You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by jo...@wellsfargo.com.INVALID on 2023/01/06 18:52:25 UTC
Basic SSL Certificate Usage logging
Good afternoon and Happy New Year,
I know about the SSL debug logging, however, I'm checking to see if there is any out-of-the-box option to capture in a log which SSL certificate and trust keystore is being used during startup?
Thanks,
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
RE: Basic SSL Certificate Usage logging
Posted by jo...@wellsfargo.com.INVALID.
:-) Christopher,
This is where my not being a developer really shines out. :-)
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Tuesday, January 10, 2023 4:27 PM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
>
> Jon,
>
> On 1/10/23 13:37, jonmcalexander@wellsfargo.com.INVALID wrote:
> > Ultimately it would be nice to be able to log it in Jason format for
> > ingestion by Elastic or something similar.
> If you want JSON-formatted logs, then configure JSON-formatted logs.
> JSON embedded in JSON is a little silly:
>
> {
> "timestamp":"2023-01-10T22:24:00Z",
> "level":"INFO",
> "logger":"org.apache.tomcat.util.net.AbstractEndpoint.logCertificate"
>
> "message":"{\"tlsVirtualHost\":\"_default_\",\"tlsCertificateType\":\"RSA\",
> ... }"
> }
>
> Isn't this what logstash is for?
>
> -chris
>
> >> -----Original Message-----
> >> From: Christopher Schultz <ch...@christopherschultz.net>
> >> Sent: Tuesday, January 10, 2023 7:52 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> Jon,
> >>
> >> On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>> Yes Chris, It's just for during startup. For a particular instance I
> >>> would like to capture the Certificate Info and Truststore being used
> >>> and pipe that into a separate log/txt file.
> >> So it sounds like just dumping-out the configured certificates, etc.
> >> to something like the debug log from Connector or SSLHostConfig or
> >> similar would work?
> >>
> >> Or would you want that information available to the application so
> >> you can log it in some very specific way? Note that you can already
> >> get the SSLHostConfig info via JMX if you are willing to do that.
> >>
> >> -chris
> >>
> >>>
> >>> Thanks,
> >>>
> >>> Dream * Excel * Explore * Inspire
> >>> Jon McAlexander
> >>> Senior Infrastructure Engineer
> >>> Asst. Vice President
> >>> He/His
> >>>
> >>> Middleware Product Engineering
> >>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>
> >>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>> MAC: F4469-010
> >>> Tel 515-988-2508 | Cell 515-988-2508
> >>>
> >>> jonmcalexander@wellsfargo.com
> >>> This message may contain confidential and/or privileged information.
> >>> If you
> >> are not the addressee or authorized to receive this for the
> >> addressee, you must not use, copy, disclose, or take any action based
> >> on this message or any information herein. If you have received this
> >> message in error, please advise the sender immediately by reply
> >> e-mail and delete this message. Thank you for your cooperation.
> >>>
> >>>> -----Original Message-----
> >>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>> Sent: Monday, January 9, 2023 8:10 AM
> >>>> To: users@tomcat.apache.org
> >>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>
> >>>> Jon,
> >>>>
> >>>> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>>>> Thanks for the info.
> >>>>>
> >>>>> In a nutshell I think the certpath,provider would be sufficient.
> >>>>> I'm thinking that I can add this to the java options as
> >>>>> -Djava.security.debug=ssl:certpath,provider however I don't know
> >>>>> how to specify where to log the information.
> >>>> java.security.debug is really a blunt instrument. It's unfortunate
> >>>> that it's one of the only ways to get information out of the TLS
> >>>> stack. It would have been great if Java had started using its own
> >>>> logging system once it was introduced, but no.
> >>>>
> >>>> That debugging tool always dumps to stdout (or stderr?) and you
> >>>> have very little control over where it goes.
> >>>>
> >>>> You would never want to use it for ongoing logging. It truly is for
> >>>> debugging- only.
> >>>>
> >>>> The good news is that application code should be able to get the
> >>>> information you are looking for.
> >>>>
> >>>> Oh, wait...
> >>>>
> >>>>> [...] I'm checking to see if there is any out-of-the-box option to
> >>>>> capture in a log which SSL certificate and trust keystore is being
> >>>>> used during startup?
> >>>> What do you mean "during startup"? I originally read that as "for
> >>>> incoming connections" thinking that you wanted to log which cert
> >>>> was used for a particular request. But it sounds like maybe you are
> >>>> asking for something to just be logged one-time during startup?
> >>>>
> >>>> -chris
> >>>>
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> Dream * Excel * Explore * Inspire
> >>>>> Jon McAlexander
> >>>>> Senior Infrastructure Engineer
> >>>>> Asst. Vice President
> >>>>> He/His
> >>>>>
> >>>>> Middleware Product Engineering
> >>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>>
> >>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>> MAC: F4469-010
> >>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>
> >>>>> jonmcalexander@wellsfargo.com
> >>>>> This message may contain confidential and/or privileged information.
> >>>>> If you
> >>>> are not the addressee or authorized to receive this for the
> >>>> addressee, you must not use, copy, disclose, or take any action
> >>>> based on this message or any information herein. If you have
> >>>> received this message in error, please advise the sender
> >>>> immediately by reply e-mail and delete this message. Thank you for
> your cooperation.
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>>>> Sent: Friday, January 6, 2023 2:41 PM
> >>>>>> To: users@tomcat.apache.org
> >>>>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>>>
> >>>>>> Mark,
> >>>>>>
> >>>>>> On 1/6/23 15:00, Mark Thomas wrote:
> >>>>>>> Hi Jon,
> >>>>>>>
> >>>>>>> In a word, no. Sorry.
> >>>>>>>
> >>>>>>> Some sort of info log message probably makes sense for this. SNI
> >>>>>>> makes things a little more complicated but we should be able to
> >>>>>>> do
> >>>> something.
> >>>>>>> What is the minimum info you'd like to see?
> >>>>>>
> >>>>>> How about adding a request attribute with some kind of identifier
> (fpr?
> >>>>>> serial-number?) in it and indicates at least which server-cert
> >>>>>> was
> >> chosen.
> >>>>>> Then it can trivially be added to e.g. access_log or even to
> >>>>>> application code which wants to do custom logging.
> >>>>>>
> >>>>>> -chris
> >>>>>>
> >>>>>>> On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID
> >> wrote:
> >>>>>>>> Good afternoon and Happy New Year,
> >>>>>>>>
> >>>>>>>> I know about the SSL debug logging, however, I'm checking to
> >>>>>>>> see if there is any out-of-the-box option to capture in a log
> >>>>>>>> which SSL certificate and trust keystore is being used during
> startup?
> >>>>>>>>
> >>>>>>>> Thanks,
> >>>>>>>>
> >>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>>>
> >>>>>>>> Middleware Product Engineering
> >>>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>>>>>
> >>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>>>> MAC: F4469-010
> >>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>
> >>
> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
> >>>>>>>> This message may contain confidential and/or privileged
> >> information.
> >>>>>>>> If you are not the addressee or authorized to receive this for
> >>>>>>>> the addressee, you must not use, copy, disclose, or take any
> >>>>>>>> action based on this message or any information herein. If you
> >>>>>>>> have received this message in error, please advise the sender
> >>>>>>>> immediately by reply e-mail and delete this message. Thank you
> >>>>>>>> for
> >>>> your cooperation.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>> ----------------------------------------------------------------
> >>>>>>> --
> >>>>>>> --
> >>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>>
> >>>>>>
> >>>>>> -----------------------------------------------------------------
> >>>>>> --
> >>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>
> >>>>>
> >>>>> ------------------------------------------------------------------
> >>>>> --
> >>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>
> >>>>
> >>>> -------------------------------------------------------------------
> >>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>
> >>>
> >>> --------------------------------------------------------------------
> >>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
Re: Basic SSL Certificate Usage logging
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jon,
On 1/10/23 13:37, jonmcalexander@wellsfargo.com.INVALID wrote:
> Ultimately it would be nice to be able to log it in Jason format for
> ingestion by Elastic or something similar.
If you want JSON-formatted logs, then configure JSON-formatted logs.
JSON embedded in JSON is a little silly:
{
"timestamp":"2023-01-10T22:24:00Z",
"level":"INFO",
"logger":"org.apache.tomcat.util.net.AbstractEndpoint.logCertificate"
"message":"{\"tlsVirtualHost\":\"_default_\",\"tlsCertificateType\":\"RSA\",
... }"
}
Isn't this what logstash is for?
-chris
>> -----Original Message-----
>> From: Christopher Schultz <ch...@christopherschultz.net>
>> Sent: Tuesday, January 10, 2023 7:52 AM
>> To: users@tomcat.apache.org
>> Subject: Re: Basic SSL Certificate Usage logging
>>
>> Jon,
>>
>> On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID wrote:
>>> Yes Chris, It's just for during startup. For a particular instance I
>>> would like to capture the Certificate Info and Truststore being used
>>> and pipe that into a separate log/txt file.
>> So it sounds like just dumping-out the configured certificates, etc. to
>> something like the debug log from Connector or SSLHostConfig or similar
>> would work?
>>
>> Or would you want that information available to the application so you can
>> log it in some very specific way? Note that you can already get the
>> SSLHostConfig info via JMX if you are willing to do that.
>>
>> -chris
>>
>>>
>>> Thanks,
>>>
>>> Dream * Excel * Explore * Inspire
>>> Jon McAlexander
>>> Senior Infrastructure Engineer
>>> Asst. Vice President
>>> He/His
>>>
>>> Middleware Product Engineering
>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>
>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>> MAC: F4469-010
>>> Tel 515-988-2508 | Cell 515-988-2508
>>>
>>> jonmcalexander@wellsfargo.com
>>> This message may contain confidential and/or privileged information. If you
>> are not the addressee or authorized to receive this for the addressee, you
>> must not use, copy, disclose, or take any action based on this message or any
>> information herein. If you have received this message in error, please advise
>> the sender immediately by reply e-mail and delete this message. Thank you
>> for your cooperation.
>>>
>>>> -----Original Message-----
>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>> Sent: Monday, January 9, 2023 8:10 AM
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>
>>>> Jon,
>>>>
>>>> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>>> Thanks for the info.
>>>>>
>>>>> In a nutshell I think the certpath,provider would be sufficient. I'm
>>>>> thinking that I can add this to the java options as
>>>>> -Djava.security.debug=ssl:certpath,provider however I don't know how
>>>>> to specify where to log the information.
>>>> java.security.debug is really a blunt instrument. It's unfortunate
>>>> that it's one of the only ways to get information out of the TLS
>>>> stack. It would have been great if Java had started using its own
>>>> logging system once it was introduced, but no.
>>>>
>>>> That debugging tool always dumps to stdout (or stderr?) and you have
>>>> very little control over where it goes.
>>>>
>>>> You would never want to use it for ongoing logging. It truly is for
>>>> debugging- only.
>>>>
>>>> The good news is that application code should be able to get the
>>>> information you are looking for.
>>>>
>>>> Oh, wait...
>>>>
>>>>> [...] I'm checking to see if there is any out-of-the-box option to
>>>>> capture in a log which SSL certificate and trust keystore is being
>>>>> used during startup?
>>>> What do you mean "during startup"? I originally read that as "for
>>>> incoming connections" thinking that you wanted to log which cert was
>>>> used for a particular request. But it sounds like maybe you are
>>>> asking for something to just be logged one-time during startup?
>>>>
>>>> -chris
>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Dream * Excel * Explore * Inspire
>>>>> Jon McAlexander
>>>>> Senior Infrastructure Engineer
>>>>> Asst. Vice President
>>>>> He/His
>>>>>
>>>>> Middleware Product Engineering
>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>
>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>> MAC: F4469-010
>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>
>>>>> jonmcalexander@wellsfargo.com
>>>>> This message may contain confidential and/or privileged information.
>>>>> If you
>>>> are not the addressee or authorized to receive this for the
>>>> addressee, you must not use, copy, disclose, or take any action based
>>>> on this message or any information herein. If you have received this
>>>> message in error, please advise the sender immediately by reply
>>>> e-mail and delete this message. Thank you for your cooperation.
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>>>> Sent: Friday, January 6, 2023 2:41 PM
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>>>
>>>>>> Mark,
>>>>>>
>>>>>> On 1/6/23 15:00, Mark Thomas wrote:
>>>>>>> Hi Jon,
>>>>>>>
>>>>>>> In a word, no. Sorry.
>>>>>>>
>>>>>>> Some sort of info log message probably makes sense for this. SNI
>>>>>>> makes things a little more complicated but we should be able to do
>>>> something.
>>>>>>> What is the minimum info you'd like to see?
>>>>>>
>>>>>> How about adding a request attribute with some kind of identifier (fpr?
>>>>>> serial-number?) in it and indicates at least which server-cert was
>> chosen.
>>>>>> Then it can trivially be added to e.g. access_log or even to
>>>>>> application code which wants to do custom logging.
>>>>>>
>>>>>> -chris
>>>>>>
>>>>>>> On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID
>> wrote:
>>>>>>>> Good afternoon and Happy New Year,
>>>>>>>>
>>>>>>>> I know about the SSL debug logging, however, I'm checking to see
>>>>>>>> if there is any out-of-the-box option to capture in a log which
>>>>>>>> SSL certificate and trust keystore is being used during startup?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
>>>>>>>>
>>>>>>>> Middleware Product Engineering
>>>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>>>>
>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>>>> MAC: F4469-010
>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>
>> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
>>>>>>>> This message may contain confidential and/or privileged
>> information.
>>>>>>>> If you are not the addressee or authorized to receive this for
>>>>>>>> the addressee, you must not use, copy, disclose, or take any
>>>>>>>> action based on this message or any information herein. If you
>>>>>>>> have received this message in error, please advise the sender
>>>>>>>> immediately by reply e-mail and delete this message. Thank you
>>>>>>>> for
>>>> your cooperation.
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------
>>>>>>> --
>>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>
>>>>>>
>>>>>> -------------------------------------------------------------------
>>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>>>
>>>>> --------------------------------------------------------------------
>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Basic SSL Certificate Usage logging
Posted by jo...@wellsfargo.com.INVALID.
Ultimately it would be nice to be able to log it in Jason format for ingestion by Elastic or something similar.
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Tuesday, January 10, 2023 7:52 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
>
> Jon,
>
> On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID wrote:
> > Yes Chris, It's just for during startup. For a particular instance I
> > would like to capture the Certificate Info and Truststore being used
> > and pipe that into a separate log/txt file.
> So it sounds like just dumping-out the configured certificates, etc. to
> something like the debug log from Connector or SSLHostConfig or similar
> would work?
>
> Or would you want that information available to the application so you can
> log it in some very specific way? Note that you can already get the
> SSLHostConfig info via JMX if you are willing to do that.
>
> -chris
>
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexander@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >> -----Original Message-----
> >> From: Christopher Schultz <ch...@christopherschultz.net>
> >> Sent: Monday, January 9, 2023 8:10 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> Jon,
> >>
> >> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>> Thanks for the info.
> >>>
> >>> In a nutshell I think the certpath,provider would be sufficient. I'm
> >>> thinking that I can add this to the java options as
> >>> -Djava.security.debug=ssl:certpath,provider however I don't know how
> >>> to specify where to log the information.
> >> java.security.debug is really a blunt instrument. It's unfortunate
> >> that it's one of the only ways to get information out of the TLS
> >> stack. It would have been great if Java had started using its own
> >> logging system once it was introduced, but no.
> >>
> >> That debugging tool always dumps to stdout (or stderr?) and you have
> >> very little control over where it goes.
> >>
> >> You would never want to use it for ongoing logging. It truly is for
> >> debugging- only.
> >>
> >> The good news is that application code should be able to get the
> >> information you are looking for.
> >>
> >> Oh, wait...
> >>
> >>> [...] I'm checking to see if there is any out-of-the-box option to
> >>> capture in a log which SSL certificate and trust keystore is being
> >>> used during startup?
> >> What do you mean "during startup"? I originally read that as "for
> >> incoming connections" thinking that you wanted to log which cert was
> >> used for a particular request. But it sounds like maybe you are
> >> asking for something to just be logged one-time during startup?
> >>
> >> -chris
> >>
> >>>
> >>> Thanks,
> >>>
> >>> Dream * Excel * Explore * Inspire
> >>> Jon McAlexander
> >>> Senior Infrastructure Engineer
> >>> Asst. Vice President
> >>> He/His
> >>>
> >>> Middleware Product Engineering
> >>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>
> >>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>> MAC: F4469-010
> >>> Tel 515-988-2508 | Cell 515-988-2508
> >>>
> >>> jonmcalexander@wellsfargo.com
> >>> This message may contain confidential and/or privileged information.
> >>> If you
> >> are not the addressee or authorized to receive this for the
> >> addressee, you must not use, copy, disclose, or take any action based
> >> on this message or any information herein. If you have received this
> >> message in error, please advise the sender immediately by reply
> >> e-mail and delete this message. Thank you for your cooperation.
> >>>
> >>>> -----Original Message-----
> >>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>> Sent: Friday, January 6, 2023 2:41 PM
> >>>> To: users@tomcat.apache.org
> >>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>
> >>>> Mark,
> >>>>
> >>>> On 1/6/23 15:00, Mark Thomas wrote:
> >>>>> Hi Jon,
> >>>>>
> >>>>> In a word, no. Sorry.
> >>>>>
> >>>>> Some sort of info log message probably makes sense for this. SNI
> >>>>> makes things a little more complicated but we should be able to do
> >> something.
> >>>>> What is the minimum info you'd like to see?
> >>>>
> >>>> How about adding a request attribute with some kind of identifier (fpr?
> >>>> serial-number?) in it and indicates at least which server-cert was
> chosen.
> >>>> Then it can trivially be added to e.g. access_log or even to
> >>>> application code which wants to do custom logging.
> >>>>
> >>>> -chris
> >>>>
> >>>>> On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID
> wrote:
> >>>>>> Good afternoon and Happy New Year,
> >>>>>>
> >>>>>> I know about the SSL debug logging, however, I'm checking to see
> >>>>>> if there is any out-of-the-box option to capture in a log which
> >>>>>> SSL certificate and trust keystore is being used during startup?
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>
> >>>>>> Middleware Product Engineering
> >>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>>>
> >>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>> MAC: F4469-010
> >>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>
> >>>>>>
> >>>>
> >>
> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
> >>>>>> This message may contain confidential and/or privileged
> information.
> >>>>>> If you are not the addressee or authorized to receive this for
> >>>>>> the addressee, you must not use, copy, disclose, or take any
> >>>>>> action based on this message or any information herein. If you
> >>>>>> have received this message in error, please advise the sender
> >>>>>> immediately by reply e-mail and delete this message. Thank you
> >>>>>> for
> >> your cooperation.
> >>>>>>
> >>>>>>
> >>>>>
> >>>>> ------------------------------------------------------------------
> >>>>> --
> >>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>
> >>>>
> >>>> -------------------------------------------------------------------
> >>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>
> >>>
> >>> --------------------------------------------------------------------
> >>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
Re: Basic SSL Certificate Usage logging
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,
On 1/10/23 09:22, Mark Thomas wrote:
> On 10/01/2023 13:52, Christopher Schultz wrote:
>> Jon,
>>
>> On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID wrote:
>>> Yes Chris, It's just for during startup. For a particular instance I
>>> would like to capture the Certificate Info and Truststore being used
>>> and pipe that into a separate log/txt file.
>> So it sounds like just dumping-out the configured certificates, etc.
>> to something like the debug log from Connector or SSLHostConfig or
>> similar would work?
>>
>> Or would you want that information available to the application so you
>> can log it in some very specific way? Note that you can already get
>> the SSLHostConfig info via JMX if you are willing to do that.
>
> How about something like this:
>
> 10-Jan-2023 14:21:07.951 INFO [main]
> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type
> [RSA] configured from [conf/localhost-rsa.jks] using alias [null] and
> with trust store [null]
>
> ?
How about also including the cert fingerprint?
I think that's a very helpful item to include.
-chris
>>>> -----Original Message-----
>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>> Sent: Monday, January 9, 2023 8:10 AM
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>
>>>> Jon,
>>>>
>>>> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>>> Thanks for the info.
>>>>>
>>>>> In a nutshell I think the certpath,provider would be sufficient. I'm
>>>>> thinking that I can add this to the java options as
>>>>> -Djava.security.debug=ssl:certpath,provider however I don't know how
>>>>> to specify where to log the information.
>>>> java.security.debug is really a blunt instrument. It's unfortunate
>>>> that it's one
>>>> of the only ways to get information out of the TLS stack. It would
>>>> have been
>>>> great if Java had started using its own logging system once it was
>>>> introduced,
>>>> but no.
>>>>
>>>> That debugging tool always dumps to stdout (or stderr?) and you have
>>>> very
>>>> little control over where it goes.
>>>>
>>>> You would never want to use it for ongoing logging. It truly is for
>>>> debugging-
>>>> only.
