Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/06/13 16:07:52 UTC

[tomcat] branch 9.0.x updated: Provide a dedicated logger for TLS handshake failures

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new bbaa645028 Provide a dedicated logger for TLS handshake failures
bbaa645028 is described below

commit bbaa64502884c4fdded3e343e0f471cd56117379
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Jun 13 17:07:23 2022 +0100

    Provide a dedicated logger for TLS handshake failures
---
 java/org/apache/tomcat/util/net/LocalStrings.properties       | 3 +--
 java/org/apache/tomcat/util/net/LocalStrings_fr.properties    | 1 -
 java/org/apache/tomcat/util/net/LocalStrings_ja.properties    | 1 -
 java/org/apache/tomcat/util/net/LocalStrings_ko.properties    | 1 -
 java/org/apache/tomcat/util/net/LocalStrings_zh_CN.properties | 1 -
 java/org/apache/tomcat/util/net/Nio2Endpoint.java             | 6 ++++--
 java/org/apache/tomcat/util/net/NioEndpoint.java              | 6 ++++--
 java/org/apache/tomcat/util/net/SecureNio2Channel.java        | 4 +---
 java/org/apache/tomcat/util/net/SecureNioChannel.java         | 4 +---
 webapps/docs/changelog.xml                                    | 9 +++++++++
 webapps/docs/ssl-howto.xml                                    | 5 +++++
 11 files changed, 25 insertions(+), 16 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties b/java/org/apache/tomcat/util/net/LocalStrings.properties
index ec95a7f8c2..b184b922fa 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -41,7 +41,6 @@ channel.nio.ssl.unexpectedStatusDuringUnwrap=Unexpected status [{0}] during hand
 channel.nio.ssl.unexpectedStatusDuringWrap=Unexpected status [{0}] during handshake WRAP.
 channel.nio.ssl.unwrapFail=Unable to unwrap data, invalid status [{0}]
 channel.nio.ssl.unwrapFailResize=Unable to unwrap data because buffer is too small, invalid status [{0}]
-channel.nio.ssl.wrapException=Handshake failed during wrap
 channel.nio.ssl.wrapFail=Unable to wrap data, invalid status [{0}]
 
 endpoint.accept.fail=Socket accept failed
@@ -83,7 +82,7 @@ endpoint.err.accept=Failed to accept socket for end point [{0}]
 endpoint.err.attach=Failed to attach SSLContext to socket - error [{0}]
 endpoint.err.close=Caught exception trying to close socket
 endpoint.err.duplicateAccept=Duplicate socket accept detected. This is a known Linux kernel bug. The original connection has been processed normally and the duplicate has been ignored. The client should be unaffected. Updating the OS to a version that uses kernel 5.10 or later should fix the duplicate accept bug.
-endpoint.err.handshake=Handshake failed
+endpoint.err.handshake=Handshake failed for client connection from IP address [{0}] and port [{1}]
 endpoint.err.unexpected=Unexpected error processing socket
 endpoint.executor.fail=Executor rejected socket [{0}] for processing
 endpoint.getAttribute=[{0}] is [{1}]
diff --git a/java/org/apache/tomcat/util/net/LocalStrings_fr.properties b/java/org/apache/tomcat/util/net/LocalStrings_fr.properties
index 6d66394291..7adddcb8dc 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings_fr.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings_fr.properties
@@ -41,7 +41,6 @@ channel.nio.ssl.unexpectedStatusDuringUnwrap=Statut inattendu [{0}] lors de l''U
 channel.nio.ssl.unexpectedStatusDuringWrap=Statut inattendu [{0}] lors du WRAP de la négociation
 channel.nio.ssl.unwrapFail=Incapable de désenrober les données ("unwrap data"), statut invalide [{0}]
 channel.nio.ssl.unwrapFailResize=Impossible de faire l''unwrap des données parce que le tampon est trop petit, statut invalide [{0}]
-channel.nio.ssl.wrapException=La négociation a échouée pendant le wrap
 channel.nio.ssl.wrapFail=Impossible d''enrober (wrap) les données, le status est invalide [{0}]
 
 endpoint.accept.fail=Aucun socket n'a pu être accepté
diff --git a/java/org/apache/tomcat/util/net/LocalStrings_ja.properties b/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
index fe3d6b12ae..0d475595d4 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
@@ -41,7 +41,6 @@ channel.nio.ssl.unexpectedStatusDuringUnwrap=UNWRAPハンドシェイク中に
 channel.nio.ssl.unexpectedStatusDuringWrap=ハンドシェイクWRAP中に予期しないステータス [{0}] が発生しました。
 channel.nio.ssl.unwrapFail=データをアンラップできません、無効なステータス [{0}]
 channel.nio.ssl.unwrapFailResize=バッファが小さすぎるためデータをアンラップできません。無効なステータス [{0}]
-channel.nio.ssl.wrapException=ラップ中にハンドシェイクに失敗しました
 channel.nio.ssl.wrapFail=データをラップできません。無効なステータス [{0}]
 
 endpoint.accept.fail=ソケット受け付け失敗
diff --git a/java/org/apache/tomcat/util/net/LocalStrings_ko.properties b/java/org/apache/tomcat/util/net/LocalStrings_ko.properties
index 16589df848..b874586e61 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings_ko.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings_ko.properties
@@ -41,7 +41,6 @@ channel.nio.ssl.unexpectedStatusDuringUnwrap=Handshake UNWRAP 처리 중 예기
 channel.nio.ssl.unexpectedStatusDuringWrap=WRAP을 위해 handshake 수행 중 예기치 않은 상태 [{0}]입니다.
 channel.nio.ssl.unwrapFail=데이터를 unwrap할 수 없습니다. 유효하지 상태: [{0}]
 channel.nio.ssl.unwrapFailResize=버퍼가 너무 작아서 데이터를 unwrap할 수 없습니다. 유효하지 않은 상태 [{0}]
-channel.nio.ssl.wrapException=Wrap하는 중 handshake가 실패했습니다.
 channel.nio.ssl.wrapFail=데이터를 wrap할 수 없습니다. 유효하지 않은 상태 [{0}]
 
 endpoint.accept.fail=소켓 accept 실패
diff --git a/java/org/apache/tomcat/util/net/LocalStrings_zh_CN.properties b/java/org/apache/tomcat/util/net/LocalStrings_zh_CN.properties
index 486dcc70f7..6ea4bbf4bb 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings_zh_CN.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings_zh_CN.properties
@@ -41,7 +41,6 @@ channel.nio.ssl.unexpectedStatusDuringUnwrap=握手展开期间出现意外状
 channel.nio.ssl.unexpectedStatusDuringWrap=握手WRAP期间出现意外状态[{0}]。
 channel.nio.ssl.unwrapFail=无法解包数据,无效状态 [{0}]
 channel.nio.ssl.unwrapFailResize=由于缓冲区太小无法解包数据,无效状态 [{0}]
-channel.nio.ssl.wrapException=包装期间握手失败
 channel.nio.ssl.wrapFail=无法包装数据,状态无效[{0}]
 
 endpoint.accept.fail=套接字接受失败
diff --git a/java/org/apache/tomcat/util/net/Nio2Endpoint.java b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
index 49ee411016..5386b6e0bd 100644
--- a/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+++ b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
@@ -59,6 +59,7 @@ public class Nio2Endpoint extends AbstractJsseEndpoint<Nio2Channel,AsynchronousS
 
 
     private static final Log log = LogFactory.getLog(Nio2Endpoint.class);
+    private static final Log logHandshake = LogFactory.getLog(Nio2Endpoint.class.getName() + ".handshake");
 
 
     // ----------------------------------------------------------------- Fields
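Review bot: The logger created here is named `org.apache.tomcat.util.net.Nio2Endpoint.handshake`, but the ssl-howto and changelog entries in this same commit only name `org.apache.tomcat.util.net.NioEndpoint.handshake`, so an operator running the NIO2 connector who follows the documentation will enable a logger this class never writes to and see nothing. A field comment would at least make the key discoverable from the code: `// Dedicated category for TLS handshake failures; enable with org.apache.tomcat.util.net.Nio2Endpoint.handshake.level=FINE in logging.properties`. Listing this logger name in ssl-howto.xml next to the NioEndpoint one would close the gap.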
@@ -1688,8 +1689,9 @@ public class Nio2Endpoint extends AbstractJsseEndpoint<Nio2Channel,AsynchronousS
                     }
                 } catch (IOException x) {
                     handshake = -1;
-                    if (log.isDebugEnabled()) {
-                        log.debug(sm.getString("endpoint.err.handshake"), x);
+                    if (logHandshake.isDebugEnabled()) {
+                        logHandshake.debug(sm.getString("endpoint.err.handshake",
+                                socketWrapper.getRemoteAddr(), Integer.toString(socketWrapper.getRemotePort())), x);
                     }
                 }
                 if (handshake == 0) {
diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
index a43d8ebda8..bd637311a9 100644
--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
+++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
@@ -83,6 +83,7 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel,SocketChannel>
 
 
     private static final Log log = LogFactory.getLog(NioEndpoint.class);
+    private static final Log logHandshake = LogFactory.getLog(NioEndpoint.class.getName() + ".handshake");
 
 
     public static final int OP_REGISTER = 0x100; //register interest op
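Review bot: The new `logHandshake` field carries no comment explaining why it is separate from `log`, which is the point of the change: handshake failures are frequent and entirely client-triggered, so a dedicated category lets an operator capture the failing client address without turning on debug output for the whole endpoint. Suggested comment above the field: `// Separate category so TLS handshake failures (frequent, client-triggered) can be enabled at FINE without debug logging for the entire endpoint; key is org.apache.tomcat.util.net.NioEndpoint.handshake`.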
@@ -1772,8 +1773,9 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel,SocketChannel>
                     }
                 } catch (IOException x) {
                     handshake = -1;
-                    if (log.isDebugEnabled()) {
-                        log.debug(sm.getString("endpoint.err.handshake"),x);
+                    if (logHandshake.isDebugEnabled()) {
+                        logHandshake.debug(sm.getString("endpoint.err.handshake",
+                                socketWrapper.getRemoteAddr(), Integer.toString(socketWrapper.getRemotePort())), x);
                     }
                 } catch (CancelledKeyException ckx) {
                     handshake = -1;
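Review bot: `socketWrapper.getRemoteAddr()` is evaluated only after the handshake has already failed, and if the peer has closed the channel by then the wrapper presumably can no longer resolve the address, in which case the message would read `IP address [null] and port [-1]` for precisely the connections an operator most wants to identify; worth confirming what the wrapper returns for a closed socket and, if it is null, reading the address before the handshake is attempted. Note also that the entry stays at debug level, so the failing client address never appears at INFO or WARN; if this logger is intended as a detection source for TLS probing or rejected client certificates, a comment here saying that the category must be set to FINE would save the next reader a trip to the docs. The enclosing method starts before this hunk.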
diff --git a/java/org/apache/tomcat/util/net/SecureNio2Channel.java b/java/org/apache/tomcat/util/net/SecureNio2Channel.java
index f0e4bb7636..0016b01bb4 100644
--- a/java/org/apache/tomcat/util/net/SecureNio2Channel.java
+++ b/java/org/apache/tomcat/util/net/SecureNio2Channel.java
@@ -283,10 +283,8 @@ public class SecureNio2Channel extends Nio2Channel  {
                     try {
                         handshake = handshakeWrap();
                     } catch (SSLException e) {
-                        if (log.isDebugEnabled()) {
-                            log.debug(sm.getString("channel.nio.ssl.wrapException"), e);
-                        }
                         handshake = handshakeWrap();
+                        throw e;
                     }
                     if (handshake.getStatus() == Status.OK) {
                         if (handshakeStatus == HandshakeStatus.NEED_TASK) {
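Review bot: In the `catch (SSLException e)` branch the second `handshakeWrap()` can itself throw `SSLException`, and when it does that second exception propagates instead of `e`, so the original cause of the handshake failure never reaches the endpoint's new handshake logger; the assignment to `handshake` is also dead because `throw e` follows unconditionally. If the retry is there to emit the TLS alert for the peer (the code does not say), that intent should be documented and a failure of the retry attached to the original exception as suppressed rather than replacing it. The enclosing handshake method starts and ends outside this hunk.
```java
                    } catch (SSLException e) {
                        // Retry the wrap — presumably so the alert generated for this
                        // failure reaches the peer (confirm) — then surface the original
                        // failure; a failed retry must not hide it.
                        try {
                            handshakeWrap();
                        } catch (SSLException alertFailure) {
                            e.addSuppressed(alertFailure);
                        }
                        throw e;
                    }
```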
diff --git a/java/org/apache/tomcat/util/net/SecureNioChannel.java b/java/org/apache/tomcat/util/net/SecureNioChannel.java
index 6e08db9d91..4b49792fce 100644
--- a/java/org/apache/tomcat/util/net/SecureNioChannel.java
+++ b/java/org/apache/tomcat/util/net/SecureNioChannel.java
@@ -189,10 +189,8 @@ public class SecureNioChannel extends NioChannel {
                     try {
                         handshake = handshakeWrap(write);
                     } catch (SSLException e) {
-                        if (log.isDebugEnabled()) {
-                            log.debug(sm.getString("channel.nio.ssl.wrapException"), e);
-                        }
                         handshake = handshakeWrap(write);
+                        throw e;
                     }
                     if (handshake.getStatus() == Status.OK) {
                         if (handshakeStatus == HandshakeStatus.NEED_TASK) {
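Review bot: As in the NIO2 channel, the second `handshakeWrap(write)` inside `catch (SSLException e)` can throw `SSLException` itself, and then that later exception propagates in place of `e`, so the real reason the handshake failed is lost before it reaches the endpoint's handshake logger; the `handshake =` assignment is also dead since `throw e` always follows. Documenting why the wrap is retried and attaching a retry failure to `e` via `addSuppressed` keeps the original diagnostic. The enclosing handshake method starts and ends outside this hunk.
```java
                    } catch (SSLException e) {
                        // Retry the wrap — presumably so the alert generated for this
                        // failure reaches the peer (confirm) — then surface the original
                        // failure; a failed retry must not hide it.
                        try {
                            handshakeWrap(write);
                        } catch (SSLException alertFailure) {
                            e.addSuppressed(alertFailure);
                        }
                        throw e;
                    }
```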
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 411f7cbc37..a7e484b690 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -114,6 +114,15 @@
       </fix>
     </changelog>
   </subsection>
+  <subsection name="Coyote">
+    <changelog>
+      <add>
+        Provide a dedicated logger
+        (<code>org.apache.tomcat.util.net.NioEndpoint.handshake</code>) for TLS
+        handshake failures. (markt)
+      </add>
+    </changelog>
+  </subsection>
   <subsection name="Jasper">
     <changelog>
       <add>
diff --git a/webapps/docs/ssl-howto.xml b/webapps/docs/ssl-howto.xml
index 62bef32a85..dd357d9e53 100644
--- a/webapps/docs/ssl-howto.xml
+++ b/webapps/docs/ssl-howto.xml
@@ -565,6 +565,11 @@ for more information about installation of APR. A basic OCSP-enabled connector
 
 <section name="Troubleshooting">
 
+<p>Additional information may be obtained about TLS handshake failures by
+configuring the dedicated TLS handshake logger to log debug level messages by
+adding the following to <code>$CATALINA_BASE/conf/logging.properties</code>:</p>
+<source>org.apache.tomcat.util.net.NioEndpoint.handshake.level=FINE</source>
+
 <p>Here is a list of common problems that you may encounter when setting up
 SSL communications, and what to do about them.</p>
 

