.5, works fine.
Glassfish -Djava.net.debug=ssl logs Cipher Suites to server.log.
On Tomcat 8.5 the java debug setting doesn't produce any SSL output in the
logs.

Why needed...
Older Glassfish server SSL supports some weak ciphers.
When clients cut over to the Tomcat server, many failed to support strict
ciphers.
We need to log failed client ciphers to support the clients' transition.

Comment...
Running Tomcat on production servers with correct SSL certs, no issues.
Docs say -Djava.net.debug=all/ssl(etc) flag should work.
ps -ef (below) shows the debug setting passed to java, and it looks correct.
I think I'm missing something in logging.properties to get the debug
output captured and passed to the log, but I can't figure out what is missing.
Is there a specific handler for the java debug output?

Versions...
Tomcat 8.5.11 (recently updated from 8.0.23)
uname -r... 3.10.0-514.10.2.el7.x86_64 (CentOS 7)
getenforce -> Permissive
java -version... java version "1.8.0_121" (Oracle flavor)

Original Connector...
<Connector executor="tomcatThreadPool"
           address="M.Y.I.P" port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="./conf/keystore.jks" keystorePass="MYPASS"
           keyAlias="MYALIAS"
           clientAuth="false"
           compression="on" compressionMinSize="2048"
           compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
           useServerCipherSuitesOrder="true" (etc)

Tried...
1.  put in setenv.sh... (shows after logging properties)
JAVA_OPTS="$JAVA_OPTS -Djava.net.debug=ssl"; export JAVA_OPTS

# ps -ef|grep java
/usr/bin/java 
-Djava.util.logging.config.file=/opt/apache-tomcat-8.5.11/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Duser.timezone=US/Eastern -Xms128m -Xmx1024m -server 
-Doracle.jdbc.autoCommitSpecCompliant=false -Djava.net.debug=ssl 
-Djdk.tls.ephemeralDHKeySize=2048 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources -classpath 
/opt/apache-tomcat-8.5.11/bin/bootstrap.jar:/opt/apache-tomcat-8.5.11/bin/tomcat-juli.jar 
-Dcatalina.base=/opt/apache-tomcat-8.5.11 
-Dcatalina.home=/opt/apache-tomcat-8.5.11 
-Djava.io.tmpdir=/opt/apache-tomcat-8.5.11/temp 
org.apache.catalina.startup.Bootstrap start

2. put in start script... (shows before logging properties)
LOGGING_CONFIG="-Djava.net.debug=ssl 
-Djava.util.logging.config.file=$CATALINA_BASE/conf/logging.properties"

# ps -ef|grep java
/usr/bin/java -Djava.net.debug=ssl 
-Djava.util.logging.config.file=/opt/apache-tomcat-8.5.11/conf/logging.properties 
-Djava.util.logging.manager=(etc...)

3. -Djava.net.debug=ssl both before AND after logging.config

4. server.xml...  (tried with and without)
       <Valve className="org.apache.catalina.valves.SSLValve" />

5. logging.properties - uncommented all properties, set to ALL (default 
file)

6. -Djava.net.debug=all - no difference

7. logging.properties - org.apache.catalina.session.level=ALL

8. reworked all Connectors to 9.0 specs...
<Connector address="M.Y.I.P" port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           maxThreads="150" SSLEnabled="true"
           defaultSSLHostConfigName="MYHOSTNAME" >
    <!-- honorCipherOrder, protocols and ciphers are attributes of SSLHostConfig;
         placed after the self-closing <Certificate/> they are ignored -->
    <SSLHostConfig hostName="MYHOSTNAME"
                   honorCipherOrder="true"
                   protocols="+TLSv1 +TLSv1.1 +TLSv1.2"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                            (etc)...
                            TLS_EMPTY_RENEGOTIATION_INFO_SCSV">
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="MYPASS"
                     certificateKeyAlias="MYALIAS"
                     type="RSA" />
    </SSLHostConfig>
</Connector>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 8.5.11 -Djava.net.debug=ssl not logging

Posted by Konstantin Kolinko <kn...@gmail.com>.
2017-04-07 22:28 GMT+03:00 Daniel Morrison <de...@hi-tech-solutions.com>:
> Problem...
> Tomcat 8.5 -Djava.net.debug=ssl not logging

1. Googling finds that it is "javax.net.debug", s/java/javax/

http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html

2. I wonder whether they are going to rename s/ssl/tls/ one day.

3. There is a diagnostic page in the Manager webapp.
On the main page of the Manager webapp scroll down -> "Diagnostics" section
-> button "Connector ciphers"

4. Test tools by Christopher Schultz - see archives of this mailing
list for discussions

https://wiki.apache.org/tomcat/tools/SSLTest.java
https://wiki.apache.org/tomcat/tools/SSLUtils.java



> Porting a REST interface from Glassfish 4 to Tomcat 8.5, works fine.
> Glassfish -Djava.net.debug=ssl logs Cipher Suites to server.log.
> On Tomcat 8.5 the java debug setting doesn't produce any SSL output in the
> logs.
>
> Why needed...
> Older Glassfish server SSL supports some weak ciphers.
> When clients cut over to the Tomcat server, many failed to support strict
> ciphers.
> We need to log failed client ciphers to support the clients' transition.
>
> Comment...
> Running Tomcat on production servers with correct SSL certs, no issues.
> Docs say -Djava.net.debug=all/ssl(etc) flag should work.
> ps -ef (below) shows the debug setting passed to java, and it looks correct.
> I think I'm missing something in logging.properties to get the debug
> output captured and passed to the log, but I can't figure out what is missing.
> Is there a specific handler for the java debug output?
>
> Versions...
> Tomcat 8.5.11 (recently updated from 8.0.23)
> uname -r... 3.10.0-514.10.2.el7.x86_64 (CentOS 7)
> getenforce -> Permissive
> java -version... java version "1.8.0_121" (Oracle flavor)
>
> Original Connector...
> <Connector executor="tomcatThreadPool"
>            address="M.Y.I.P" port="443"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            SSLEnabled="true" scheme="https" secure="true"
>            keystoreFile="./conf/keystore.jks" keystorePass="MYPASS"
>            keyAlias="MYALIAS"
>            clientAuth="false"
>            compression="on" compressionMinSize="2048"
> compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
>            useServerCipherSuitesOrder="true" (etc)

5. Personally, I do not recommend enabling compression for dynamic
data on HTTPS connectors:
https://en.wikipedia.org/wiki/BREACH

One possible solution is to precompress static files and let
DefaultServlet serve them. See "precompressed" option at
http://tomcat.apache.org/tomcat-8.5-doc/default-servlet.html

Best regards,
Konstantin Kolinko
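For the original poster's need to log which ciphers failing clients offered, and as a companion to the test tools mentioned in point 4, here is an added example (not from this thread, not Tomcat's or JSSE's code) in Python: it parses the cipher list out of a constructed ClientHello and applies the honorCipherOrder / useServerCipherSuitesOrder selection rule against a strict server list shaped like the connector's ciphers attribute, producing the kind of log line the poster wants. The server list, the client ClientHello bytes and the code-to-name table are all constructed for the demo, and negotiate() models the selection rule rather than calling JSSE.

```python
import struct
# IANA cipher-suite code -> JSSE name (a subset that covers the demo)
SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",  # signalling value, never selected
}
STRICT_SERVER = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",  # constructed strict list, in
                 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"]

def build_client_hello(codes):
    """Constructed TLS 1.2 ClientHello record without extensions (test input only)."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"              # version, random, empty session id
    body += struct.pack("!H", 2 * len(codes)) + b"".join(struct.pack("!H", c) for c in codes)
    body += b"\x01\x00"                                       # compression methods: null only
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body    # type=client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record: handshake, legacy version

def client_hello_cipher_suites(record):
    """Cipher suites a ClientHello offers, in the client's preference order."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32              # record header, handshake header, version, random
    pos += 1 + record[pos]            # session id length byte plus session id
    n = struct.unpack("!H", record[pos:pos + 2])[0]
    codes = struct.unpack("!%dH" % (n // 2), record[pos + 2:pos + 2 + n])
    return [SUITES.get(c, "UNKNOWN_0x%04X" % c) for c in codes]

def negotiate(server, client, honor_server_order=True):
    """Suite selected from the two lists, or None when no real suite is shared."""
    first, second = (server, client) if honor_server_order else (client, server)
    return next((c for c in first if c in second and not c.endswith("_SCSV")), None)

def handshake_log_line(server, record):
    """One log line per handshake: outcome plus exactly what the client offered."""
    offered = client_hello_cipher_suites(record)
    chosen = negotiate(server, offered)
    outcome = "selected %s" % chosen if chosen else "HANDSHAKE FAILURE (no shared cipher)"
    return "%s; client offered: %s" % (outcome, ", ".join(offered))

if __name__ == "__main__":
    legacy = build_client_hello([0x0005, 0x000A, 0x002F, 0x00FF])   # old client, weak suites
    modern = build_client_hello([0xC013, 0xC02F, 0xC030, 0x00FF])   # current client
    for rec in (legacy, modern): print(handshake_log_line(STRICT_SERVER, rec))
```

Running it prints one failure line for the legacy client (the situation the poster is trying to diagnose) and one "selected" line for the modern client.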