>>>>
>>>> The good news is that application code should be able to get the
>>>> information
>>>> you are looking for.
>>>>
>>>> Oh, wait...
>>>>
>>>>> [...] I'm checking to see if there is any out-of-the-box option to
>>>>> capture in a log which SSL certificate and trust keystore is being
>>>>> used during startup?
>>>> What do you mean "during startup"? I originally read that as "for
>>>> incoming
>>>> connections" thinking that you wanted to log which cert was used for a
>>>> particular request. But it sounds like maybe you are asking for
>>>> something to
>>>> just be logged one-time during startup?
>>>>
>>>> -chris
>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Dream * Excel * Explore * Inspire
>>>>> Jon McAlexander
>>>>> Senior Infrastructure Engineer
>>>>> Asst. Vice President
>>>>> He/His
>>>>>
>>>>> Middleware Product Engineering
>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>
>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>> MAC: F4469-010
>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>
>>>>> jonmcalexander@wellsfargo.com
>>>>> This message may contain confidential and/or privileged
>>>>> information. If you
>>>> are not the addressee or authorized to receive this for the
>>>> addressee, you
>>>> must not use, copy, disclose, or take any action based on this
>>>> message or any
>>>> information herein. If you have received this message in error,
>>>> please advise
>>>> the sender immediately by reply e-mail and delete this message.
>>>> Thank you
>>>> for your cooperation.
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>>>> Sent: Friday, January 6, 2023 2:41 PM
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>>>
>>>>>> Mark,
>>>>>>
>>>>>> On 1/6/23 15:00, Mark Thomas wrote:
>>>>>>> Hi Jon,
>>>>>>>
>>>>>>> In a word, no. Sorry.
>>>>>>>
>>>>>>> Some sort of info log message probably makes sense for this. SNI
>>>>>>> makes things a little more complicated but we should be able to do
>>>> something.
>>>>>>> What is the minimum info you'd like to see?
>>>>>>
>>>>>> How about adding a request attribute with some kind of identifier
>>>>>> (fpr?
>>>>>> serial-number?) in it and indicates at least which server-cert was
>>>>>> chosen.
>>>>>> Then it can trivially be added to e.g. access_log or even to
>>>>>> application code which wants to do custom logging.
>>>>>>
>>>>>> -chris
>>>>>>
>>>>>>> On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>>>>>> Good afternoon and Happy New Year,
>>>>>>>>
>>>>>>>> I know about the SSL debug logging, however, I'm checking to see if
>>>>>>>> there is any out-of-the-box option to capture in a log which SSL
>>>>>>>> certificate and trust keystore is being used during startup?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Dream * Excel * Explore * Inspire
>>>>>>>> Jon McAlexander
>>>>>>>> Senior Infrastructure Engineer
>>>>>>>> Asst. Vice President
>>>>>>>> He/His
>>>>>>>>
>>>>>>>> Middleware Product Engineering
>>>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>>>>
>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>>>> MAC: F4469-010
>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>>>
>>>>>>>>
>>>>>>
>>>> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
>>>>>>>> This message may contain confidential and/or privileged
>>>>>>>> information.
>>>>>>>> If you are not the addressee or authorized to receive this for the
>>>>>>>> addressee, you must not use, copy, disclose, or take any action
>>>>>>>> based on this message or any information herein. If you have
>>>>>>>> received this message in error, please advise the sender
>>>>>>>> immediately by reply e-mail and delete this message. Thank you for
>>>> your cooperation.
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --------------------------------------------------------------------
>>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Basic SSL Certificate Usage logging
Posted by jo...@wellsfargo.com.INVALID.
Can we include valid to dates?
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Tuesday, January 10, 2023 8:23 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
>
> On 10/01/2023 13:52, Christopher Schultz wrote:
> > Jon,
> >
> > On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID wrote:
> >> Yes Chris, It's just for during startup. For a particular instance I
> >> would like to capture the Certificate Info and Truststore being used
> >> and pipe that into a separate log/txt file.
> > So it sounds like just dumping-out the configured certificates, etc.
> > to something like the debug log from Connector or SSLHostConfig or
> > similar would work?
> >
> > Or would you want that information available to the application so you
> > can log it in some very specific way? Note that you can already get
> > the SSLHostConfig info via JMX if you are willing to do that.
>
> How about something like this:
>
> 10-Jan-2023 14:21:07.951 INFO [main]
> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type [RSA]
> configured from [conf/localhost-rsa.jks] using alias [null] and with trust store
> [null]
>
> ?
>
> Mark
>
> >
> > -chris
> >
> >>
> >> Thanks,
> >>
> >> Dream * Excel * Explore * Inspire
> >> Jon McAlexander
> >> Senior Infrastructure Engineer
> >> Asst. Vice President
> >> He/His
> >>
> >> Middleware Product Engineering
> >> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>
> >> 8080 Cobblestone Rd | Urbandale, IA 50322
> >> MAC: F4469-010
> >> Tel 515-988-2508 | Cell 515-988-2508
> >>
> >> jonmcalexander@wellsfargo.com
> >> This message may contain confidential and/or privileged information.
> >> If you are not the addressee or authorized to receive this for the
> >> addressee, you must not use, copy, disclose, or take any action based
> >> on this message or any information herein. If you have received this
> >> message in error, please advise the sender immediately by reply
> >> e-mail and delete this message. Thank you for your cooperation.
> >>
> >>> -----Original Message-----
> >>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>> Sent: Monday, January 9, 2023 8:10 AM
> >>> To: users@tomcat.apache.org
> >>> Subject: Re: Basic SSL Certificate Usage logging
> >>>
> >>> Jon,
> >>>
> >>> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>>> Thanks for the info.
> >>>>
> >>>> In a nutshell I think the certpath,provider would be sufficient.
> >>>> I'm thinking that I can add this to the java options as
> >>>> -Djava.security.debug=ssl:certpath,provider however I don't know
> >>>> how to specify where to log the information.
> >>> java.security.debug is really a blunt instrument. It's unfortunate
> >>> that it's one of the only ways to get information out of the TLS
> >>> stack. It would have been great if Java had started using its own
> >>> logging system once it was introduced, but no.
> >>>
> >>> That debugging tool always dumps to stdout (or stderr?) and you have
> >>> very little control over where it goes.
> >>>
> >>> You would never want to use it for ongoing logging. It truly is for
> >>> debugging-
> >>> only.
> >>>
> >>> The good news is that application code should be able to get the
> >>> information you are looking for.
> >>>
> >>> Oh, wait...
> >>>
> >>>> [...] I'm checking to see if there is any out-of-the-box option to
> >>>> capture in a log which SSL certificate and trust keystore is being
> >>>> used during startup?
> >>> What do you mean "during startup"? I originally read that as "for
> >>> incoming connections" thinking that you wanted to log which cert was
> >>> used for a particular request. But it sounds like maybe you are
> >>> asking for something to just be logged one-time during startup?
> >>>
> >>> -chris
> >>>
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Dream * Excel * Explore * Inspire
> >>>> Jon McAlexander
> >>>> Senior Infrastructure Engineer
> >>>> Asst. Vice President
> >>>> He/His
> >>>>
> >>>> Middleware Product Engineering
> >>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>
> >>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>> MAC: F4469-010
> >>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>
> >>>> jonmcalexander@wellsfargo.com
> >>>> This message may contain confidential and/or privileged information.
> >>>> If you
> >>> are not the addressee or authorized to receive this for the
> >>> addressee, you must not use, copy, disclose, or take any action
> >>> based on this message or any information herein. If you have
> >>> received this message in error, please advise the sender immediately
> >>> by reply e-mail and delete this message. Thank you for your
> >>> cooperation.
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>>> Sent: Friday, January 6, 2023 2:41 PM
> >>>>> To: users@tomcat.apache.org
> >>>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>>
> >>>>> Mark,
> >>>>>
> >>>>> On 1/6/23 15:00, Mark Thomas wrote:
> >>>>>> Hi Jon,
> >>>>>>
> >>>>>> In a word, no. Sorry.
> >>>>>>
> >>>>>> Some sort of info log message probably makes sense for this. SNI
> >>>>>> makes things a little more complicated but we should be able to
> >>>>>> do
> >>> something.
> >>>>>> What is the minimum info you'd like to see?
> >>>>>
> >>>>> How about adding a request attribute with some kind of identifier
> >>>>> (fpr?
> >>>>> serial-number?) in it and indicates at least which server-cert was
> >>>>> chosen.
> >>>>> Then it can trivially be added to e.g. access_log or even to
> >>>>> application code which wants to do custom logging.
> >>>>>
> >>>>> -chris
> >>>>>
> >>>>>> On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID
> wrote:
> >>>>>>> Good afternoon and Happy New Year,
> >>>>>>>
> >>>>>>> I know about the SSL debug logging, however, I'm checking to see
> >>>>>>> if there is any out-of-the-box option to capture in a log which
> >>>>>>> SSL certificate and trust keystore is being used during startup?
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>>
> >>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>>
> >>>>>>> Middleware Product Engineering
> >>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>>>>
> >>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>>> MAC: F4469-010
> >>>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>>
> >>>>>>>
> >>>>>
> >>>
> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
> >>>>>>> This message may contain confidential and/or privileged
> information.
> >>>>>>> If you are not the addressee or authorized to receive this for
> >>>>>>> the addressee, you must not use, copy, disclose, or take any
> >>>>>>> action based on this message or any information herein. If you
> >>>>>>> have received this message in error, please advise the sender
> >>>>>>> immediately by reply e-mail and delete this message. Thank you
> >>>>>>> for
> >>> your cooperation.
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>> -----------------------------------------------------------------
> >>>>>> ---
> >>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>
> >>>>>
> >>>>> ------------------------------------------------------------------
> >>>>> --- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>>
> >>>> -------------------------------------------------------------------
> >>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>
> >>> --------------------------------------------------------------------
> >>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Basic SSL Certificate Usage logging
Posted by jo...@wellsfargo.com.INVALID.
Awesome Possum Boss!!!
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Wednesday, February 8, 2023 10:37 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
>
> On 08/02/2023 16:24, jonmcalexander@wellsfargo.com.INVALID wrote:
> > Hi Mark,
> >
> > So, is this something that can/will be added in the future? I tested my
> thought of setting the java logging.properties to a specific file in the
> command line but it didn't do what I had hoped.
>
> Already added. Will be in the next round of releases.
>
> Mark
>
>
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexander@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >
> >> -----Original Message-----
> >> From: Mark Thomas <ma...@apache.org>
> >> Sent: Tuesday, January 10, 2023 8:23 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> On 10/01/2023 13:52, Christopher Schultz wrote:
> >>> Jon,
> >>>
> >>> On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>>> Yes Chris, It's just for during startup. For a particular instance
> >>>> I would like to capture the Certificate Info and Truststore being
> >>>> used and pipe that into a separate log/txt file.
> >>> So it sounds like just dumping-out the configured certificates, etc.
> >>> to something like the debug log from Connector or SSLHostConfig or
> >>> similar would work?
> >>>
> >>> Or would you want that information available to the application so
> >>> you can log it in some very specific way? Note that you can already
> >>> get the SSLHostConfig info via JMX if you are willing to do that.
> >>
> >> How about something like this:
> >>
> >> 10-Jan-2023 14:21:07.951 INFO [main]
> >> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> >> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type
> >> [RSA] configured from [conf/localhost-rsa.jks] using alias [null] and
> >> with trust store [null]
> >>
> >> ?
> >>
> >> Mark
> >>
> >>>
> >>> -chris
> >>>
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Dream * Excel * Explore * Inspire
> >>>> Jon McAlexander
> >>>> Senior Infrastructure Engineer
> >>>> Asst. Vice President
> >>>> He/His
> >>>>
> >>>> Middleware Product Engineering
> >>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>
> >>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>> MAC: F4469-010
> >>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>
> >>>> jonmcalexander@wellsfargo.com
> >>>> This message may contain confidential and/or privileged information.
> >>>> If you are not the addressee or authorized to receive this for the
> >>>> addressee, you must not use, copy, disclose, or take any action
> >>>> based on this message or any information herein. If you have
> >>>> received this message in error, please advise the sender
> >>>> immediately by reply e-mail and delete this message. Thank you for
> your cooperation.
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>>> Sent: Monday, January 9, 2023 8:10 AM
> >>>>> To: users@tomcat.apache.org
> >>>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>>
> >>>>> Jon,
> >>>>>
> >>>>> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>>>>> Thanks for the info.
> >>>>>>
> >>>>>> In a nutshell I think the certpath,provider would be sufficient.
> >>>>>> I'm thinking that I can add this to the java options as
> >>>>>> -Djava.security.debug=ssl:certpath,provider however I don't know
> >>>>>> how to specify where to log the information.
> >>>>> java.security.debug is really a blunt instrument. It's unfortunate
> >>>>> that it's one of the only ways to get information out of the TLS
> >>>>> stack. It would have been great if Java had started using its own
> >>>>> logging system once it was introduced, but no.
> >>>>>
> >>>>> That debugging tool always dumps to stdout (or stderr?) and you
> >>>>> have very little control over where it goes.
> >>>>>
> >>>>> You would never want to use it for ongoing logging. It truly is
> >>>>> for
> >>>>> debugging-
> >>>>> only.
> >>>>>
> >>>>> The good news is that application code should be able to get the
> >>>>> information you are looking for.
> >>>>>
> >>>>> Oh, wait...
> >>>>>
> >>>>>> [...] I'm checking to see if there is any out-of-the-box option
> >>>>>> to capture in a log which SSL certificate and trust keystore is
> >>>>>> being used during startup?
> >>>>> What do you mean "during startup"? I originally read that as "for
> >>>>> incoming connections" thinking that you wanted to log which cert
> >>>>> was used for a particular request. But it sounds like maybe you
> >>>>> are asking for something to just be logged one-time during startup?
> >>>>>
> >>>>> -chris
> >>>>>
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>
> >>>>>> Middleware Product Engineering
> >>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>>>
> >>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>> MAC: F4469-010
> >>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>
> >>>>>> jonmcalexander@wellsfargo.com
> >>>>>> This message may contain confidential and/or privileged
> information.
> >>>>>> If you
> >>>>> are not the addressee or authorized to receive this for the
> >>>>> addressee, you must not use, copy, disclose, or take any action
> >>>>> based on this message or any information herein. If you have
> >>>>> received this message in error, please advise the sender
> >>>>> immediately by reply e-mail and delete this message. Thank you for
> >>>>> your cooperation.
> >>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>>>>> Sent: Friday, January 6, 2023 2:41 PM
> >>>>>>> To: users@tomcat.apache.org
> >>>>>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>>>>
> >>>>>>> Mark,
> >>>>>>>
> >>>>>>> On 1/6/23 15:00, Mark Thomas wrote:
> >>>>>>>> Hi Jon,
> >>>>>>>>
> >>>>>>>> In a word, no. Sorry.
> >>>>>>>>
> >>>>>>>> Some sort of info log message probably makes sense for this.
> >>>>>>>> SNI makes things a little more complicated but we should be
> >>>>>>>> able to do
> >>>>> something.
> >>>>>>>> What is the minimum info you'd like to see?
> >>>>>>>
> >>>>>>> How about adding a request attribute with some kind of
> >>>>>>> identifier (fpr?
> >>>>>>> serial-number?) in it and indicates at least which server-cert
> >>>>>>> was chosen.
> >>>>>>> Then it can trivially be added to e.g. access_log or even to
> >>>>>>> application code which wants to do custom logging.
> >>>>>>>
> >>>>>>> -chris
> >>>>>>>
> >>>>>>>> On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID
> >> wrote:
> >>>>>>>>> Good afternoon and Happy New Year,
> >>>>>>>>>
> >>>>>>>>> I know about the SSL debug logging, however, I'm checking to
> >>>>>>>>> see if there is any out-of-the-box option to capture in a log
> >>>>>>>>> which SSL certificate and trust keystore is being used during
> startup?
> >>>>>>>>>
> >>>>>>>>> Thanks,
> >>>>>>>>>
> >>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>>>>
> >>>>>>>>> Middleware Product Engineering Enterprise CIO | EAS |
> >>>>>>>>> Middleware | Infrastructure Solutions
> >>>>>>>>>
> >>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>>>>> MAC: F4469-010
> >>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>
> >>>>>
> >>
> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
> >>>>>>>>> This message may contain confidential and/or privileged
> >> information.
> >>>>>>>>> If you are not the addressee or authorized to receive this for
> >>>>>>>>> the addressee, you must not use, copy, disclose, or take any
> >>>>>>>>> action based on this message or any information herein. If you
> >>>>>>>>> have received this message in error, please advise the sender
> >>>>>>>>> immediately by reply e-mail and delete this message. Thank you
> >>>>>>>>> for
> >>>>> your cooperation.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>> ---------------------------------------------------------------
> >>>>>>>> --
> >>>>>>>> ---
> >>>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>>>
> >>>>>>>
> >>>>>>> ----------------------------------------------------------------
> >>>>>>> --
> >>>>>>> --- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>
> >>>>>>
> >>>>>> -----------------------------------------------------------------
> >>>>>> --
> >>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>
> >>>>>
> >>>>> ------------------------------------------------------------------
> >>>>> --
> >>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>>
> >>>> -------------------------------------------------------------------
> >>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>
> >>> --------------------------------------------------------------------
> >>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
Re: Basic SSL Certificate Usage logging
Posted by Mark Thomas <ma...@apache.org>.
On 16/02/2023 16:44, jonmcalexander@wellsfargo.com.INVALID wrote:
> Hi Mark!
>
> Thanks so much. Please provide the sample code. :-)
https://people.apache.org/~markt/dev/custom-certificate-debug-logs.txt
Enjoy.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Basic SSL Certificate Usage logging
Posted by jo...@wellsfargo.com.INVALID.
Hi Mark!
Thanks so much. Please provide the sample code. :-)
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Thursday, February 16, 2023 8:09 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
>
> On 15/02/2023 23:03, Mark Thomas wrote:
> > On 15/02/2023 22:56, jonmcalexander@wellsfargo.com.INVALID wrote:
> >> They also had this question.
> >>
> >> There seems to be no need to print both TEXT and HEX representations,
> >> like below (just HEX string should be fine):
> >> KeyIdentifier [
> >> 0000: CD 35 CB AD 62 91 65 C4Â Â C5 46 C8 C3 0A C7 D3 57
> >> .5..b.e..F.....W
> >> 0010: 43 46 E8 FDÂ Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â CF..
> >> ]
> >
> > That is just the way the toString() is written. Short of rewriting the
> > toString() method (which I am trying to avoid) I don't see a way to
> > address that.
>
> I ended up with the following:
>
> SHA-1 and SHA-256 fingerprints included before the main certificate info and
> X509Certificate.toString() used to provide the certificate info.
>
> I looked at rewriting the toString() but it would require a lot of effort (and
> volume of code).
>
> Given that different folks may want slightly different output, I opted to make
> it easier for folks to write and use custom endpoints. If you want to
> customise the output it is relatively simple to do. You need:
> - a custom endpoint
> - extends existing endpoint
> - override logCertificate() and/or generateCertificateDebug()
> - a custom protocol
> - extends matching protocol for endpoint
> - no-arg constructor needs to call super constructor with custom
> endpoint
>
> and you shouldn't need to recompile to move between Tomcat point
> releases.
>
> I can provide sample code if anyone wants to try this themselves and isn't
> sure where to start.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
Re: Basic SSL Certificate Usage logging
Posted by Mark Thomas <ma...@apache.org>.
On 15/02/2023 23:03, Mark Thomas wrote:
> On 15/02/2023 22:56, jonmcalexander@wellsfargo.com.INVALID wrote:
>> They also had this question.
>>
>> There seems to be no need to print both TEXT and HEX representations,
>> like below (just HEX string should be fine):
>> KeyIdentifier [
>> 0000: CD 35 CB AD 62 91 65 C4Â Â C5 46 C8 C3 0A C7 D3 57Â .5..b.e..F.....W
>> 0010: 43 46 E8 FDÂ Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â CF..
>> ]
>
> That is just the way the toString() is written. Short of rewriting the
> toString() method (which I am trying to avoid) I don't see a way to
> address that.
I ended up with the following:
SHA-1 and SHA-256 fingerprints included before the main certificate info
and X509Certificate.toString() used to provide the certificate info.
I looked at rewriting the toString() but it would require a lot of
effort (and volume of code).
Given that different folks may want slightly different output, I opted
to make it easier for folks to write and use custom endpoints. If you
want to customise the output it is relatively simple to do. You need:
- a custom endpoint
- extends existing endpoint
- override logCertificate() and/or generateCertificateDebug()
- a custom protocol
- extends matching protocol for endpoint
- no-arg constructor needs to call super constructor with custom
endpoint
and you shouldn't need to recompile to move between Tomcat point releases.
I can provide sample code if anyone wants to try this themselves and
isn't sure where to start.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Basic SSL Certificate Usage logging
Posted by Mark Thomas <ma...@apache.org>.
On 15/02/2023 22:56, jonmcalexander@wellsfargo.com.INVALID wrote:
> They also had this question.
>
> There seems to be no need to print both TEXT and HEX representations, like below (just HEX string should be fine):
> KeyIdentifier [
> 0000: CD 35 CB AD 62 91 65 C4 C5 46 C8 C3 0A C7 D3 57 .5..b.e..F.....W
> 0010: 43 46 E8 FD CF..
> ]
That is just the way the toString() is written. Short of rewriting the
toString() method (which I am trying to avoid) I don't see a way to
address that.
Mark
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexander@wellsfargo.com
> This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
>
>
>> -----Original Message-----
>> From: Mark Thomas <ma...@apache.org>
>> Sent: Wednesday, February 15, 2023 4:48 PM
>> To: users@tomcat.apache.org
>> Subject: Re: Basic SSL Certificate Usage logging
>>
>> On 15/02/2023 22:17, jonmcalexander@wellsfargo.com.INVALID wrote:
>>> Hi Mark,
>>>
>>> I got a big thumbs up from our team here. They did have 2 questions and of
>> course you can just tell us to go pound sand.
>>>
>>> 1. Can this be printed in JSON format, for easier parsing? (or even
>>> make it a config parameter – PLAIN / JSON / XML)
>>
>> Not without (a lot?) more work. Currently the code just does cert.toString().
>>
>>> 2. Is it possible to calculate and print the 2 default types of fingerprints that
>> modern browsers are showing (FingerprintSHA1, FingerprintSHA256)?
>>
>> I should be able to do something for those. My preference would be to
>> provide the SHA256 fingerprint.
>>
>> Mark
>>
>>>
>>> As always THANK YOU!!!
>>>
>>> Dream * Excel * Explore * Inspire
>>> Jon McAlexander
>>> Senior Infrastructure Engineer
>>> Asst. Vice President
>>> He/His
>>>
>>> Middleware Product Engineering
>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>
>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>> MAC: F4469-010
>>> Tel 515-988-2508 | Cell 515-988-2508
>>>
>>> jonmcalexander@wellsfargo.com
>>> This message may contain confidential and/or privileged information. If you
>> are not the addressee or authorized to receive this for the addressee, you
>> must not use, copy, disclose, or take any action based on this message or any
>> information herein. If you have received this message in error, please advise
>> the sender immediately by reply e-mail and delete this message. Thank you
>> for your cooperation.
>>>
>>>
>>>> -----Original Message-----
>>>> From: Mark Thomas <ma...@apache.org>
>>>> Sent: Wednesday, February 15, 2023 2:17 PM
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>
>>>> On 10/02/2023 15:42, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>>> Once again, Awesome Possum! You guys are the greatest!
>>>>
>>>> How about this? (uses the simple toString() approach)
>>>>
>>>>
>> https://urldefense.com/v3/__https://people.apache.org/*markt/dev/cert
>>>> -
>>>> log-example.txt__;fg!!F9svGWnIaVPGSwU!uvbdRvGWKQQygFGij7jlX-
>>>> q_mdwzXNByljOdBPrOr5VF-mFiUrnmqaOMqACrbIcgMh-
>>>> fWzFlGBMzOf44iZI7_A$
>>>>
>>>> Enabled with:
>>>>
>>>> org.apache.tomcat.util.net.NioEndpoint.certificate.level = ALL
>>>>
>>>> in logging.properties
>>>>
>>>> (I tried pasting in-line but the line breaks in email mess up the
>>>> formatting)
>>>>
>>>> Mark
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Basic SSL Certificate Usage logging
Posted by jo...@wellsfargo.com.INVALID.
Clarification:
was:
KeyIdentifier [
0000: CD 35 CB AD 62 91 65 C4 C5 46 C8 C3 0A C7 D3 57 .5..b.e..F.....W
0010: 43 46 E8 FD CF..
]
should be:
CD35CBAD629165C4C546C8C30AC7D3574346E8FD
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: jonmcalexander@wellsfargo.com.INVALID
> <jo...@wellsfargo.com.INVALID>
> Sent: Wednesday, February 15, 2023 4:57 PM
> To: users@tomcat.apache.org
> Subject: RE: Basic SSL Certificate Usage logging
>
> They also had this question.
>
> There seems to be no need to print both TEXT and HEX representations, like
> below (just HEX string should be fine):
> KeyIdentifier [
> 0000: CD 35 CB AD 62 91 65 C4 C5 46 C8 C3 0A C7 D3 57 .5..b.e..F.....W
> 0010: 43 46 E8 FD CF..
> ]
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexander@wellsfargo.com
> This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
>
>
> > -----Original Message-----
> > From: Mark Thomas <ma...@apache.org>
> > Sent: Wednesday, February 15, 2023 4:48 PM
> > To: users@tomcat.apache.org
> > Subject: Re: Basic SSL Certificate Usage logging
> >
> > On 15/02/2023 22:17, jonmcalexander@wellsfargo.com.INVALID wrote:
> > > Hi Mark,
> > >
> > > I got a big thumbs up from our team here. They did have 2 questions
> > > and of
> > course you can just tell us to go pound sand.
> > >
> > > 1. Can this be printed in JSON format, for easier parsing? (or even
> > > make it a config parameter – PLAIN / JSON / XML)
> >
> > Not without (a lot?) more work. Currently the code just does
> cert.toString().
> >
> > > 2. Is it possible to calculate and print the 2 default types of
> > > fingerprints that
> > modern browsers are showing (FingerprintSHA1, FingerprintSHA256)?
> >
> > I should be able to do something for those. My preference would be to
> > provide the SHA256 fingerprint.
> >
> > Mark
> >
> > >
> > > As always THANK YOU!!!
> > >
> > > Dream * Excel * Explore * Inspire
> > > Jon McAlexander
> > > Senior Infrastructure Engineer
> > > Asst. Vice President
> > > He/His
> > >
> > > Middleware Product Engineering
> > > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> > >
> > > 8080 Cobblestone Rd | Urbandale, IA 50322
> > > MAC: F4469-010
> > > Tel 515-988-2508 | Cell 515-988-2508
> > >
> > > jonmcalexander@wellsfargo.com
> > > This message may contain confidential and/or privileged information.
> > > If you
> > are not the addressee or authorized to receive this for the addressee,
> > you must not use, copy, disclose, or take any action based on this
> > message or any information herein. If you have received this message
> > in error, please advise the sender immediately by reply e-mail and
> > delete this message. Thank you for your cooperation.
> > >
> > >
> > >> -----Original Message-----
> > >> From: Mark Thomas <ma...@apache.org>
> > >> Sent: Wednesday, February 15, 2023 2:17 PM
> > >> To: users@tomcat.apache.org
> > >> Subject: Re: Basic SSL Certificate Usage logging
> > >>
> > >> On 10/02/2023 15:42, jonmcalexander@wellsfargo.com.INVALID wrote:
> > >>> Once again, Awesome Possum! You guys are the greatest!
> > >>
> > >> How about this? (uses the simple toString() approach)
> > >>
> > >>
> > https://urldefense.com/v3/__https://people.apache.org/*markt/dev/cert
> > >> -
> > >> log-example.txt__;fg!!F9svGWnIaVPGSwU!uvbdRvGWKQQygFGij7jlX-
> > >> q_mdwzXNByljOdBPrOr5VF-mFiUrnmqaOMqACrbIcgMh-
> > >> fWzFlGBMzOf44iZI7_A$
> > >>
> > >> Enabled with:
> > >>
> > >> org.apache.tomcat.util.net.NioEndpoint.certificate.level = ALL
> > >>
> > >> in logging.properties
> > >>
> > >> (I tried pasting in-line but the line breaks in email mess up the
> > >> formatting)
> > >>
> > >> Mark
> > >>
> > >> -------------------------------------------------------------------
> > >> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > >> For additional commands, e-mail: users-help@tomcat.apache.org
> > >
> > >
> > > --------------------------------------------------------------------
> > > - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > For additional commands, e-mail: users-help@tomcat.apache.org
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
RE: Basic SSL Certificate Usage logging
Posted by jo...@wellsfargo.com.INVALID.
They also had this question.
There seems to be no need to print both TEXT and HEX representations, like below (just HEX string should be fine):
KeyIdentifier [
0000: CD 35 CB AD 62 91 65 C4 C5 46 C8 C3 0A C7 D3 57 .5..b.e..F.....W
0010: 43 46 E8 FD CF..
]
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Wednesday, February 15, 2023 4:48 PM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
>
> On 15/02/2023 22:17, jonmcalexander@wellsfargo.com.INVALID wrote:
> > Hi Mark,
> >
> > I got a big thumbs up from our team here. They did have 2 questions and of
> course you can just tell us to go pound sand.
> >
> > 1. Can this be printed in JSON format, for easier parsing? (or even
> > make it a config parameter – PLAIN / JSON / XML)
>
> Not without (a lot?) more work. Currently the code just does cert.toString().
>
> > 2. Is it possible to calculate and print the 2 default types of fingerprints that
> modern browsers are showing (FingerprintSHA1, FingerprintSHA256)?
>
> I should be able to do something for those. My preference would be to
> provide the SHA256 fingerprint.
>
> Mark
>
> >
> > As always THANK YOU!!!
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexander@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >
> >> -----Original Message-----
> >> From: Mark Thomas <ma...@apache.org>
> >> Sent: Wednesday, February 15, 2023 2:17 PM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> On 10/02/2023 15:42, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>> Once again, Awesome Possum! You guys are the greatest!
> >>
> >> How about this? (uses the simple toString() approach)
> >>
> >>
> https://urldefense.com/v3/__https://people.apache.org/*markt/dev/cert
> >> -
> >> log-example.txt__;fg!!F9svGWnIaVPGSwU!uvbdRvGWKQQygFGij7jlX-
> >> q_mdwzXNByljOdBPrOr5VF-mFiUrnmqaOMqACrbIcgMh-
> >> fWzFlGBMzOf44iZI7_A$
> >>
> >> Enabled with:
> >>
> >> org.apache.tomcat.util.net.NioEndpoint.certificate.level = ALL
> >>
> >> in logging.properties
> >>
> >> (I tried pasting in-line but the line breaks in email mess up the
> >> formatting)
> >>
> >> Mark
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Basic SSL Certificate Usage logging
Posted by Mark Thomas <ma...@apache.org>.
On 15/02/2023 22:17, jonmcalexander@wellsfargo.com.INVALID wrote:
> Hi Mark,
>
> I got a big thumbs up from our team here. They did have 2 questions and of course you can just tell us to go pound sand.
>
> 1. Can this be printed in JSON format, for easier parsing? (or even make it a config parameter – PLAIN / JSON / XML)
Not without (a lot?) more work. Currently the code just does
cert.toString().
> 2. Is it possible to calculate and print the 2 default types of fingerprints that modern browsers are showing (FingerprintSHA1, FingerprintSHA256)?
I should be able to do something for those. My preference would be to
provide the SHA256 fingerprint.
Mark
>
> As always THANK YOU!!!
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexander@wellsfargo.com
> This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
>
>
>> -----Original Message-----
>> From: Mark Thomas <ma...@apache.org>
>> Sent: Wednesday, February 15, 2023 2:17 PM
>> To: users@tomcat.apache.org
>> Subject: Re: Basic SSL Certificate Usage logging
>>
>> On 10/02/2023 15:42, jonmcalexander@wellsfargo.com.INVALID wrote:
>>> Once again, Awesome Possum! You guys are the greatest!
>>
>> How about this? (uses the simple toString() approach)
>>
>> https://urldefense.com/v3/__https://people.apache.org/*markt/dev/cert-
>> log-example.txt__;fg!!F9svGWnIaVPGSwU!uvbdRvGWKQQygFGij7jlX-
>> q_mdwzXNByljOdBPrOr5VF-mFiUrnmqaOMqACrbIcgMh-
>> fWzFlGBMzOf44iZI7_A$
>>
>> Enabled with:
>>
>> org.apache.tomcat.util.net.NioEndpoint.certificate.level = ALL
>>
>> in logging.properties
>>
>> (I tried pasting in-line but the line breaks in email mess up the
>> formatting)
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Basic SSL Certificate Usage logging
Posted by jo...@wellsfargo.com.INVALID.
Hi Mark,
I got a big thumbs up from our team here. They did have 2 questions and of course you can just tell us to go pound sand.
1. Can this be printed in JSON format, for easier parsing? (or even make it a config parameter – PLAIN / JSON / XML)
2. Is it possible to calculate and print the 2 default types of fingerprints that modern browsers are showing (FingerprintSHA1, FingerprintSHA256)?
As always THANK YOU!!!
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Wednesday, February 15, 2023 2:17 PM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
>
> On 10/02/2023 15:42, jonmcalexander@wellsfargo.com.INVALID wrote:
> > Once again, Awesome Possum! You guys are the greatest!
>
> How about this? (uses the simple toString() approach)
>
> https://urldefense.com/v3/__https://people.apache.org/*markt/dev/cert-
> log-example.txt__;fg!!F9svGWnIaVPGSwU!uvbdRvGWKQQygFGij7jlX-
> q_mdwzXNByljOdBPrOr5VF-mFiUrnmqaOMqACrbIcgMh-
> fWzFlGBMzOf44iZI7_A$
>
> Enabled with:
>
> org.apache.tomcat.util.net.NioEndpoint.certificate.level = ALL
>
> in logging.properties
>
> (I tried pasting in-line but the line breaks in email mess up the
> formatting)
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
RE: Basic SSL Certificate Usage logging
Posted by jo...@wellsfargo.com.INVALID.
Thanks Mark. I'm checking with the requestor on my end.
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Wednesday, February 15, 2023 2:17 PM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
>
> On 10/02/2023 15:42, jonmcalexander@wellsfargo.com.INVALID wrote:
> > Once again, Awesome Possum! You guys are the greatest!
>
> How about this? (uses the simple toString() approach)
>
> https://urldefense.com/v3/__https://people.apache.org/*markt/dev/cert-
> log-example.txt__;fg!!F9svGWnIaVPGSwU!uvbdRvGWKQQygFGij7jlX-
> q_mdwzXNByljOdBPrOr5VF-mFiUrnmqaOMqACrbIcgMh-
> fWzFlGBMzOf44iZI7_A$
>
> Enabled with:
>
> org.apache.tomcat.util.net.NioEndpoint.certificate.level = ALL
>
> in logging.properties
>
> (I tried pasting in-line but the line breaks in email mess up the
> formatting)
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Basic SSL Certificate Usage logging
Posted by Mark Thomas <ma...@apache.org>.
On 10/02/2023 15:42, jonmcalexander@wellsfargo.com.INVALID wrote:
> Once again, Awesome Possum! You guys are the greatest!
How about this? (uses the simple toString() approach)
https://people.apache.org/~markt/dev/cert-log-example.txt
Enabled with:
org.apache.tomcat.util.net.NioEndpoint.certificate.level = ALL
in logging.properties
(I tried pasting in-line but the line breaks in email mess up the
formatting)
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Basic SSL Certificate Usage logging
Posted by jo...@wellsfargo.com.INVALID.
Once again, Awesome Possum! You guys are the greatest!
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Friday, February 10, 2023 4:31 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
>
> On 09/02/2023 19:49, Christopher Schultz wrote:
> > Jon,
> >
> > On 2/9/23 11:39, jonmcalexander@wellsfargo.com.INVALID wrote:
> >> My thinking is that the teams requesting that I look into if this is
> >> possible or not would prefer to be able to get the more detailed
> >> information if possible. How much extra work is required to have a
> >> dedicated logger for it, as well as keeping the current message in
> >> the current logging?
> > It shouldn't be that much work, but it is a lot of output.
>
> +1
>
> > Mark, isn't this already a dedicated logger?
> >
> > org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
>
> Unfortunately not. That is the method name.
>
> > +1 to using the log-level as the arbiter for, well, how much logging
> > +to
> > do. :)
>
> :)
>
> I'll try and get this done in time for the next release round.
>
> Mark
>
> >
> > -chris
> >
> >>> -----Original Message-----
> >>> From: Mark Thomas <ma...@apache.org>
> >>> Sent: Thursday, February 9, 2023 3:24 AM
> >>> To: users@tomcat.apache.org
> >>> Subject: Re: Basic SSL Certificate Usage logging
> >>>
> >>> Hi Jon,
> >>>
> >>> The current message looks like this:
> >>>
> >>> 09-Feb-2023 09:09:53.939 INFO [main]
> >>> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector
> >>> [https-
> >>> jsse-nio-8443], TLS virtual host [_default_], certificate type [RSA]
> >>> configured from [conf/localhost-rsa.jks] using alias [tomcat] and
> >>> with trust store [null]
> >>>
> >>> The intention is to make clear, for each configured server
> >>> certificate, which configuration files are being used. The idea
> >>> being that you can then examine the relevant files if there is an
> >>> issue.
> >>>
> >>> There is a balance to strike in terms of providing useful detail and
> >>> providing too much detail in the default logs. Everything below
> >>> feels like too much detail.
> >>>
> >>> One option would be to switch this message to a dedicated logger and
> >>> then provide more/all details if debug logging is enabled. Moving
> >>> this to a dedicated logger would allow debug logging to be enabled
> >>> for that logger without changing the logging for the entire
> >>> endpoint.
> >>>
> >>> Mark
> >>>
> >>>
> >>> On 08/02/2023 18:36, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>>> Hi Mark,
> >>>>
> >>>> As a follow-up, some of my compatriots are asking if we can get all
> >>>> or some
> >>> of these details in the log as well? Wanted to ask early if possible.
> >>>>
> >>>> •   Subject
> >>>> o   Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells
> >>> Fargo,C=US
> >>>> o   Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US
> o   Ex:
> >>>> CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells
> >>> Fargo,C=US
> >>>> •   SAN (aka Subject Alternative Names) o   Ex:
> >>>> DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com
> >>>> o   Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com;
> >>>> o   Ex:
> >>>
> EMAIL:some.name@wellsfargo.com;EMAIL:some.name.alt@wellsfargo.com
> >>>> •   Issuer
> >>>> o   Ex: CN=Wells Fargo Enterprise Certification Authority 05-2
> >>> G2,OU=Wells Fargo Certification Authorities,O=Wells Fargo,C=US
> >>>> •   ValidFrom (aka NotBefore)
> >>>> o   Ex: 2022-05-18T05:09:27Z
> >>>> •   ValidTo (aka NotAfter)
> >>>> o   Ex: 2024-05-17T05:09:27Z
> >>>> •   KeyUsage
> >>>> o   Ex: Digital Signature, Key Encipherment, Data Encipherment •
> >>>> KeyUsageExtended o   Ex: Client Authentication
> >>>> (1.3.6.1.5.5.7.3.2), Server Authentication
> >>> (1.3.6.1.5.5.7.3.1)
> >>>> •   SerialNumber
> >>>> o   Ex: 6a0006e41935f80460711c187000000006e419
> >>>> •   FingerprintSHA1 (aka Thumbprint) o   Ex:
> >>>> 679323d7dcc9307d8696a88e0f1a8d4069a412b6
> >>>> •   FingerprintSHA256
> >>>> o   Ex:
> >>>
> DC5044B2E6A173CB2B05CEE54AA5B185DD6D4A341DC36B3CCB0DC99782DD4
> >>> E41
> >>>> •   PublicKeyAlgo
> >>>> o   Ex: RSA
> >>>> o   Ex: ECDSA
> >>>> •   PublicKeySize
> >>>> o   Ex: 2048
> >>>> o   Ex: P-256
> >>>>
> >>>> Thank you,
> >>>>
> >>>> Dream * Excel * Explore * Inspire
> >>>> Jon McAlexander
> >>>> Senior Infrastructure Engineer
> >>>> Asst. Vice President
> >>>> He/His
> >>>>
> >>>> Middleware Product Engineering
> >>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>
> >>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>> MAC: F4469-010
> >>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>
> >>>> jonmcalexander@wellsfargo.com
> >>>> This message may contain confidential and/or privileged information.
> >>>> If you
> >>> are not the addressee or authorized to receive this for the
> >>> addressee, you must not use, copy, disclose, or take any action
> >>> based on this message or any information herein. If you have
> >>> received this message in error, please advise the sender immediately
> >>> by reply e-mail and delete this message. Thank you for your
> >>> cooperation.
> >>>>
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Mark Thomas <ma...@apache.org>
> >>>>> Sent: Wednesday, February 8, 2023 10:37 AM
> >>>>> To: users@tomcat.apache.org
> >>>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>>
> >>>>> On 08/02/2023 16:24, jonmcalexander@wellsfargo.com.INVALID
> wrote:
> >>>>>> Hi Mark,
> >>>>>>
> >>>>>> So, is this something that can/will be added in the future? I
> >>>>>> tested my
> >>>>> thought of setting the java logging.properties to a specific file
> >>>>> in the command line but it didn't do what I had hoped.
> >>>>>
> >>>>> Already added. Will be in the next round of releases.
> >>>>>
> >>>>> Mark
> >>>>>
> >>>>>
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>
> >>>>>> Middleware Product Engineering
> >>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>>>
> >>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>> MAC: F4469-010
> >>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>
> >>>>>> jonmcalexander@wellsfargo.com
> >>>>>> This message may contain confidential and/or privileged
> information.
> >>>>>> If you
> >>>>> are not the addressee or authorized to receive this for the
> >>>>> addressee, you must not use, copy, disclose, or take any action
> >>>>> based on this message or any information herein. If you have
> >>>>> received this message in error, please advise the sender
> >>>>> immediately by reply e-mail and delete this message. Thank you for
> your cooperation.
> >>>>>>
> >>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: Mark Thomas <ma...@apache.org>
> >>>>>>> Sent: Tuesday, January 10, 2023 8:23 AM
> >>>>>>> To: users@tomcat.apache.org
> >>>>>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>>>>
> >>>>>>> On 10/01/2023 13:52, Christopher Schultz wrote:
> >>>>>>>> Jon,
> >>>>>>>>
> >>>>>>>> On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID
> wrote:
> >>>>>>>>> Yes Chris, It's just for during startup. For a particular
> >>>>>>>>> instance I would like to capture the Certificate Info and
> >>>>>>>>> Truststore being used and pipe that into a separate log/txt file.
> >>>>>>>> So it sounds like just dumping-out the configured certificates,
> >>>>>>>> etc.
> >>>>>>>> to something like the debug log from Connector or SSLHostConfig
> >>>>>>>> or similar would work?
> >>>>>>>>
> >>>>>>>> Or would you want that information available to the application
> >>>>>>>> so you can log it in some very specific way? Note that you can
> >>>>>>>> already get the SSLHostConfig info via JMX if you are willing
> >>>>>>>> to do that.
> >>>>>>>
> >>>>>>> How about something like this:
> >>>>>>>
> >>>>>>> 10-Jan-2023 14:21:07.951 INFO [main]
> >>>>>>> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> >>>>>>> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate
> >>>>>>> type [RSA] configured from [conf/localhost-rsa.jks] using alias
> >>>>>>> [null] and with trust store [null]
> >>>>>>>
> >>>>>>> ?
> >>>>>>>
> >>>>>>> Mark
> >>>>>>>
> >>>>>>>>
> >>>>>>>> -chris
> >>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Thanks,
> >>>>>>>>>
> >>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>>>>
> >>>>>>>>> Middleware Product Engineering Enterprise CIO | EAS |
> >>>>>>>>> Middleware | Infrastructure Solutions
> >>>>>>>>>
> >>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>>>>> MAC: F4469-010
> >>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>>>>
> >>>>>>>>> jonmcalexander@wellsfargo.com
> >>>>>>>>> This message may contain confidential and/or privileged
> >>> information.
> >>>>>>>>> If you are not the addressee or authorized to receive this for
> >>>>>>>>> the addressee, you must not use, copy, disclose, or take any
> >>>>>>>>> action based on this message or any information herein. If you
> >>>>>>>>> have received this message in error, please advise the sender
> >>>>>>>>> immediately by reply e-mail and delete this message. Thank you
> >>>>>>>>> for
> >>>>> your cooperation.
> >>>>>>>>>
> >>>>>>>>>> -----Original Message-----
> >>>>>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>>>>>>>> Sent: Monday, January 9, 2023 8:10 AM
> >>>>>>>>>> To: users@tomcat.apache.org
> >>>>>>>>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>>>>>>>
> >>>>>>>>>> Jon,
> >>>>>>>>>>
> >>>>>>>>>> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID
> wrote:
> >>>>>>>>>>> Thanks for the info.
> >>>>>>>>>>>
> >>>>>>>>>>> In a nutshell I think the certpath,provider would be sufficient.
> >>>>>>>>>>> I'm thinking that I can add this to the java options as
> >>>>>>>>>>> -Djava.security.debug=ssl:certpath,provider however I don't
> >>>>>>>>>>> know how to specify where to log the information.
> >>>>>>>>>> java.security.debug is really a blunt instrument. It's
> >>>>>>>>>> unfortunate that it's one of the only ways to get information
> >>>>>>>>>> out of the TLS stack. It would have been great if Java had
> >>>>>>>>>> started using its own logging system once it was introduced,
> >>>>>>>>>> but no.
> >>>>>>>>>>
> >>>>>>>>>> That debugging tool always dumps to stdout (or stderr?) and
> >>>>>>>>>> you have very little control over where it goes.
> >>>>>>>>>>
> >>>>>>>>>> You would never want to use it for ongoing logging. It truly
> >>>>>>>>>> is for
> >>>>>>>>>> debugging-
> >>>>>>>>>> only.
> >>>>>>>>>>
> >>>>>>>>>> The good news is that application code should be able to get
> >>>>>>>>>> the information you are looking for.
> >>>>>>>>>>
> >>>>>>>>>> Oh, wait...
> >>>>>>>>>>
> >>>>>>>>>>> [...] I'm checking to see if there is any out-of-the-box
> >>>>>>>>>>> option to capture in a log which SSL certificate and trust
> >>>>>>>>>>> keystore is being used during startup?
> >>>>>>>>>> What do you mean "during startup"? I originally read that as
> >>>>>>>>>> "for incoming connections" thinking that you wanted to log
> >>>>>>>>>> which cert was used for a particular request. But it sounds
> >>>>>>>>>> like maybe you are asking for something to just be logged
> >>>>>>>>>> one-time during
> >>> startup?
> >>>>>>>>>>
> >>>>>>>>>> -chris
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks,
> >>>>>>>>>>>
> >>>>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>>>>>>
> >>>>>>>>>>> Middleware Product Engineering Enterprise CIO | EAS |
> >>>>>>>>>>> Middleware | Infrastructure Solutions
> >>>>>>>>>>>
> >>>>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>>>>>>> MAC: F4469-010
> >>>>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>>>>>>
> >>>>>>>>>>> jonmcalexander@wellsfargo.com This message may contain
> >>>>>>>>>>> confidential and/or privileged
> >>>>> information.
> >>>>>>>>>>> If you
> >>>>>>>>>> are not the addressee or authorized to receive this for the
> >>>>>>>>>> addressee, you must not use, copy, disclose, or take any
> >>>>>>>>>> action based on this message or any information herein. If
> >>>>>>>>>> you have received this message in error, please advise the
> >>>>>>>>>> sender immediately by reply e-mail and delete this message.
> >>>>>>>>>> Thank you for your cooperation.
> >>>>>>>>>>>
> >>>>>>>>>>>> -----Original Message-----
> >>>>>>>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>>>>>>>>>> Sent: Friday, January 6, 2023 2:41 PM
> >>>>>>>>>>>> To: users@tomcat.apache.org
> >>>>>>>>>>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>>>>>>>>>
> >>>>>>>>>>>> Mark,
> >>>>>>>>>>>>
> >>>>>>>>>>>> On 1/6/23 15:00, Mark Thomas wrote:
> >>>>>>>>>>>>> Hi Jon,
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> In a word, no. Sorry.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Some sort of info log message probably makes sense for
> this.
> >>>>>>>>>>>>> SNI makes things a little more complicated but we should
> >>>>>>>>>>>>> be able to do
> >>>>>>>>>> something.
> >>>>>>>>>>>>> What is the minimum info you'd like to see?
> >>>>>>>>>>>>
> >>>>>>>>>>>> How about adding a request attribute with some kind of
> >>>>>>>>>>>> identifier (fpr?
> >>>>>>>>>>>> serial-number?) in it and indicates at least which
> >>>>>>>>>>>> server-cert was chosen.
> >>>>>>>>>>>> Then it can trivially be added to e.g. access_log or even
> >>>>>>>>>>>> to application code which wants to do custom logging.
> >>>>>>>>>>>>
> >>>>>>>>>>>> -chris
> >>>>>>>>>>>>
> >>>>>>>>>>>>> On 06/01/2023 18:52,
> >>> jonmcalexander@wellsfargo.com.INVALID
> >>>>>>> wrote:
> >>>>>>>>>>>>>> Good afternoon and Happy New Year,
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> I know about the SSL debug logging, however, I'm
> checking
> >>>>>>>>>>>>>> to see if there is any out-of-the-box option to capture
> >>>>>>>>>>>>>> in a log which SSL certificate and trust keystore is
> >>>>>>>>>>>>>> being used during
> >>>>> startup?
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Thanks,
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>>>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Middleware Product Engineering Enterprise CIO | EAS |
> >>>>>>>>>>>>>> Middleware | Infrastructure Solutions
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>>>>>>>>>> MAC: F4469-010
> >>>>>>>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>
> >>>>>
> >>>
> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
> >>>>>>>>>>>>>> This message may contain confidential and/or privileged
> >>>>>>> information.
> >>>>>>>>>>>>>> If you are not the addressee or authorized to receive
> >>>>>>>>>>>>>> this for the addressee, you must not use, copy, disclose,
> >>>>>>>>>>>>>> or take any action based on this message or any
> information herein.
> >>>>>>>>>>>>>> If you have received this message in error, please advise
> >>>>>>>>>>>>>> the sender immediately by reply e-mail and delete this
> >>>>>>>>>>>>>> message. Thank you for
> >>>>>>>>>> your cooperation.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> ----------------------------------------------------------
> >>>>>>>>>>>>> ---
> >>>>>>>>>>>>> --
> >>>>>>>>>>>>> --
> >>>>>>>>>>>>> ---
> >>>>>>>>>>>>> - To unsubscribe, e-mail: users-
> >>> unsubscribe@tomcat.apache.org
> >>>>>>>>>>>>> For additional commands, e-mail: users-
> >>> help@tomcat.apache.org
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>> -----------------------------------------------------------
> >>>>>>>>>>>> ---
> >>>>>>>>>>>> --
> >>>>>>>>>>>> --
> >>>>>>>>>>>> --- To unsubscribe, e-mail:
> >>>>>>>>>>>> users-unsubscribe@tomcat.apache.org
> >>>>>>>>>>>> For additional commands, e-mail: users-
> >>> help@tomcat.apache.org
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> ------------------------------------------------------------
> >>>>>>>>>>> ---
> >>>>>>>>>>> --
> >>>>>>>>>>> --
> >>>>>>>>>>> -- To unsubscribe, e-mail:
> >>>>>>>>>>> users-unsubscribe@tomcat.apache.org
> >>>>>>>>>>> For additional commands, e-mail:
> >>>>>>>>>>> users-help@tomcat.apache.org
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> -------------------------------------------------------------
> >>>>>>>>>> ---
> >>>>>>>>>> --
> >>>>>>>>>> --
> >>>>>>>>>> - To unsubscribe, e-mail: users-
> unsubscribe@tomcat.apache.org
> >>>>>>>>>> For additional commands, e-mail: users-
> help@tomcat.apache.org
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> --------------------------------------------------------------
> >>>>>>>>> ---
> >>>>>>>>> --
> >>>>>>>>> -- To unsubscribe, e-mail: users-
> unsubscribe@tomcat.apache.org
> >>>>>>>>> For additional commands, e-mail: users-
> help@tomcat.apache.org
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>> ---------------------------------------------------------------
> >>>>>>>> ---
> >>>>>>>> --
> >>>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>>>
> >>>>>>>
> >>>>>>> ----------------------------------------------------------------
> >>>>>>> ---
> >>>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>
> >>>>>>
> >>>>>> -----------------------------------------------------------------
> >>>>>> ---
> >>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>
> >>>>>
> >>>>> ------------------------------------------------------------------
> >>>>> --- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>>
> >>>> -------------------------------------------------------------------
> >>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>
> >>> --------------------------------------------------------------------
> >>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
Re: Basic SSL Certificate Usage logging
Posted by Mark Thomas <ma...@apache.org>.
On 09/02/2023 19:49, Christopher Schultz wrote:
> Jon,
>
> On 2/9/23 11:39, jonmcalexander@wellsfargo.com.INVALID wrote:
>> My thinking is that the teams requesting that I look into if this is
>> possible or not would prefer to be able to get the more detailed
>> information if possible. How much extra work is required to have a
>> dedicated logger for it, as well as keeping the current message in
>> the current logging?
> It shouldn't be that much work, but it is a lot of output.
+1
> Mark, isn't this already a dedicated logger?
>
> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
Unfortunately not. That is the method name.
> +1 to using the log-level as the arbiter for, well, how much logging to
> do. :)
:)
I'll try and get this done in time for the next release round.
Mark
>
> -chris
>
>>> -----Original Message-----
>>> From: Mark Thomas <ma...@apache.org>
>>> Sent: Thursday, February 9, 2023 3:24 AM
>>> To: users@tomcat.apache.org
>>> Subject: Re: Basic SSL Certificate Usage logging
>>>
>>> Hi Jon,
>>>
>>> The current message looks like this:
>>>
>>> 09-Feb-2023 09:09:53.939 INFO [main]
>>> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector
>>> [https-
>>> jsse-nio-8443], TLS virtual host [_default_], certificate type [RSA]
>>> configured
>>> from [conf/localhost-rsa.jks] using alias [tomcat] and with trust
>>> store [null]
>>>
>>> The intention is to make clear, for each configured server
>>> certificate, which
>>> configuration files are being used. The idea being that you can then
>>> examine
>>> the relevant files if there is an issue.
>>>
>>> There is a balance to strike in terms of providing useful detail and
>>> providing
>>> too much detail in the default logs. Everything below feels like too
>>> much
>>> detail.
>>>
>>> One option would be to switch this message to a dedicated logger and
>>> then
>>> provide more/all details if debug logging is enabled. Moving this to a
>>> dedicated logger would allow debug logging to be enabled for that logger
>>> without changing the logging for the entire endpoint.
>>>
>>> Mark
>>>
>>>
>>> On 08/02/2023 18:36, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>> Hi Mark,
>>>>
>>>> As a follow-up, some of my compatriots are asking if we can get all
>>>> or some
>>> of these details in the log as well? Wanted to ask early if possible.
>>>>
>>>> •   Subject
>>>> o   Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells
>>> Fargo,C=US
>>>> o   Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US
>>>> o   Ex: CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells
>>> Fargo,C=US
>>>> •   SAN (aka Subject Alternative Names)
>>>> o   Ex: DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com
>>>> o   Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com;
>>>> o   Ex:
>>> EMAIL:some.name@wellsfargo.com;EMAIL:some.name.alt@wellsfargo.com
>>>> •   Issuer
>>>> o   Ex: CN=Wells Fargo Enterprise Certification Authority 05-2
>>> G2,OU=Wells Fargo Certification Authorities,O=Wells Fargo,C=US
>>>> •   ValidFrom (aka NotBefore)
>>>> o   Ex: 2022-05-18T05:09:27Z
>>>> •   ValidTo (aka NotAfter)
>>>> o   Ex: 2024-05-17T05:09:27Z
>>>> •   KeyUsage
>>>> o   Ex: Digital Signature, Key Encipherment, Data Encipherment
>>>> •   KeyUsageExtended
>>>> o   Ex: Client Authentication (1.3.6.1.5.5.7.3.2), Server
>>>> Authentication
>>> (1.3.6.1.5.5.7.3.1)
>>>> •   SerialNumber
>>>> o   Ex: 6a0006e41935f80460711c187000000006e419
>>>> •   FingerprintSHA1 (aka Thumbprint)
>>>> o   Ex: 679323d7dcc9307d8696a88e0f1a8d4069a412b6
>>>> •   FingerprintSHA256
>>>> o   Ex:
>>> DC5044B2E6A173CB2B05CEE54AA5B185DD6D4A341DC36B3CCB0DC99782DD4
>>> E41
>>>> •   PublicKeyAlgo
>>>> o   Ex: RSA
>>>> o   Ex: ECDSA
>>>> •   PublicKeySize
>>>> o   Ex: 2048
>>>> o   Ex: P-256
>>>>
>>>> Thank you,
>>>>
>>>> Dream * Excel * Explore * Inspire
>>>> Jon McAlexander
>>>> Senior Infrastructure Engineer
>>>> Asst. Vice President
>>>> He/His
>>>>
>>>> Middleware Product Engineering
>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>
>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>> MAC: F4469-010
>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>
>>>> jonmcalexander@wellsfargo.com
>>>> This message may contain confidential and/or privileged information.
>>>> If you
>>> are not the addressee or authorized to receive this for the
>>> addressee, you
>>> must not use, copy, disclose, or take any action based on this
>>> message or any
>>> information herein. If you have received this message in error,
>>> please advise
>>> the sender immediately by reply e-mail and delete this message. Thank
>>> you
>>> for your cooperation.
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Mark Thomas <ma...@apache.org>
>>>>> Sent: Wednesday, February 8, 2023 10:37 AM
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>>
>>>>> On 08/02/2023 16:24, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>>>> Hi Mark,
>>>>>>
>>>>>> So, is this something that can/will be added in the future? I tested
>>>>>> my
>>>>> thought of setting the java logging.properties to a specific file in
>>>>> the command line but it didn't do what I had hoped.
>>>>>
>>>>> Already added. Will be in the next round of releases.
>>>>>
>>>>> Mark
>>>>>
>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Dream * Excel * Explore * Inspire
>>>>>> Jon McAlexander
>>>>>> Senior Infrastructure Engineer
>>>>>> Asst. Vice President
>>>>>> He/His
>>>>>>
>>>>>> Middleware Product Engineering
>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>>
>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>> MAC: F4469-010
>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>
>>>>>> jonmcalexander@wellsfargo.com
>>>>>> This message may contain confidential and/or privileged information.
>>>>>> If you
>>>>> are not the addressee or authorized to receive this for the
>>>>> addressee, you must not use, copy, disclose, or take any action based
>>>>> on this message or any information herein. If you have received this
>>>>> message in error, please advise the sender immediately by reply
>>>>> e-mail and delete this message. Thank you for your cooperation.
>>>>>>
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Mark Thomas <ma...@apache.org>
>>>>>>> Sent: Tuesday, January 10, 2023 8:23 AM
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>>>>
>>>>>>> On 10/01/2023 13:52, Christopher Schultz wrote:
>>>>>>>> Jon,
>>>>>>>>
>>>>>>>> On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>>>>>>> Yes Chris, It's just for during startup. For a particular
>>>>>>>>> instance I would like to capture the Certificate Info and
>>>>>>>>> Truststore being used and pipe that into a separate log/txt file.
>>>>>>>> So it sounds like just dumping-out the configured certificates,
>>>>>>>> etc.
>>>>>>>> to something like the debug log from Connector or SSLHostConfig or
>>>>>>>> similar would work?
>>>>>>>>
>>>>>>>> Or would you want that information available to the application so
>>>>>>>> you can log it in some very specific way? Note that you can
>>>>>>>> already get the SSLHostConfig info via JMX if you are willing to
>>>>>>>> do that.
>>>>>>>
>>>>>>> How about something like this:
>>>>>>>
>>>>>>> 10-Jan-2023 14:21:07.951 INFO [main]
>>>>>>> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
>>>>>>> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate
>>>>>>> type [RSA] configured from [conf/localhost-rsa.jks] using alias
>>>>>>> [null] and with trust store [null]
>>>>>>>
>>>>>>> ?
>>>>>>>
>>>>>>> Mark
>>>>>>>
>>>>>>>>
>>>>>>>> -chris
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
>>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
>>>>>>>>>
>>>>>>>>> Middleware Product Engineering
>>>>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>>>>>
>>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>>>>> MAC: F4469-010
>>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>>>>
>>>>>>>>> jonmcalexander@wellsfargo.com
>>>>>>>>> This message may contain confidential and/or privileged
>>> information.
>>>>>>>>> If you are not the addressee or authorized to receive this for
>>>>>>>>> the addressee, you must not use, copy, disclose, or take any
>>>>>>>>> action based on this message or any information herein. If you
>>>>>>>>> have received this message in error, please advise the sender
>>>>>>>>> immediately by reply e-mail and delete this message. Thank you
>>>>>>>>> for
>>>>> your cooperation.
>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>>>>>>>> Sent: Monday, January 9, 2023 8:10 AM
>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>>>>>>>
>>>>>>>>>> Jon,
>>>>>>>>>>
>>>>>>>>>> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>>>>>>>>> Thanks for the info.
>>>>>>>>>>>
>>>>>>>>>>> In a nutshell I think the certpath,provider would be sufficient.
>>>>>>>>>>> I'm thinking that I can add this to the java options as
>>>>>>>>>>> -Djava.security.debug=ssl:certpath,provider however I don't
>>>>>>>>>>> know how to specify where to log the information.
>>>>>>>>>> java.security.debug is really a blunt instrument. It's
>>>>>>>>>> unfortunate that it's one of the only ways to get information
>>>>>>>>>> out of the TLS stack. It would have been great if Java had
>>>>>>>>>> started using its own logging system once it was introduced,
>>>>>>>>>> but no.
>>>>>>>>>>
>>>>>>>>>> That debugging tool always dumps to stdout (or stderr?) and you
>>>>>>>>>> have very little control over where it goes.
>>>>>>>>>>
>>>>>>>>>> You would never want to use it for ongoing logging. It truly is
>>>>>>>>>> for
>>>>>>>>>> debugging-
>>>>>>>>>> only.
>>>>>>>>>>
>>>>>>>>>> The good news is that application code should be able to get the
>>>>>>>>>> information you are looking for.
>>>>>>>>>>
>>>>>>>>>> Oh, wait...
>>>>>>>>>>
>>>>>>>>>>> [...] I'm checking to see if there is any out-of-the-box option
>>>>>>>>>>> to capture in a log which SSL certificate and trust keystore is
>>>>>>>>>>> being used during startup?
>>>>>>>>>> What do you mean "during startup"? I originally read that as
>>>>>>>>>> "for incoming connections" thinking that you wanted to log which
>>>>>>>>>> cert was used for a particular request. But it sounds like maybe
>>>>>>>>>> you are asking for something to just be logged one-time during
>>> startup?
>>>>>>>>>>
>>>>>>>>>> -chris
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
>>>>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
>>>>>>>>>>>
>>>>>>>>>>> Middleware Product Engineering
>>>>>>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>>>>>>>
>>>>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>>>>>>> MAC: F4469-010
>>>>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>>>>>>
>>>>>>>>>>> jonmcalexander@wellsfargo.com
>>>>>>>>>>> This message may contain confidential and/or privileged
>>>>> information.
>>>>>>>>>>> If you
>>>>>>>>>> are not the addressee or authorized to receive this for the
>>>>>>>>>> addressee, you must not use, copy, disclose, or take any action
>>>>>>>>>> based on this message or any information herein. If you have
>>>>>>>>>> received this message in error, please advise the sender
>>>>>>>>>> immediately by reply e-mail and delete this message. Thank you
>>>>>>>>>> for your cooperation.
>>>>>>>>>>>
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>>>>>>>>>> Sent: Friday, January 6, 2023 2:41 PM
>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>>>>>>>>>
>>>>>>>>>>>> Mark,
>>>>>>>>>>>>
>>>>>>>>>>>> On 1/6/23 15:00, Mark Thomas wrote:
>>>>>>>>>>>>> Hi Jon,
>>>>>>>>>>>>>
>>>>>>>>>>>>> In a word, no. Sorry.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Some sort of info log message probably makes sense for this.
>>>>>>>>>>>>> SNI makes things a little more complicated but we should be
>>>>>>>>>>>>> able to do
>>>>>>>>>> something.
>>>>>>>>>>>>> What is the minimum info you'd like to see?
>>>>>>>>>>>>
>>>>>>>>>>>> How about adding a request attribute with some kind of
>>>>>>>>>>>> identifier (fpr?
>>>>>>>>>>>> serial-number?) in it and indicates at least which server-cert
>>>>>>>>>>>> was chosen.
>>>>>>>>>>>> Then it can trivially be added to e.g. access_log or even to
>>>>>>>>>>>> application code which wants to do custom logging.
>>>>>>>>>>>>
>>>>>>>>>>>> -chris
>>>>>>>>>>>>
>>>>>>>>>>>>> On 06/01/2023 18:52,
>>> jonmcalexander@wellsfargo.com.INVALID
>>>>>>> wrote:
>>>>>>>>>>>>>> Good afternoon and Happy New Year,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I know about the SSL debug logging, however, I'm checking to
>>>>>>>>>>>>>> see if there is any out-of-the-box option to capture in a
>>>>>>>>>>>>>> log which SSL certificate and trust keystore is being used
>>>>>>>>>>>>>> during
>>>>> startup?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
>>>>>>>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Middleware Product Engineering Enterprise CIO | EAS |
>>>>>>>>>>>>>> Middleware | Infrastructure Solutions
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>>>>>>>>>> MAC: F4469-010
>>>>>>>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>
>>>>>
>>> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
>>>>>>>>>>>>>> This message may contain confidential and/or privileged
>>>>>>> information.
>>>>>>>>>>>>>> If you are not the addressee or authorized to receive this
>>>>>>>>>>>>>> for the addressee, you must not use, copy, disclose, or take
>>>>>>>>>>>>>> any action based on this message or any information herein.
>>>>>>>>>>>>>> If you have received this message in error, please advise
>>>>>>>>>>>>>> the sender immediately by reply e-mail and delete this
>>>>>>>>>>>>>> message. Thank you for
>>>>>>>>>> your cooperation.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> -------------------------------------------------------------
>>>>>>>>>>>>> --
>>>>>>>>>>>>> --
>>>>>>>>>>>>> ---
>>>>>>>>>>>>> - To unsubscribe, e-mail: users-
>>> unsubscribe@tomcat.apache.org
>>>>>>>>>>>>> For additional commands, e-mail: users-
>>> help@tomcat.apache.org
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --------------------------------------------------------------
>>>>>>>>>>>> --
>>>>>>>>>>>> --
>>>>>>>>>>>> --- To unsubscribe, e-mail:
>>>>>>>>>>>> users-unsubscribe@tomcat.apache.org
>>>>>>>>>>>> For additional commands, e-mail: users-
>>> help@tomcat.apache.org
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>>>> --
>>>>>>>>>>> --
>>>>>>>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ----------------------------------------------------------------
>>>>>>>>>> --
>>>>>>>>>> --
>>>>>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -----------------------------------------------------------------
>>>>>>>>> --
>>>>>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>>
>>>>>>>>
>>>>>>>> ------------------------------------------------------------------
>>>>>>>> --
>>>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>
>>>>>>>
>>>>>>> -------------------------------------------------------------------
>>>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>
>>>>>>
>>>>>> --------------------------------------------------------------------
>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Basic SSL Certificate Usage logging
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jon,
On 2/9/23 11:39, jonmcalexander@wellsfargo.com.INVALID wrote:
> My thinking is that the teams requesting that I look into if this is
> possible or not would prefer to be able to get the more detailed
> information if possible. How much extra work is required to have a
> dedicated logger for it, as well as keeping the current message in
> the current logging?
It shouldn't be that much work, but it is a lot of output.
Mark, isn't this already a dedicated logger?
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
+1 to using the log-level as the arbiter for, well, how much logging to
do. :)
-chris
>> -----Original Message-----
>> From: Mark Thomas <ma...@apache.org>
>> Sent: Thursday, February 9, 2023 3:24 AM
>> To: users@tomcat.apache.org
>> Subject: Re: Basic SSL Certificate Usage logging
>>
>> Hi Jon,
>>
>> The current message looks like this:
>>
>> 09-Feb-2023 09:09:53.939 INFO [main]
>> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-
>> jsse-nio-8443], TLS virtual host [_default_], certificate type [RSA] configured
>> from [conf/localhost-rsa.jks] using alias [tomcat] and with trust store [null]
>>
>> The intention is to make clear, for each configured server certificate, which
>> configuration files are being used. The idea being that you can then examine
>> the relevant files if there is an issue.
>>
>> There is a balance to strike in terms of providing useful detail and providing
>> too much detail in the default logs. Everything below feels like too much
>> detail.
>>
>> One option would be to switch this message to a dedicated logger and then
>> provide more/all details if debug logging is enabled. Moving this to a
>> dedicated logger would allow debug logging to be enabled for that logger
>> without changing the logging for the entire endpoint.
>>
>> Mark
>>
>>
>> On 08/02/2023 18:36, jonmcalexander@wellsfargo.com.INVALID wrote:
>>> Hi Mark,
>>>
>>> As a follow-up, some of my compatriots are asking if we can get all or some
>> of these details in the log as well? Wanted to ask early if possible.
>>>
>>> • Subject
>>> o Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells
>> Fargo,C=US
>>> o Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US
>>> o Ex: CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells
>> Fargo,C=US
>>> • SAN (aka Subject Alternative Names)
>>> o Ex: DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com
>>> o Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com;
>>> o Ex:
>> EMAIL:some.name@wellsfargo.com;EMAIL:some.name.alt@wellsfargo.com
>>> • Issuer
>>> o Ex: CN=Wells Fargo Enterprise Certification Authority 05-2
>> G2,OU=Wells Fargo Certification Authorities,O=Wells Fargo,C=US
>>> • ValidFrom (aka NotBefore)
>>> o Ex: 2022-05-18T05:09:27Z
>>> • ValidTo (aka NotAfter)
>>> o Ex: 2024-05-17T05:09:27Z
>>> • KeyUsage
>>> o Ex: Digital Signature, Key Encipherment, Data Encipherment
>>> • KeyUsageExtended
>>> o Ex: Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication
>> (1.3.6.1.5.5.7.3.1)
>>> • SerialNumber
>>> o Ex: 6a0006e41935f80460711c187000000006e419
>>> • FingerprintSHA1 (aka Thumbprint)
>>> o Ex: 679323d7dcc9307d8696a88e0f1a8d4069a412b6
>>> • FingerprintSHA256
>>> o Ex:
>> DC5044B2E6A173CB2B05CEE54AA5B185DD6D4A341DC36B3CCB0DC99782DD4
>> E41
>>> • PublicKeyAlgo
>>> o Ex: RSA
>>> o Ex: ECDSA
>>> • PublicKeySize
>>> o Ex: 2048
>>> o Ex: P-256
>>>
>>> Thank you,
>>>
>>> Dream * Excel * Explore * Inspire
>>> Jon McAlexander
>>> Senior Infrastructure Engineer
>>> Asst. Vice President
>>> He/His
>>>
>>> Middleware Product Engineering
>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>
>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>> MAC: F4469-010
>>> Tel 515-988-2508 | Cell 515-988-2508
>>>
>>> jonmcalexander@wellsfargo.com
>>> This message may contain confidential and/or privileged information. If you
>> are not the addressee or authorized to receive this for the addressee, you
>> must not use, copy, disclose, or take any action based on this message or any
>> information herein. If you have received this message in error, please advise
>> the sender immediately by reply e-mail and delete this message. Thank you
>> for your cooperation.
>>>
>>>
>>>> -----Original Message-----
>>>> From: Mark Thomas <ma...@apache.org>
>>>> Sent: Wednesday, February 8, 2023 10:37 AM
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>
>>>> On 08/02/2023 16:24, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>>> Hi Mark,
>>>>>
>>>>> So, is this something that can/will be added in the future? I tested
>>>>> my
>>>> thought of setting the java logging.properties to a specific file in
>>>> the command line but it didn't do what I had hoped.
>>>>
>>>> Already added. Will be in the next round of releases.
>>>>
>>>> Mark
>>>>
>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Dream * Excel * Explore * Inspire
>>>>> Jon McAlexander
>>>>> Senior Infrastructure Engineer
>>>>> Asst. Vice President
>>>>> He/His
>>>>>
>>>>> Middleware Product Engineering
>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>
>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>> MAC: F4469-010
>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>
>>>>> jonmcalexander@wellsfargo.com
>>>>> This message may contain confidential and/or privileged information.
>>>>> If you
>>>> are not the addressee or authorized to receive this for the
>>>> addressee, you must not use, copy, disclose, or take any action based
>>>> on this message or any information herein. If you have received this
>>>> message in error, please advise the sender immediately by reply
>>>> e-mail and delete this message. Thank you for your cooperation.
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Mark Thomas <ma...@apache.org>
>>>>>> Sent: Tuesday, January 10, 2023 8:23 AM
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>>>
>>>>>> On 10/01/2023 13:52, Christopher Schultz wrote:
>>>>>>> Jon,
>>>>>>>
>>>>>>> On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>>>>>> Yes Chris, It's just for during startup. For a particular
>>>>>>>> instance I would like to capture the Certificate Info and
>>>>>>>> Truststore being used and pipe that into a separate log/txt file.
>>>>>>> So it sounds like just dumping-out the configured certificates, etc.
>>>>>>> to something like the debug log from Connector or SSLHostConfig or
>>>>>>> similar would work?
>>>>>>>
>>>>>>> Or would you want that information available to the application so
>>>>>>> you can log it in some very specific way? Note that you can
>>>>>>> already get the SSLHostConfig info via JMX if you are willing to do that.
>>>>>>
>>>>>> How about something like this:
>>>>>>
>>>>>> 10-Jan-2023 14:21:07.951 INFO [main]
>>>>>> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
>>>>>> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate
>>>>>> type [RSA] configured from [conf/localhost-rsa.jks] using alias
>>>>>> [null] and with trust store [null]
>>>>>>
>>>>>> ?
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>>>
>>>>>>> -chris
>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
>>>>>>>>
>>>>>>>> Middleware Product Engineering
>>>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>>>>
>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>>>> MAC: F4469-010
>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>>>
>>>>>>>> jonmcalexander@wellsfargo.com
>>>>>>>> This message may contain confidential and/or privileged
>> information.
>>>>>>>> If you are not the addressee or authorized to receive this for
>>>>>>>> the addressee, you must not use, copy, disclose, or take any
>>>>>>>> action based on this message or any information herein. If you
>>>>>>>> have received this message in error, please advise the sender
>>>>>>>> immediately by reply e-mail and delete this message. Thank you
>>>>>>>> for
>>>> your cooperation.
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>>>>>>> Sent: Monday, January 9, 2023 8:10 AM
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>>>>>>
>>>>>>>>> Jon,
>>>>>>>>>
>>>>>>>>> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>>>>>>>> Thanks for the info.
>>>>>>>>>>
>>>>>>>>>> In a nutshell I think the certpath,provider would be sufficient.
>>>>>>>>>> I'm thinking that I can add this to the java options as
>>>>>>>>>> -Djava.security.debug=ssl:certpath,provider however I don't
>>>>>>>>>> know how to specify where to log the information.
>>>>>>>>> java.security.debug is really a blunt instrument. It's
>>>>>>>>> unfortunate that it's one of the only ways to get information
>>>>>>>>> out of the TLS stack. It would have been great if Java had
>>>>>>>>> started using its own logging system once it was introduced, but no.
>>>>>>>>>
>>>>>>>>> That debugging tool always dumps to stdout (or stderr?) and you
>>>>>>>>> have very little control over where it goes.
>>>>>>>>>
>>>>>>>>> You would never want to use it for ongoing logging. It truly is
>>>>>>>>> for
>>>>>>>>> debugging-
>>>>>>>>> only.
>>>>>>>>>
>>>>>>>>> The good news is that application code should be able to get the
>>>>>>>>> information you are looking for.
>>>>>>>>>
>>>>>>>>> Oh, wait...
>>>>>>>>>
>>>>>>>>>> [...] I'm checking to see if there is any out-of-the-box option
>>>>>>>>>> to capture in a log which SSL certificate and trust keystore is
>>>>>>>>>> being used during startup?
>>>>>>>>> What do you mean "during startup"? I originally read that as
>>>>>>>>> "for incoming connections" thinking that you wanted to log which
>>>>>>>>> cert was used for a particular request. But it sounds like maybe
>>>>>>>>> you are asking for something to just be logged one-time during
>> startup?
>>>>>>>>>
>>>>>>>>> -chris
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
>>>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
>>>>>>>>>>
>>>>>>>>>> Middleware Product Engineering
>>>>>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>>>>>>
>>>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>>>>>> MAC: F4469-010
>>>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>>>>>
>>>>>>>>>> jonmcalexander@wellsfargo.com
>>>>>>>>>> This message may contain confidential and/or privileged
>>>> information.
>>>>>>>>>> If you
>>>>>>>>> are not the addressee or authorized to receive this for the
>>>>>>>>> addressee, you must not use, copy, disclose, or take any action
>>>>>>>>> based on this message or any information herein. If you have
>>>>>>>>> received this message in error, please advise the sender
>>>>>>>>> immediately by reply e-mail and delete this message. Thank you
>>>>>>>>> for your cooperation.
>>>>>>>>>>
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>>>>>>>>> Sent: Friday, January 6, 2023 2:41 PM
>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>>>>>>>>
>>>>>>>>>>> Mark,
>>>>>>>>>>>
>>>>>>>>>>> On 1/6/23 15:00, Mark Thomas wrote:
>>>>>>>>>>>> Hi Jon,
>>>>>>>>>>>>
>>>>>>>>>>>> In a word, no. Sorry.
>>>>>>>>>>>>
>>>>>>>>>>>> Some sort of info log message probably makes sense for this.
>>>>>>>>>>>> SNI makes things a little more complicated but we should be
>>>>>>>>>>>> able to do
>>>>>>>>> something.
>>>>>>>>>>>> What is the minimum info you'd like to see?
>>>>>>>>>>>
>>>>>>>>>>> How about adding a request attribute with some kind of
>>>>>>>>>>> identifier (fpr?
>>>>>>>>>>> serial-number?) in it and indicates at least which server-cert
>>>>>>>>>>> was chosen.
>>>>>>>>>>> Then it can trivially be added to e.g. access_log or even to
>>>>>>>>>>> application code which wants to do custom logging.
>>>>>>>>>>>
>>>>>>>>>>> -chris
>>>>>>>>>>>
>>>>>>>>>>>> On 06/01/2023 18:52,
>> jonmcalexander@wellsfargo.com.INVALID
>>>>>> wrote:
>>>>>>>>>>>>> Good afternoon and Happy New Year,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I know about the SSL debug logging, however, I'm checking to
>>>>>>>>>>>>> see if there is any out-of-the-box option to capture in a
>>>>>>>>>>>>> log which SSL certificate and trust keystore is being used
>>>>>>>>>>>>> during
>>>> startup?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
>>>>>>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
>>>>>>>>>>>>>
>>>>>>>>>>>>> Middleware Product Engineering Enterprise CIO | EAS |
>>>>>>>>>>>>> Middleware | Infrastructure Solutions
>>>>>>>>>>>>>
>>>>>>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>>>>>>>>> MAC: F4469-010
>>>>>>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>
>>>>
>> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
>>>>>>>>>>>>> This message may contain confidential and/or privileged
>>>>>> information.
>>>>>>>>>>>>> If you are not the addressee or authorized to receive this
>>>>>>>>>>>>> for the addressee, you must not use, copy, disclose, or take
>>>>>>>>>>>>> any action based on this message or any information herein.
>>>>>>>>>>>>> If you have received this message in error, please advise
>>>>>>>>>>>>> the sender immediately by reply e-mail and delete this
>>>>>>>>>>>>> message. Thank you for
>>>>>>>>> your cooperation.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> -------------------------------------------------------------
>>>>>>>>>>>> --
>>>>>>>>>>>> --
>>>>>>>>>>>> ---
>>>>>>>>>>>> - To unsubscribe, e-mail: users-
>> unsubscribe@tomcat.apache.org
>>>>>>>>>>>> For additional commands, e-mail: users-
>> help@tomcat.apache.org
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --------------------------------------------------------------
>>>>>>>>>>> --
>>>>>>>>>>> --
>>>>>>>>>>> --- To unsubscribe, e-mail:
>>>>>>>>>>> users-unsubscribe@tomcat.apache.org
>>>>>>>>>>> For additional commands, e-mail: users-
>> help@tomcat.apache.org
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>>> --
>>>>>>>>>> --
>>>>>>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ----------------------------------------------------------------
>>>>>>>>> --
>>>>>>>>> --
>>>>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>
>>>>>>>>
>>>>>>>> -----------------------------------------------------------------
>>>>>>>> --
>>>>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------
>>>>>>> --
>>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>
>>>>>>
>>>>>> -------------------------------------------------------------------
>>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>>>
>>>>> --------------------------------------------------------------------
>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Basic SSL Certificate Usage logging
Posted by jo...@wellsfargo.com.INVALID.
Hi Mark,
My thinking is that the teams requesting that I look into if this is possible or not would prefer to be able to get the more detailed information if possible. How much extra work is required to have a dedicated logger for it, as well as keeping the current message in the current logging?
Thanks again for everything!
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Thursday, February 9, 2023 3:24 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
>
> Hi Jon,
>
> The current message looks like this:
>
> 09-Feb-2023 09:09:53.939 INFO [main]
> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-
> jsse-nio-8443], TLS virtual host [_default_], certificate type [RSA] configured
> from [conf/localhost-rsa.jks] using alias [tomcat] and with trust store [null]
>
> The intention is to make clear, for each configured server certificate, which
> configuration files are being used. The idea being that you can then examine
> the relevant files if there is an issue.
>
> There is a balance to strike in terms of providing useful detail and providing
> too much detail in the default logs. Everything below feels like too much
> detail.
>
> One option would be to switch this message to a dedicated logger and then
> provide more/all details if debug logging is enabled. Moving this to a
> dedicated logger would allow debug logging to be enabled for that logger
> without changing the logging for the entire endpoint.
>
> Mark
>
>
> On 08/02/2023 18:36, jonmcalexander@wellsfargo.com.INVALID wrote:
> > Hi Mark,
> >
> > As a follow-up, some of my compatriots are asking if we can get all or some
> of these details in the log as well? Wanted to ask early if possible.
> >
> > • Subject
> > o Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells
> Fargo,C=US
> > o Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US
> > o Ex: CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells
> Fargo,C=US
> > • SAN (aka Subject Alternative Names)
> > o Ex: DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com
> > o Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com;
> > o Ex:
> EMAIL:some.name@wellsfargo.com;EMAIL:some.name.alt@wellsfargo.com
> > • Issuer
> > o Ex: CN=Wells Fargo Enterprise Certification Authority 05-2
> G2,OU=Wells Fargo Certification Authorities,O=Wells Fargo,C=US
> > • ValidFrom (aka NotBefore)
> > o Ex: 2022-05-18T05:09:27Z
> > • ValidTo (aka NotAfter)
> > o Ex: 2024-05-17T05:09:27Z
> > • KeyUsage
> > o Ex: Digital Signature, Key Encipherment, Data Encipherment
> > • KeyUsageExtended
> > o Ex: Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication
> (1.3.6.1.5.5.7.3.1)
> > • SerialNumber
> > o Ex: 6a0006e41935f80460711c187000000006e419
> > • FingerprintSHA1 (aka Thumbprint)
> > o Ex: 679323d7dcc9307d8696a88e0f1a8d4069a412b6
> > • FingerprintSHA256
> > o Ex:
> DC5044B2E6A173CB2B05CEE54AA5B185DD6D4A341DC36B3CCB0DC99782DD4
> E41
> > • PublicKeyAlgo
> > o Ex: RSA
> > o Ex: ECDSA
> > • PublicKeySize
> > o Ex: 2048
> > o Ex: P-256
> >
> > Thank you,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexander@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >
> >> -----Original Message-----
> >> From: Mark Thomas <ma...@apache.org>
> >> Sent: Wednesday, February 8, 2023 10:37 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> On 08/02/2023 16:24, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>> Hi Mark,
> >>>
> >>> So, is this something that can/will be added in the future? I tested
> >>> my
> >> thought of setting the java logging.properties to a specific file in
> >> the command line but it didn't do what I had hoped.
> >>
> >> Already added. Will be in the next round of releases.
> >>
> >> Mark
> >>
> >>
> >>>
> >>> Thanks,
> >>>
> >>> Dream * Excel * Explore * Inspire
> >>> Jon McAlexander
> >>> Senior Infrastructure Engineer
> >>> Asst. Vice President
> >>> He/His
> >>>
> >>> Middleware Product Engineering
> >>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>
> >>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>> MAC: F4469-010
> >>> Tel 515-988-2508 | Cell 515-988-2508
> >>>
> >>> jonmcalexander@wellsfargo.com
> >>> This message may contain confidential and/or privileged information.
> >>> If you
> >> are not the addressee or authorized to receive this for the
> >> addressee, you must not use, copy, disclose, or take any action based
> >> on this message or any information herein. If you have received this
> >> message in error, please advise the sender immediately by reply
> >> e-mail and delete this message. Thank you for your cooperation.
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: Mark Thomas <ma...@apache.org>
> >>>> Sent: Tuesday, January 10, 2023 8:23 AM
> >>>> To: users@tomcat.apache.org
> >>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>
> >>>> On 10/01/2023 13:52, Christopher Schultz wrote:
> >>>>> Jon,
> >>>>>
> >>>>> On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>>>>> Yes Chris, It's just for during startup. For a particular
> >>>>>> instance I would like to capture the Certificate Info and
> >>>>>> Truststore being used and pipe that into a separate log/txt file.
> >>>>> So it sounds like just dumping-out the configured certificates, etc.
> >>>>> to something like the debug log from Connector or SSLHostConfig or
> >>>>> similar would work?
> >>>>>
> >>>>> Or would you want that information available to the application so
> >>>>> you can log it in some very specific way? Note that you can
> >>>>> already get the SSLHostConfig info via JMX if you are willing to do that.
> >>>>
> >>>> How about something like this:
> >>>>
> >>>> 10-Jan-2023 14:21:07.951 INFO [main]
> >>>> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> >>>> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate
> >>>> type [RSA] configured from [conf/localhost-rsa.jks] using alias
> >>>> [null] and with trust store [null]
> >>>>
> >>>> ?
> >>>>
> >>>> Mark
> >>>>
> >>>>>
> >>>>> -chris
> >>>>>
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>
> >>>>>> Middleware Product Engineering
> >>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>>>
> >>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>> MAC: F4469-010
> >>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>
> >>>>>> jonmcalexander@wellsfargo.com
> >>>>>> This message may contain confidential and/or privileged
> information.
> >>>>>> If you are not the addressee or authorized to receive this for
> >>>>>> the addressee, you must not use, copy, disclose, or take any
> >>>>>> action based on this message or any information herein. If you
> >>>>>> have received this message in error, please advise the sender
> >>>>>> immediately by reply e-mail and delete this message. Thank you
> >>>>>> for
> >> your cooperation.
> >>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>>>>> Sent: Monday, January 9, 2023 8:10 AM
> >>>>>>> To: users@tomcat.apache.org
> >>>>>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>>>>
> >>>>>>> Jon,
> >>>>>>>
> >>>>>>> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>>>>>>> Thanks for the info.
> >>>>>>>>
> >>>>>>>> In a nutshell I think the certpath,provider would be sufficient.
> >>>>>>>> I'm thinking that I can add this to the java options as
> >>>>>>>> -Djava.security.debug=ssl:certpath,provider however I don't
> >>>>>>>> know how to specify where to log the information.
> >>>>>>> java.security.debug is really a blunt instrument. It's
> >>>>>>> unfortunate that it's one of the only ways to get information
> >>>>>>> out of the TLS stack. It would have been great if Java had
> >>>>>>> started using its own logging system once it was introduced, but no.
> >>>>>>>
> >>>>>>> That debugging tool always dumps to stdout (or stderr?) and you
> >>>>>>> have very little control over where it goes.
> >>>>>>>
> >>>>>>> You would never want to use it for ongoing logging. It truly is
> >>>>>>> for
> >>>>>>> debugging-
> >>>>>>> only.
> >>>>>>>
> >>>>>>> The good news is that application code should be able to get the
> >>>>>>> information you are looking for.
> >>>>>>>
> >>>>>>> Oh, wait...
> >>>>>>>
> >>>>>>>> [...] I'm checking to see if there is any out-of-the-box option
> >>>>>>>> to capture in a log which SSL certificate and trust keystore is
> >>>>>>>> being used during startup?
> >>>>>>> What do you mean "during startup"? I originally read that as
> >>>>>>> "for incoming connections" thinking that you wanted to log which
> >>>>>>> cert was used for a particular request. But it sounds like maybe
> >>>>>>> you are asking for something to just be logged one-time during
> startup?
> >>>>>>>
> >>>>>>> -chris
> >>>>>>>
> >>>>>>>>
> >>>>>>>> Thanks,
> >>>>>>>>
> >>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>>>
> >>>>>>>> Middleware Product Engineering
> >>>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>>>>>
> >>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>>>> MAC: F4469-010
> >>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>>>
> >>>>>>>> jonmcalexander@wellsfargo.com
> >>>>>>>> This message may contain confidential and/or privileged
> >> information.
> >>>>>>>> If you
> >>>>>>> are not the addressee or authorized to receive this for the
> >>>>>>> addressee, you must not use, copy, disclose, or take any action
> >>>>>>> based on this message or any information herein. If you have
> >>>>>>> received this message in error, please advise the sender
> >>>>>>> immediately by reply e-mail and delete this message. Thank you
> >>>>>>> for your cooperation.
> >>>>>>>>
> >>>>>>>>> -----Original Message-----
> >>>>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>>>>>>> Sent: Friday, January 6, 2023 2:41 PM
> >>>>>>>>> To: users@tomcat.apache.org
> >>>>>>>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>>>>>>
> >>>>>>>>> Mark,
> >>>>>>>>>
> >>>>>>>>> On 1/6/23 15:00, Mark Thomas wrote:
> >>>>>>>>>> Hi Jon,
> >>>>>>>>>>
> >>>>>>>>>> In a word, no. Sorry.
> >>>>>>>>>>
> >>>>>>>>>> Some sort of info log message probably makes sense for this.
> >>>>>>>>>> SNI makes things a little more complicated but we should be
> >>>>>>>>>> able to do
> >>>>>>> something.
> >>>>>>>>>> What is the minimum info you'd like to see?
> >>>>>>>>>
> >>>>>>>>> How about adding a request attribute with some kind of
> >>>>>>>>> identifier (fpr?
> >>>>>>>>> serial-number?) in it and indicates at least which server-cert
> >>>>>>>>> was chosen.
> >>>>>>>>> Then it can trivially be added to e.g. access_log or even to
> >>>>>>>>> application code which wants to do custom logging.
> >>>>>>>>>
> >>>>>>>>> -chris
> >>>>>>>>>
> >>>>>>>>>> On 06/01/2023 18:52,
> jonmcalexander@wellsfargo.com.INVALID
> >>>> wrote:
> >>>>>>>>>>> Good afternoon and Happy New Year,
> >>>>>>>>>>>
> >>>>>>>>>>> I know about the SSL debug logging, however, I'm checking to
> >>>>>>>>>>> see if there is any out-of-the-box option to capture in a
> >>>>>>>>>>> log which SSL certificate and trust keystore is being used
> >>>>>>>>>>> during
> >> startup?
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks,
> >>>>>>>>>>>
> >>>>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>>>>>>
> >>>>>>>>>>> Middleware Product Engineering Enterprise CIO | EAS |
> >>>>>>>>>>> Middleware | Infrastructure Solutions
> >>>>>>>>>>>
> >>>>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>>>>>>> MAC: F4469-010
> >>>>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>
> >>>>>>>
> >>>>
> >>
> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
> >>>>>>>>>>> This message may contain confidential and/or privileged
> >>>> information.
> >>>>>>>>>>> If you are not the addressee or authorized to receive this
> >>>>>>>>>>> for the addressee, you must not use, copy, disclose, or take
> >>>>>>>>>>> any action based on this message or any information herein.
> >>>>>>>>>>> If you have received this message in error, please advise
> >>>>>>>>>>> the sender immediately by reply e-mail and delete this
> >>>>>>>>>>> message. Thank you for
> >>>>>>> your cooperation.
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> -------------------------------------------------------------
> >>>>>>>>>> --
> >>>>>>>>>> --
> >>>>>>>>>> ---
> >>>>>>>>>> - To unsubscribe, e-mail: users-
> unsubscribe@tomcat.apache.org
> >>>>>>>>>> For additional commands, e-mail: users-
> help@tomcat.apache.org
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> --------------------------------------------------------------
> >>>>>>>>> --
> >>>>>>>>> --
> >>>>>>>>> --- To unsubscribe, e-mail:
> >>>>>>>>> users-unsubscribe@tomcat.apache.org
> >>>>>>>>> For additional commands, e-mail: users-
> help@tomcat.apache.org
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> ---------------------------------------------------------------
> >>>>>>>> --
> >>>>>>>> --
> >>>>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>>>
> >>>>>>>
> >>>>>>> ----------------------------------------------------------------
> >>>>>>> --
> >>>>>>> --
> >>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>
> >>>>>>
> >>>>>> -----------------------------------------------------------------
> >>>>>> --
> >>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>
> >>>>>
> >>>>> ------------------------------------------------------------------
> >>>>> --
> >>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>
> >>>>
> >>>> -------------------------------------------------------------------
> >>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>
> >>>
> >>> --------------------------------------------------------------------
> >>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Basic SSL Certificate Usage logging
Posted by Mark Thomas <ma...@apache.org>.
Hi Jon,
The current message looks like this:
09-Feb-2023 09:09:53.939 INFO [main]
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector
[https-jsse-nio-8443], TLS virtual host [_default_], certificate type
[RSA] configured from [conf/localhost-rsa.jks] using alias [tomcat] and
with trust store [null]
The intention is to make clear, for each configured server certificate,
which configuration files are being used. The idea being that you can
then examine the relevant files if there is an issue.
There is a balance to strike in terms of providing useful detail and
providing too much detail in the default logs. Everything below feels
like too much detail.
One option would be to switch this message to a dedicated logger and
then provide more/all details if debug logging is enabled. Moving this
to a dedicated logger would allow debug logging to be enabled for that
logger without changing the logging for the entire endpoint.
Mark
On 08/02/2023 18:36, jonmcalexander@wellsfargo.com.INVALID wrote:
> Hi Mark,
>
> As a follow-up, some of my compatriots are asking if we can get all or some of these details in the log as well? Wanted to ask early if possible.
>
> • Subject
> o Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells Fargo,C=US
> o Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US
> o Ex: CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells Fargo,C=US
> • SAN (aka Subject Alternative Names)
> o Ex: DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com
> o Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com;
> o Ex: EMAIL:some.name@wellsfargo.com;EMAIL:some.name.alt@wellsfargo.com
> • Issuer
> o Ex: CN=Wells Fargo Enterprise Certification Authority 05-2 G2,OU=Wells Fargo Certification Authorities,O=Wells Fargo,C=US
> • ValidFrom (aka NotBefore)
> o Ex: 2022-05-18T05:09:27Z
> • ValidTo (aka NotAfter)
> o Ex: 2024-05-17T05:09:27Z
> • KeyUsage
> o Ex: Digital Signature, Key Encipherment, Data Encipherment
> • KeyUsageExtended
> o Ex: Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)
> • SerialNumber
> o Ex: 6a0006e41935f80460711c187000000006e419
> • FingerprintSHA1 (aka Thumbprint)
> o Ex: 679323d7dcc9307d8696a88e0f1a8d4069a412b6
> • FingerprintSHA256
> o Ex: DC5044B2E6A173CB2B05CEE54AA5B185DD6D4A341DC36B3CCB0DC99782DD4E41
> • PublicKeyAlgo
> o Ex: RSA
> o Ex: ECDSA
> • PublicKeySize
> o Ex: 2048
> o Ex: P-256
>
> Thank you,
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexander@wellsfargo.com
> This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
>
>
>> -----Original Message-----
>> From: Mark Thomas <ma...@apache.org>
>> Sent: Wednesday, February 8, 2023 10:37 AM
>> To: users@tomcat.apache.org
>> Subject: Re: Basic SSL Certificate Usage logging
>>
>> On 08/02/2023 16:24, jonmcalexander@wellsfargo.com.INVALID wrote:
>>> Hi Mark,
>>>
>>> So, is this something that can/will be added in the future? I tested my
>> thought of setting the java logging.properties to a specific file in the
>> command line but it didn't do what I had hoped.
>>
>> Already added. Will be in the next round of releases.
>>
>> Mark
>>
>>
>>>
>>> Thanks,
>>>
>>> Dream * Excel * Explore * Inspire
>>> Jon McAlexander
>>> Senior Infrastructure Engineer
>>> Asst. Vice President
>>> He/His
>>>
>>> Middleware Product Engineering
>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>
>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>> MAC: F4469-010
>>> Tel 515-988-2508 | Cell 515-988-2508
>>>
>>> jonmcalexander@wellsfargo.com
>>> This message may contain confidential and/or privileged information. If you
>> are not the addressee or authorized to receive this for the addressee, you
>> must not use, copy, disclose, or take any action based on this message or any
>> information herein. If you have received this message in error, please advise
>> the sender immediately by reply e-mail and delete this message. Thank you
>> for your cooperation.
>>>
>>>
>>>> -----Original Message-----
>>>> From: Mark Thomas <ma...@apache.org>
>>>> Sent: Tuesday, January 10, 2023 8:23 AM
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>
>>>> On 10/01/2023 13:52, Christopher Schultz wrote:
>>>>> Jon,
>>>>>
>>>>> On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>>>> Yes Chris, It's just for during startup. For a particular instance
>>>>>> I would like to capture the Certificate Info and Truststore being
>>>>>> used and pipe that into a separate log/txt file.
>>>>> So it sounds like just dumping-out the configured certificates, etc.
>>>>> to something like the debug log from Connector or SSLHostConfig or
>>>>> similar would work?
>>>>>
>>>>> Or would you want that information available to the application so
>>>>> you can log it in some very specific way? Note that you can already
>>>>> get the SSLHostConfig info via JMX if you are willing to do that.
>>>>
>>>> How about something like this:
>>>>
>>>> 10-Jan-2023 14:21:07.951 INFO [main]
>>>> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
>>>> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type
>>>> [RSA] configured from [conf/localhost-rsa.jks] using alias [null] and
>>>> with trust store [null]
>>>>
>>>> ?
>>>>
>>>> Mark
>>>>
>>>>>
>>>>> -chris
>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Dream * Excel * Explore * Inspire
>>>>>> Jon McAlexander
>>>>>> Senior Infrastructure Engineer
>>>>>> Asst. Vice President
>>>>>> He/His
>>>>>>
>>>>>> Middleware Product Engineering
>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>>
>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>> MAC: F4469-010
>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>
>>>>>> jonmcalexander@wellsfargo.com
>>>>>> This message may contain confidential and/or privileged information.
>>>>>> If you are not the addressee or authorized to receive this for the
>>>>>> addressee, you must not use, copy, disclose, or take any action
>>>>>> based on this message or any information herein. If you have
>>>>>> received this message in error, please advise the sender
>>>>>> immediately by reply e-mail and delete this message. Thank you for
>> your cooperation.
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>>>>> Sent: Monday, January 9, 2023 8:10 AM
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>>>>
>>>>>>> Jon,
>>>>>>>
>>>>>>> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>>>>>> Thanks for the info.
>>>>>>>>
>>>>>>>> In a nutshell I think the certpath,provider would be sufficient.
>>>>>>>> I'm thinking that I can add this to the java options as
>>>>>>>> -Djava.security.debug=ssl:certpath,provider however I don't know
>>>>>>>> how to specify where to log the information.
>>>>>>> java.security.debug is really a blunt instrument. It's unfortunate
>>>>>>> that it's one of the only ways to get information out of the TLS
>>>>>>> stack. It would have been great if Java had started using its own
>>>>>>> logging system once it was introduced, but no.
>>>>>>>
>>>>>>> That debugging tool always dumps to stdout (or stderr?) and you
>>>>>>> have very little control over where it goes.
>>>>>>>
>>>>>>> You would never want to use it for ongoing logging. It truly is
>>>>>>> for
>>>>>>> debugging-
>>>>>>> only.
>>>>>>>
>>>>>>> The good news is that application code should be able to get the
>>>>>>> information you are looking for.
>>>>>>>
>>>>>>> Oh, wait...
>>>>>>>
>>>>>>>> [...] I'm checking to see if there is any out-of-the-box option
>>>>>>>> to capture in a log which SSL certificate and trust keystore is
>>>>>>>> being used during startup?
>>>>>>> What do you mean "during startup"? I originally read that as "for
>>>>>>> incoming connections" thinking that you wanted to log which cert
>>>>>>> was used for a particular request. But it sounds like maybe you
>>>>>>> are asking for something to just be logged one-time during startup?
>>>>>>>
>>>>>>> -chris
>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
>>>>>>>>
>>>>>>>> Middleware Product Engineering
>>>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>>>>
>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>>>> MAC: F4469-010
>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>>>
>>>>>>>> jonmcalexander@wellsfargo.com
>>>>>>>> This message may contain confidential and/or privileged
>> information.
>>>>>>>> If you
>>>>>>> are not the addressee or authorized to receive this for the
>>>>>>> addressee, you must not use, copy, disclose, or take any action
>>>>>>> based on this message or any information herein. If you have
>>>>>>> received this message in error, please advise the sender
>>>>>>> immediately by reply e-mail and delete this message. Thank you for
>>>>>>> your cooperation.
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>>>>>>> Sent: Friday, January 6, 2023 2:41 PM
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>>>>>>
>>>>>>>>> Mark,
>>>>>>>>>
>>>>>>>>> On 1/6/23 15:00, Mark Thomas wrote:
>>>>>>>>>> Hi Jon,
>>>>>>>>>>
>>>>>>>>>> In a word, no. Sorry.
>>>>>>>>>>
>>>>>>>>>> Some sort of info log message probably makes sense for this.
>>>>>>>>>> SNI makes things a little more complicated but we should be
>>>>>>>>>> able to do
>>>>>>> something.
>>>>>>>>>> What is the minimum info you'd like to see?
>>>>>>>>>
>>>>>>>>> How about adding a request attribute with some kind of
>>>>>>>>> identifier (fpr?
>>>>>>>>> serial-number?) in it and indicates at least which server-cert
>>>>>>>>> was chosen.
>>>>>>>>> Then it can trivially be added to e.g. access_log or even to
>>>>>>>>> application code which wants to do custom logging.
>>>>>>>>>
>>>>>>>>> -chris
>>>>>>>>>
>>>>>>>>>> On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID
>>>> wrote:
>>>>>>>>>>> Good afternoon and Happy New Year,
>>>>>>>>>>>
>>>>>>>>>>> I know about the SSL debug logging, however, I'm checking to
>>>>>>>>>>> see if there is any out-of-the-box option to capture in a log
>>>>>>>>>>> which SSL certificate and trust keystore is being used during
>> startup?
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
>>>>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
>>>>>>>>>>>
>>>>>>>>>>> Middleware Product Engineering Enterprise CIO | EAS |
>>>>>>>>>>> Middleware | Infrastructure Solutions
>>>>>>>>>>>
>>>>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>>>>>>> MAC: F4469-010
>>>>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>
>> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
>>>>>>>>>>> This message may contain confidential and/or privileged
>>>> information.
>>>>>>>>>>> If you are not the addressee or authorized to receive this for
>>>>>>>>>>> the addressee, you must not use, copy, disclose, or take any
>>>>>>>>>>> action based on this message or any information herein. If you
>>>>>>>>>>> have received this message in error, please advise the sender
>>>>>>>>>>> immediately by reply e-mail and delete this message. Thank you
>>>>>>>>>>> for
>>>>>>> your cooperation.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>>> --
>>>>>>>>>> ---
>>>>>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ----------------------------------------------------------------
>>>>>>>>> --
>>>>>>>>> --- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>
>>>>>>>>
>>>>>>>> -----------------------------------------------------------------
>>>>>>>> --
>>>>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------
>>>>>>> --
>>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>
>>>>>>
>>>>>> -------------------------------------------------------------------
>>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>
>>>>>
>>>>> --------------------------------------------------------------------
>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Basic SSL Certificate Usage logging
Posted by jo...@wellsfargo.com.INVALID.
Hi Mark,
As a follow-up, some of my compatriots are asking if we can get all or some of these details in the log as well? Wanted to ask early if possible.
• Subject
o Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells Fargo,C=US
o Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US
o Ex: CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells Fargo,C=US
• SAN (aka Subject Alternative Names)
o Ex: DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com
o Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com;
o Ex: EMAIL:some.name@wellsfargo.com;EMAIL:some.name.alt@wellsfargo.com
• Issuer
o Ex: CN=Wells Fargo Enterprise Certification Authority 05-2 G2,OU=Wells Fargo Certification Authorities,O=Wells Fargo,C=US
• ValidFrom (aka NotBefore)
o Ex: 2022-05-18T05:09:27Z
• ValidTo (aka NotAfter)
o Ex: 2024-05-17T05:09:27Z
• KeyUsage
o Ex: Digital Signature, Key Encipherment, Data Encipherment
• KeyUsageExtended
o Ex: Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)
• SerialNumber
o Ex: 6a0006e41935f80460711c187000000006e419
• FingerprintSHA1 (aka Thumbprint)
o Ex: 679323d7dcc9307d8696a88e0f1a8d4069a412b6
• FingerprintSHA256
o Ex: DC5044B2E6A173CB2B05CEE54AA5B185DD6D4A341DC36B3CCB0DC99782DD4E41
• PublicKeyAlgo
o Ex: RSA
o Ex: ECDSA
• PublicKeySize
o Ex: 2048
o Ex: P-256
Thank you,
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Wednesday, February 8, 2023 10:37 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
>
> On 08/02/2023 16:24, jonmcalexander@wellsfargo.com.INVALID wrote:
> > Hi Mark,
> >
> > So, is this something that can/will be added in the future? I tested my
> thought of setting the java logging.properties to a specific file in the
> command line but it didn't do what I had hoped.
>
> Already added. Will be in the next round of releases.
>
> Mark
>
>
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexander@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >
> >> -----Original Message-----
> >> From: Mark Thomas <ma...@apache.org>
> >> Sent: Tuesday, January 10, 2023 8:23 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> On 10/01/2023 13:52, Christopher Schultz wrote:
> >>> Jon,
> >>>
> >>> On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>>> Yes Chris, It's just for during startup. For a particular instance
> >>>> I would like to capture the Certificate Info and Truststore being
> >>>> used and pipe that into a separate log/txt file.
> >>> So it sounds like just dumping-out the configured certificates, etc.
> >>> to something like the debug log from Connector or SSLHostConfig or
> >>> similar would work?
> >>>
> >>> Or would you want that information available to the application so
> >>> you can log it in some very specific way? Note that you can already
> >>> get the SSLHostConfig info via JMX if you are willing to do that.
> >>
> >> How about something like this:
> >>
> >> 10-Jan-2023 14:21:07.951 INFO [main]
> >> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> >> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type
> >> [RSA] configured from [conf/localhost-rsa.jks] using alias [null] and
> >> with trust store [null]
> >>
> >> ?
> >>
> >> Mark
> >>
> >>>
> >>> -chris
> >>>
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Dream * Excel * Explore * Inspire
> >>>> Jon McAlexander
> >>>> Senior Infrastructure Engineer
> >>>> Asst. Vice President
> >>>> He/His
> >>>>
> >>>> Middleware Product Engineering
> >>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>
> >>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>> MAC: F4469-010
> >>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>
> >>>> jonmcalexander@wellsfargo.com
> >>>> This message may contain confidential and/or privileged information.
> >>>> If you are not the addressee or authorized to receive this for the
> >>>> addressee, you must not use, copy, disclose, or take any action
> >>>> based on this message or any information herein. If you have
> >>>> received this message in error, please advise the sender
> >>>> immediately by reply e-mail and delete this message. Thank you for
> your cooperation.
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>>> Sent: Monday, January 9, 2023 8:10 AM
> >>>>> To: users@tomcat.apache.org
> >>>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>>
> >>>>> Jon,
> >>>>>
> >>>>> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>>>>> Thanks for the info.
> >>>>>>
> >>>>>> In a nutshell I think the certpath,provider would be sufficient.
> >>>>>> I'm thinking that I can add this to the java options as
> >>>>>> -Djava.security.debug=ssl:certpath,provider however I don't know
> >>>>>> how to specify where to log the information.
> >>>>> java.security.debug is really a blunt instrument. It's unfortunate
> >>>>> that it's one of the only ways to get information out of the TLS
> >>>>> stack. It would have been great if Java had started using its own
> >>>>> logging system once it was introduced, but no.
> >>>>>
> >>>>> That debugging tool always dumps to stdout (or stderr?) and you
> >>>>> have very little control over where it goes.
> >>>>>
> >>>>> You would never want to use it for ongoing logging. It truly is
> >>>>> for
> >>>>> debugging-
> >>>>> only.
> >>>>>
> >>>>> The good news is that application code should be able to get the
> >>>>> information you are looking for.
> >>>>>
> >>>>> Oh, wait...
> >>>>>
> >>>>>> [...] I'm checking to see if there is any out-of-the-box option
> >>>>>> to capture in a log which SSL certificate and trust keystore is
> >>>>>> being used during startup?
> >>>>> What do you mean "during startup"? I originally read that as "for
> >>>>> incoming connections" thinking that you wanted to log which cert
> >>>>> was used for a particular request. But it sounds like maybe you
> >>>>> are asking for something to just be logged one-time during startup?
> >>>>>
> >>>>> -chris
> >>>>>
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>
> >>>>>> Middleware Product Engineering
> >>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>>>
> >>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>> MAC: F4469-010
> >>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>
> >>>>>> jonmcalexander@wellsfargo.com
> >>>>>> This message may contain confidential and/or privileged
> information.
> >>>>>> If you
> >>>>> are not the addressee or authorized to receive this for the
> >>>>> addressee, you must not use, copy, disclose, or take any action
> >>>>> based on this message or any information herein. If you have
> >>>>> received this message in error, please advise the sender
> >>>>> immediately by reply e-mail and delete this message. Thank you for
> >>>>> your cooperation.
> >>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>>>>> Sent: Friday, January 6, 2023 2:41 PM
> >>>>>>> To: users@tomcat.apache.org
> >>>>>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>>>>
> >>>>>>> Mark,
> >>>>>>>
> >>>>>>> On 1/6/23 15:00, Mark Thomas wrote:
> >>>>>>>> Hi Jon,
> >>>>>>>>
> >>>>>>>> In a word, no. Sorry.
> >>>>>>>>
> >>>>>>>> Some sort of info log message probably makes sense for this.
> >>>>>>>> SNI makes things a little more complicated but we should be
> >>>>>>>> able to do
> >>>>> something.
> >>>>>>>> What is the minimum info you'd like to see?
> >>>>>>>
> >>>>>>> How about adding a request attribute with some kind of
> >>>>>>> identifier (fpr?
> >>>>>>> serial-number?) in it and indicates at least which server-cert
> >>>>>>> was chosen.
> >>>>>>> Then it can trivially be added to e.g. access_log or even to
> >>>>>>> application code which wants to do custom logging.
> >>>>>>>
> >>>>>>> -chris
> >>>>>>>
> >>>>>>>> On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID
> >> wrote:
> >>>>>>>>> Good afternoon and Happy New Year,
> >>>>>>>>>
> >>>>>>>>> I know about the SSL debug logging, however, I'm checking to
> >>>>>>>>> see if there is any out-of-the-box option to capture in a log
> >>>>>>>>> which SSL certificate and trust keystore is being used during
> startup?
> >>>>>>>>>
> >>>>>>>>> Thanks,
> >>>>>>>>>
> >>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>>>>
> >>>>>>>>> Middleware Product Engineering Enterprise CIO | EAS |
> >>>>>>>>> Middleware | Infrastructure Solutions
> >>>>>>>>>
> >>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>>>>> MAC: F4469-010
> >>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>
> >>>>>
> >>
> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
> >>>>>>>>> This message may contain confidential and/or privileged
> >> information.
> >>>>>>>>> If you are not the addressee or authorized to receive this for
> >>>>>>>>> the addressee, you must not use, copy, disclose, or take any
> >>>>>>>>> action based on this message or any information herein. If you
> >>>>>>>>> have received this message in error, please advise the sender
> >>>>>>>>> immediately by reply e-mail and delete this message. Thank you
> >>>>>>>>> for
> >>>>> your cooperation.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>> ---------------------------------------------------------------
> >>>>>>>> --
> >>>>>>>> ---
> >>>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>>>
> >>>>>>>
> >>>>>>> ----------------------------------------------------------------
> >>>>>>> --
> >>>>>>> --- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>
> >>>>>>
> >>>>>> -----------------------------------------------------------------
> >>>>>> --
> >>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>
> >>>>>
> >>>>> ------------------------------------------------------------------
> >>>>> --
> >>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>>
> >>>> -------------------------------------------------------------------
> >>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>
> >>> --------------------------------------------------------------------
> >>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
RE: Basic SSL Certificate Usage logging
Posted by jo...@wellsfargo.com.INVALID.
And thank you!
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Wednesday, February 8, 2023 10:37 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
>
> On 08/02/2023 16:24, jonmcalexander@wellsfargo.com.INVALID wrote:
> > Hi Mark,
> >
> > So, is this something that can/will be added in the future? I tested my
> thought of setting the java logging.properties to a specific file in the
> command line but it didn't do what I had hoped.
>
> Already added. Will be in the next round of releases.
>
> Mark
>
>
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexander@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >
> >> -----Original Message-----
> >> From: Mark Thomas <ma...@apache.org>
> >> Sent: Tuesday, January 10, 2023 8:23 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> On 10/01/2023 13:52, Christopher Schultz wrote:
> >>> Jon,
> >>>
> >>> On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>>> Yes Chris, It's just for during startup. For a particular instance
> >>>> I would like to capture the Certificate Info and Truststore being
> >>>> used and pipe that into a separate log/txt file.
> >>> So it sounds like just dumping-out the configured certificates, etc.
> >>> to something like the debug log from Connector or SSLHostConfig or
> >>> similar would work?
> >>>
> >>> Or would you want that information available to the application so
> >>> you can log it in some very specific way? Note that you can already
> >>> get the SSLHostConfig info via JMX if you are willing to do that.
> >>
> >> How about something like this:
> >>
> >> 10-Jan-2023 14:21:07.951 INFO [main]
> >> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> >> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type
> >> [RSA] configured from [conf/localhost-rsa.jks] using alias [null] and
> >> with trust store [null]
> >>
> >> ?
> >>
> >> Mark
> >>
> >>>
> >>> -chris
> >>>
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Dream * Excel * Explore * Inspire
> >>>> Jon McAlexander
> >>>> Senior Infrastructure Engineer
> >>>> Asst. Vice President
> >>>> He/His
> >>>>
> >>>> Middleware Product Engineering
> >>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>
> >>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>> MAC: F4469-010
> >>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>
> >>>> jonmcalexander@wellsfargo.com
> >>>> This message may contain confidential and/or privileged information.
> >>>> If you are not the addressee or authorized to receive this for the
> >>>> addressee, you must not use, copy, disclose, or take any action
> >>>> based on this message or any information herein. If you have
> >>>> received this message in error, please advise the sender
> >>>> immediately by reply e-mail and delete this message. Thank you for
> your cooperation.
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>>> Sent: Monday, January 9, 2023 8:10 AM
> >>>>> To: users@tomcat.apache.org
> >>>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>>
> >>>>> Jon,
> >>>>>
> >>>>> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>>>>> Thanks for the info.
> >>>>>>
> >>>>>> In a nutshell I think the certpath,provider would be sufficient.
> >>>>>> I'm thinking that I can add this to the java options as
> >>>>>> -Djava.security.debug=ssl:certpath,provider however I don't know
> >>>>>> how to specify where to log the information.
> >>>>> java.security.debug is really a blunt instrument. It's unfortunate
> >>>>> that it's one of the only ways to get information out of the TLS
> >>>>> stack. It would have been great if Java had started using its own
> >>>>> logging system once it was introduced, but no.
> >>>>>
> >>>>> That debugging tool always dumps to stdout (or stderr?) and you
> >>>>> have very little control over where it goes.
> >>>>>
> >>>>> You would never want to use it for ongoing logging. It truly is
> >>>>> for
> >>>>> debugging-
> >>>>> only.
> >>>>>
> >>>>> The good news is that application code should be able to get the
> >>>>> information you are looking for.
> >>>>>
> >>>>> Oh, wait...
> >>>>>
> >>>>>> [...] I'm checking to see if there is any out-of-the-box option
> >>>>>> to capture in a log which SSL certificate and trust keystore is
> >>>>>> being used during startup?
> >>>>> What do you mean "during startup"? I originally read that as "for
> >>>>> incoming connections" thinking that you wanted to log which cert
> >>>>> was used for a particular request. But it sounds like maybe you
> >>>>> are asking for something to just be logged one-time during startup?
> >>>>>
> >>>>> -chris
> >>>>>
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>
> >>>>>> Middleware Product Engineering
> >>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>>>
> >>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>> MAC: F4469-010
> >>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>
> >>>>>> jonmcalexander@wellsfargo.com
> >>>>>> This message may contain confidential and/or privileged
> information.
> >>>>>> If you
> >>>>> are not the addressee or authorized to receive this for the
> >>>>> addressee, you must not use, copy, disclose, or take any action
> >>>>> based on this message or any information herein. If you have
> >>>>> received this message in error, please advise the sender
> >>>>> immediately by reply e-mail and delete this message. Thank you for
> >>>>> your cooperation.
> >>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>>>>> Sent: Friday, January 6, 2023 2:41 PM
> >>>>>>> To: users@tomcat.apache.org
> >>>>>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>>>>
> >>>>>>> Mark,
> >>>>>>>
> >>>>>>> On 1/6/23 15:00, Mark Thomas wrote:
> >>>>>>>> Hi Jon,
> >>>>>>>>
> >>>>>>>> In a word, no. Sorry.
> >>>>>>>>
> >>>>>>>> Some sort of info log message probably makes sense for this.
> >>>>>>>> SNI makes things a little more complicated but we should be
> >>>>>>>> able to do
> >>>>> something.
> >>>>>>>> What is the minimum info you'd like to see?
> >>>>>>>
> >>>>>>> How about adding a request attribute with some kind of
> >>>>>>> identifier (fpr?
> >>>>>>> serial-number?) in it and indicates at least which server-cert
> >>>>>>> was chosen.
> >>>>>>> Then it can trivially be added to e.g. access_log or even to
> >>>>>>> application code which wants to do custom logging.
> >>>>>>>
> >>>>>>> -chris
> >>>>>>>
> >>>>>>>> On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID
> >> wrote:
> >>>>>>>>> Good afternoon and Happy New Year,
> >>>>>>>>>
> >>>>>>>>> I know about the SSL debug logging, however, I'm checking to
> >>>>>>>>> see if there is any out-of-the-box option to capture in a log
> >>>>>>>>> which SSL certificate and trust keystore is being used during
> startup?
> >>>>>>>>>
> >>>>>>>>> Thanks,
> >>>>>>>>>
> >>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>>>>
> >>>>>>>>> Middleware Product Engineering Enterprise CIO | EAS |
> >>>>>>>>> Middleware | Infrastructure Solutions
> >>>>>>>>>
> >>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>>>>> MAC: F4469-010
> >>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>
> >>>>>
> >>
> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
> >>>>>>>>> This message may contain confidential and/or privileged
> >> information.
> >>>>>>>>> If you are not the addressee or authorized to receive this for
> >>>>>>>>> the addressee, you must not use, copy, disclose, or take any
> >>>>>>>>> action based on this message or any information herein. If you
> >>>>>>>>> have received this message in error, please advise the sender
> >>>>>>>>> immediately by reply e-mail and delete this message. Thank you
> >>>>>>>>> for
> >>>>> your cooperation.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>> ---------------------------------------------------------------
> >>>>>>>> --
> >>>>>>>> ---
> >>>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>>>
> >>>>>>>
> >>>>>>> ----------------------------------------------------------------
> >>>>>>> --
> >>>>>>> --- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>
> >>>>>>
> >>>>>> -----------------------------------------------------------------
> >>>>>> --
> >>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>
> >>>>>
> >>>>> ------------------------------------------------------------------
> >>>>> --
> >>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>>
> >>>> -------------------------------------------------------------------
> >>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>
> >>> --------------------------------------------------------------------
> >>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Basic SSL Certificate Usage logging
Posted by Mark Thomas <ma...@apache.org>.
On 08/02/2023 16:24, jonmcalexander@wellsfargo.com.INVALID wrote:
> Hi Mark,
>
> So, is this something that can/will be added in the future? I tested my thought of setting the java logging.properties to a specific file in the command line but it didn't do what I had hoped.
Already added. Will be in the next round of releases.
Mark
>
> Thanks,
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexander@wellsfargo.com
> This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
>
>
>> -----Original Message-----
>> From: Mark Thomas <ma...@apache.org>
>> Sent: Tuesday, January 10, 2023 8:23 AM
>> To: users@tomcat.apache.org
>> Subject: Re: Basic SSL Certificate Usage logging
>>
>> On 10/01/2023 13:52, Christopher Schultz wrote:
>>> Jon,
>>>
>>> On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>> Yes Chris, It's just for during startup. For a particular instance I
>>>> would like to capture the Certificate Info and Truststore being used
>>>> and pipe that into a separate log/txt file.
>>> So it sounds like just dumping-out the configured certificates, etc.
>>> to something like the debug log from Connector or SSLHostConfig or
>>> similar would work?
>>>
>>> Or would you want that information available to the application so you
>>> can log it in some very specific way? Note that you can already get
>>> the SSLHostConfig info via JMX if you are willing to do that.
>>
>> How about something like this:
>>
>> 10-Jan-2023 14:21:07.951 INFO [main]
>> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
>> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type [RSA]
>> configured from [conf/localhost-rsa.jks] using alias [null] and with trust store
>> [null]
>>
>> ?
>>
>> Mark
>>
>>>
>>> -chris
>>>
>>>>
>>>> Thanks,
>>>>
>>>> Dream * Excel * Explore * Inspire
>>>> Jon McAlexander
>>>> Senior Infrastructure Engineer
>>>> Asst. Vice President
>>>> He/His
>>>>
>>>> Middleware Product Engineering
>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>
>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>> MAC: F4469-010
>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>
>>>> jonmcalexander@wellsfargo.com
>>>> This message may contain confidential and/or privileged information.
>>>> If you are not the addressee or authorized to receive this for the
>>>> addressee, you must not use, copy, disclose, or take any action based
>>>> on this message or any information herein. If you have received this
>>>> message in error, please advise the sender immediately by reply
>>>> e-mail and delete this message. Thank you for your cooperation.
>>>>
>>>>> -----Original Message-----
>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>>> Sent: Monday, January 9, 2023 8:10 AM
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>>
>>>>> Jon,
>>>>>
>>>>> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>>>> Thanks for the info.
>>>>>>
>>>>>> In a nutshell I think the certpath,provider would be sufficient.
>>>>>> I'm thinking that I can add this to the java options as
>>>>>> -Djava.security.debug=ssl:certpath,provider however I don't know
>>>>>> how to specify where to log the information.
>>>>> java.security.debug is really a blunt instrument. It's unfortunate
>>>>> that it's one of the only ways to get information out of the TLS
>>>>> stack. It would have been great if Java had started using its own
>>>>> logging system once it was introduced, but no.
>>>>>
>>>>> That debugging tool always dumps to stdout (or stderr?) and you have
>>>>> very little control over where it goes.
>>>>>
>>>>> You would never want to use it for ongoing logging. It truly is for
>>>>> debugging-
>>>>> only.
>>>>>
>>>>> The good news is that application code should be able to get the
>>>>> information you are looking for.
>>>>>
>>>>> Oh, wait...
>>>>>
>>>>>> [...] I'm checking to see if there is any out-of-the-box option to
>>>>>> capture in a log which SSL certificate and trust keystore is being
>>>>>> used during startup?
>>>>> What do you mean "during startup"? I originally read that as "for
>>>>> incoming connections" thinking that you wanted to log which cert was
>>>>> used for a particular request. But it sounds like maybe you are
>>>>> asking for something to just be logged one-time during startup?
>>>>>
>>>>> -chris
>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Dream * Excel * Explore * Inspire
>>>>>> Jon McAlexander
>>>>>> Senior Infrastructure Engineer
>>>>>> Asst. Vice President
>>>>>> He/His
>>>>>>
>>>>>> Middleware Product Engineering
>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>>
>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>> MAC: F4469-010
>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>
>>>>>> jonmcalexander@wellsfargo.com
>>>>>> This message may contain confidential and/or privileged information.
>>>>>> If you
>>>>> are not the addressee or authorized to receive this for the
>>>>> addressee, you must not use, copy, disclose, or take any action
>>>>> based on this message or any information herein. If you have
>>>>> received this message in error, please advise the sender immediately
>>>>> by reply e-mail and delete this message. Thank you for your
>>>>> cooperation.
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>>>>> Sent: Friday, January 6, 2023 2:41 PM
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>>>>
>>>>>>> Mark,
>>>>>>>
>>>>>>> On 1/6/23 15:00, Mark Thomas wrote:
>>>>>>>> Hi Jon,
>>>>>>>>
>>>>>>>> In a word, no. Sorry.
>>>>>>>>
>>>>>>>> Some sort of info log message probably makes sense for this. SNI
>>>>>>>> makes things a little more complicated but we should be able to
>>>>>>>> do
>>>>> something.
>>>>>>>> What is the minimum info you'd like to see?
>>>>>>>
>>>>>>> How about adding a request attribute with some kind of identifier
>>>>>>> (fpr?
>>>>>>> serial-number?) in it and indicates at least which server-cert was
>>>>>>> chosen.
>>>>>>> Then it can trivially be added to e.g. access_log or even to
>>>>>>> application code which wants to do custom logging.
>>>>>>>
>>>>>>> -chris
>>>>>>>
>>>>>>>> On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID
>> wrote:
>>>>>>>>> Good afternoon and Happy New Year,
>>>>>>>>>
>>>>>>>>> I know about the SSL debug logging, however, I'm checking to see
>>>>>>>>> if there is any out-of-the-box option to capture in a log which
>>>>>>>>> SSL certificate and trust keystore is being used during startup?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
>>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
>>>>>>>>>
>>>>>>>>> Middleware Product Engineering
>>>>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>>>>>
>>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>>>>> MAC: F4469-010
>>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>
>> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
>>>>>>>>> This message may contain confidential and/or privileged
>> information.
>>>>>>>>> If you are not the addressee or authorized to receive this for
>>>>>>>>> the addressee, you must not use, copy, disclose, or take any
>>>>>>>>> action based on this message or any information herein. If you
>>>>>>>>> have received this message in error, please advise the sender
>>>>>>>>> immediately by reply e-mail and delete this message. Thank you
>>>>>>>>> for
>>>>> your cooperation.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> -----------------------------------------------------------------
>>>>>>>> ---
>>>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------
>>>>>>> --- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>
>>>>>>
>>>>>> -------------------------------------------------------------------
>>>>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>
>>>>>
>>>>> --------------------------------------------------------------------
>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Basic SSL Certificate Usage logging
Posted by jo...@wellsfargo.com.INVALID.
Hi Mark,
So, is this something that can/will be added in the future? I tested my thought of setting the java logging.properties to a specific file in the command line but it didn't do what I had hoped.
Thanks,
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Tuesday, January 10, 2023 8:23 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
>
> On 10/01/2023 13:52, Christopher Schultz wrote:
> > Jon,
> >
> > On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID wrote:
> >> Yes Chris, It's just for during startup. For a particular instance I
> >> would like to capture the Certificate Info and Truststore being used
> >> and pipe that into a separate log/txt file.
> > So it sounds like just dumping-out the configured certificates, etc.
> > to something like the debug log from Connector or SSLHostConfig or
> > similar would work?
> >
> > Or would you want that information available to the application so you
> > can log it in some very specific way? Note that you can already get
> > the SSLHostConfig info via JMX if you are willing to do that.
>
> How about something like this:
>
> 10-Jan-2023 14:21:07.951 INFO [main]
> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type [RSA]
> configured from [conf/localhost-rsa.jks] using alias [null] and with trust store
> [null]
>
> ?
>
> Mark
>
> >
> > -chris
> >
> >>
> >> Thanks,
> >>
> >> Dream * Excel * Explore * Inspire
> >> Jon McAlexander
> >> Senior Infrastructure Engineer
> >> Asst. Vice President
> >> He/His
> >>
> >> Middleware Product Engineering
> >> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>
> >> 8080 Cobblestone Rd | Urbandale, IA 50322
> >> MAC: F4469-010
> >> Tel 515-988-2508 | Cell 515-988-2508
> >>
> >> jonmcalexander@wellsfargo.com
> >> This message may contain confidential and/or privileged information.
> >> If you are not the addressee or authorized to receive this for the
> >> addressee, you must not use, copy, disclose, or take any action based
> >> on this message or any information herein. If you have received this
> >> message in error, please advise the sender immediately by reply
> >> e-mail and delete this message. Thank you for your cooperation.
> >>
> >>> -----Original Message-----
> >>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>> Sent: Monday, January 9, 2023 8:10 AM
> >>> To: users@tomcat.apache.org
> >>> Subject: Re: Basic SSL Certificate Usage logging
> >>>
> >>> Jon,
> >>>
> >>> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>>> Thanks for the info.
> >>>>
> >>>> In a nutshell I think the certpath,provider would be sufficient.
> >>>> I'm thinking that I can add this to the java options as
> >>>> -Djava.security.debug=ssl:certpath,provider however I don't know
> >>>> how to specify where to log the information.
> >>> java.security.debug is really a blunt instrument. It's unfortunate
> >>> that it's one of the only ways to get information out of the TLS
> >>> stack. It would have been great if Java had started using its own
> >>> logging system once it was introduced, but no.
> >>>
> >>> That debugging tool always dumps to stdout (or stderr?) and you have
> >>> very little control over where it goes.
> >>>
> >>> You would never want to use it for ongoing logging. It truly is for
> >>> debugging-
> >>> only.
> >>>
> >>> The good news is that application code should be able to get the
> >>> information you are looking for.
> >>>
> >>> Oh, wait...
> >>>
> >>>> [...] I'm checking to see if there is any out-of-the-box option to
> >>>> capture in a log which SSL certificate and trust keystore is being
> >>>> used during startup?
> >>> What do you mean "during startup"? I originally read that as "for
> >>> incoming connections" thinking that you wanted to log which cert was
> >>> used for a particular request. But it sounds like maybe you are
> >>> asking for something to just be logged one-time during startup?
> >>>
> >>> -chris
> >>>
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Dream * Excel * Explore * Inspire
> >>>> Jon McAlexander
> >>>> Senior Infrastructure Engineer
> >>>> Asst. Vice President
> >>>> He/His
> >>>>
> >>>> Middleware Product Engineering
> >>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>
> >>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>> MAC: F4469-010
> >>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>
> >>>> jonmcalexander@wellsfargo.com
> >>>> This message may contain confidential and/or privileged information.
> >>>> If you
> >>> are not the addressee or authorized to receive this for the
> >>> addressee, you must not use, copy, disclose, or take any action
> >>> based on this message or any information herein. If you have
> >>> received this message in error, please advise the sender immediately
> >>> by reply e-mail and delete this message. Thank you for your
> >>> cooperation.
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>>> Sent: Friday, January 6, 2023 2:41 PM
> >>>>> To: users@tomcat.apache.org
> >>>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>>
> >>>>> Mark,
> >>>>>
> >>>>> On 1/6/23 15:00, Mark Thomas wrote:
> >>>>>> Hi Jon,
> >>>>>>
> >>>>>> In a word, no. Sorry.
> >>>>>>
> >>>>>> Some sort of info log message probably makes sense for this. SNI
> >>>>>> makes things a little more complicated but we should be able to
> >>>>>> do
> >>> something.
> >>>>>> What is the minimum info you'd like to see?
> >>>>>
> >>>>> How about adding a request attribute with some kind of identifier
> >>>>> (fpr?
> >>>>> serial-number?) in it and indicates at least which server-cert was
> >>>>> chosen.
> >>>>> Then it can trivially be added to e.g. access_log or even to
> >>>>> application code which wants to do custom logging.
> >>>>>
> >>>>> -chris
> >>>>>
> >>>>>> On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID
> wrote:
> >>>>>>> Good afternoon and Happy New Year,
> >>>>>>>
> >>>>>>> I know about the SSL debug logging, however, I'm checking to see
> >>>>>>> if there is any out-of-the-box option to capture in a log which
> >>>>>>> SSL certificate and trust keystore is being used during startup?
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>>
> >>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
> >>>>>>> Infrastructure Engineer Asst. Vice President He/His
> >>>>>>>
> >>>>>>> Middleware Product Engineering
> >>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>>>>
> >>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>>>>> MAC: F4469-010
> >>>>>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>>>>
> >>>>>>>
> >>>>>
> >>>
> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
> >>>>>>> This message may contain confidential and/or privileged
> information.
> >>>>>>> If you are not the addressee or authorized to receive this for
> >>>>>>> the addressee, you must not use, copy, disclose, or take any
> >>>>>>> action based on this message or any information herein. If you
> >>>>>>> have received this message in error, please advise the sender
> >>>>>>> immediately by reply e-mail and delete this message. Thank you
> >>>>>>> for
> >>> your cooperation.
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>> -----------------------------------------------------------------
> >>>>>> ---
> >>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>
> >>>>>
> >>>>> ------------------------------------------------------------------
> >>>>> --- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>>
> >>>> -------------------------------------------------------------------
> >>>> -- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>
> >>> --------------------------------------------------------------------
> >>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
Re: Basic SSL Certificate Usage logging
Posted by Mark Thomas <ma...@apache.org>.
On 10/01/2023 13:52, Christopher Schultz wrote:
> Jon,
>
> On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID wrote:
>> Yes Chris, It's just for during startup. For a particular instance I
>> would like to capture the Certificate Info and Truststore being used
>> and pipe that into a separate log/txt file.
> So it sounds like just dumping-out the configured certificates, etc. to
> something like the debug log from Connector or SSLHostConfig or similar
> would work?
>
> Or would you want that information available to the application so you
> can log it in some very specific way? Note that you can already get the
> SSLHostConfig info via JMX if you are willing to do that.
How about something like this:
10-Jan-2023 14:21:07.951 INFO [main]
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
[https-jsse-nio-8443], TLS virtual host [_default_], Certificate type
[RSA] configured from [conf/localhost-rsa.jks] using alias [null] and
with trust store [null]
?
Mark
>
> -chris
>
>>
>> Thanks,
>>
>> Dream * Excel * Explore * Inspire
>> Jon McAlexander
>> Senior Infrastructure Engineer
>> Asst. Vice President
>> He/His
>>
>> Middleware Product Engineering
>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>
>> 8080 Cobblestone Rd | Urbandale, IA 50322
>> MAC: F4469-010
>> Tel 515-988-2508 | Cell 515-988-2508
>>
>> jonmcalexander@wellsfargo.com
>> This message may contain confidential and/or privileged information.
>> If you are not the addressee or authorized to receive this for the
>> addressee, you must not use, copy, disclose, or take any action based
>> on this message or any information herein. If you have received this
>> message in error, please advise the sender immediately by reply e-mail
>> and delete this message. Thank you for your cooperation.
>>
>>> -----Original Message-----
>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>> Sent: Monday, January 9, 2023 8:10 AM
>>> To: users@tomcat.apache.org
>>> Subject: Re: Basic SSL Certificate Usage logging
>>>
>>> Jon,
>>>
>>> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>> Thanks for the info.
>>>>
>>>> In a nutshell I think the certpath,provider would be sufficient. I'm
>>>> thinking that I can add this to the java options as
>>>> -Djava.security.debug=ssl:certpath,provider however I don't know how
>>>> to specify where to log the information.
>>> java.security.debug is really a blunt instrument. It's unfortunate
>>> that it's one
>>> of the only ways to get information out of the TLS stack. It would
>>> have been
>>> great if Java had started using its own logging system once it was
>>> introduced,
>>> but no.
>>>
>>> That debugging tool always dumps to stdout (or stderr?) and you have
>>> very
>>> little control over where it goes.
>>>
>>> You would never want to use it for ongoing logging. It truly is for
>>> debugging-
>>> only.
>>>
>>> The good news is that application code should be able to get the
>>> information
>>> you are looking for.
>>>
>>> Oh, wait...
>>>
>>>> [...] I'm checking to see if there is any out-of-the-box option to
>>>> capture in a log which SSL certificate and trust keystore is being
>>>> used during startup?
>>> What do you mean "during startup"? I originally read that as "for
>>> incoming
>>> connections" thinking that you wanted to log which cert was used for a
>>> particular request. But it sounds like maybe you are asking for
>>> something to
>>> just be logged one-time during startup?
>>>
>>> -chris
>>>
>>>>
>>>> Thanks,
>>>>
>>>> Dream * Excel * Explore * Inspire
>>>> Jon McAlexander
>>>> Senior Infrastructure Engineer
>>>> Asst. Vice President
>>>> He/His
>>>>
>>>> Middleware Product Engineering
>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>
>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>> MAC: F4469-010
>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>
>>>> jonmcalexander@wellsfargo.com
>>>> This message may contain confidential and/or privileged information.
>>>> If you
>>> are not the addressee or authorized to receive this for the
>>> addressee, you
>>> must not use, copy, disclose, or take any action based on this
>>> message or any
>>> information herein. If you have received this message in error,
>>> please advise
>>> the sender immediately by reply e-mail and delete this message. Thank
>>> you
>>> for your cooperation.
>>>>
>>>>> -----Original Message-----
>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>>> Sent: Friday, January 6, 2023 2:41 PM
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>>
>>>>> Mark,
>>>>>
>>>>> On 1/6/23 15:00, Mark Thomas wrote:
>>>>>> Hi Jon,
>>>>>>
>>>>>> In a word, no. Sorry.
>>>>>>
>>>>>> Some sort of info log message probably makes sense for this. SNI
>>>>>> makes things a little more complicated but we should be able to do
>>> something.
>>>>>> What is the minimum info you'd like to see?
>>>>>
>>>>> How about adding a request attribute with some kind of identifier
>>>>> (fpr?
>>>>> serial-number?) in it and indicates at least which server-cert was
>>>>> chosen.
>>>>> Then it can trivially be added to e.g. access_log or even to
>>>>> application code which wants to do custom logging.
>>>>>
>>>>> -chris
>>>>>
>>>>>> On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>>>>> Good afternoon and Happy New Year,
>>>>>>>
>>>>>>> I know about the SSL debug logging, however, I'm checking to see if
>>>>>>> there is any out-of-the-box option to capture in a log which SSL
>>>>>>> certificate and trust keystore is being used during startup?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Dream * Excel * Explore * Inspire
>>>>>>> Jon McAlexander
>>>>>>> Senior Infrastructure Engineer
>>>>>>> Asst. Vice President
>>>>>>> He/His
>>>>>>>
>>>>>>> Middleware Product Engineering
>>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>>>
>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>>> MAC: F4469-010
>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>>
>>>>>>>
>>>>>
>>> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
>>>>>>> This message may contain confidential and/or privileged information.
>>>>>>> If you are not the addressee or authorized to receive this for the
>>>>>>> addressee, you must not use, copy, disclose, or take any action
>>>>>>> based on this message or any information herein. If you have
>>>>>>> received this message in error, please advise the sender
>>>>>>> immediately by reply e-mail and delete this message. Thank you for
>>> your cooperation.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --------------------------------------------------------------------
>>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Basic SSL Certificate Usage logging
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jon,
On 1/9/23 18:17, jonmcalexander@wellsfargo.com.INVALID wrote:
> Yes Chris, It's just for during startup. For a particular instance I
> would like to capture the Certificate Info and Truststore being used
> and pipe that into a separate log/txt file.
So it sounds like just dumping-out the configured certificates, etc. to
something like the debug log from Connector or SSLHostConfig or similar
would work?
Or would you want that information available to the application so you
can log it in some very specific way? Note that you can already get the
SSLHostConfig info via JMX if you are willing to do that.
-chris
>
> Thanks,
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexander@wellsfargo.com
> This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
>
>> -----Original Message-----
>> From: Christopher Schultz <ch...@christopherschultz.net>
>> Sent: Monday, January 9, 2023 8:10 AM
>> To: users@tomcat.apache.org
>> Subject: Re: Basic SSL Certificate Usage logging
>>
>> Jon,
>>
>> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
>>> Thanks for the info.
>>>
>>> In a nutshell I think the certpath,provider would be sufficient. I'm
>>> thinking that I can add this to the java options as
>>> -Djava.security.debug=ssl:certpath,provider however I don't know how
>>> to specify where to log the information.
>> java.security.debug is really a blunt instrument. It's unfortunate that it's one
>> of the only ways to get information out of the TLS stack. It would have been
>> great if Java had started using its own logging system once it was introduced,
>> but no.
>>
>> That debugging tool always dumps to stdout (or stderr?) and you have very
>> little control over where it goes.
>>
>> You would never want to use it for ongoing logging. It truly is for debugging-
>> only.
>>
>> The good news is that application code should be able to get the information
>> you are looking for.
>>
>> Oh, wait...
>>
>>> [...] I'm checking to see if there is any out-of-the-box option to
>>> capture in a log which SSL certificate and trust keystore is being
>>> used during startup?
>> What do you mean "during startup"? I originally read that as "for incoming
>> connections" thinking that you wanted to log which cert was used for a
>> particular request. But it sounds like maybe you are asking for something to
>> just be logged one-time during startup?
>>
>> -chris
>>
>>>
>>> Thanks,
>>>
>>> Dream * Excel * Explore * Inspire
>>> Jon McAlexander
>>> Senior Infrastructure Engineer
>>> Asst. Vice President
>>> He/His
>>>
>>> Middleware Product Engineering
>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>
>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>> MAC: F4469-010
>>> Tel 515-988-2508 | Cell 515-988-2508
>>>
>>> jonmcalexander@wellsfargo.com
>>> This message may contain confidential and/or privileged information. If you
>> are not the addressee or authorized to receive this for the addressee, you
>> must not use, copy, disclose, or take any action based on this message or any
>> information herein. If you have received this message in error, please advise
>> the sender immediately by reply e-mail and delete this message. Thank you
>> for your cooperation.
>>>
>>>> -----Original Message-----
>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>> Sent: Friday, January 6, 2023 2:41 PM
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: Basic SSL Certificate Usage logging
>>>>
>>>> Mark,
>>>>
>>>> On 1/6/23 15:00, Mark Thomas wrote:
>>>>> Hi Jon,
>>>>>
>>>>> In a word, no. Sorry.
>>>>>
>>>>> Some sort of info log message probably makes sense for this. SNI
>>>>> makes things a little more complicated but we should be able to do
>> something.
>>>>> What is the minimum info you'd like to see?
>>>>
>>>> How about adding a request attribute with some kind of identifier (fpr?
>>>> serial-number?) in it and indicates at least which server-cert was chosen.
>>>> Then it can trivially be added to e.g. access_log or even to
>>>> application code which wants to do custom logging.
>>>>
>>>> -chris
>>>>
>>>>> On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>>>> Good afternoon and Happy New Year,
>>>>>>
>>>>>> I know about the SSL debug logging, however, I'm checking to see if
>>>>>> there is any out-of-the-box option to capture in a log which SSL
>>>>>> certificate and trust keystore is being used during startup?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Dream * Excel * Explore * Inspire
>>>>>> Jon McAlexander
>>>>>> Senior Infrastructure Engineer
>>>>>> Asst. Vice President
>>>>>> He/His
>>>>>>
>>>>>> Middleware Product Engineering
>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>>
>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>> MAC: F4469-010
>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>
>>>>>>
>>>>
>> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
>>>>>> This message may contain confidential and/or privileged information.
>>>>>> If you are not the addressee or authorized to receive this for the
>>>>>> addressee, you must not use, copy, disclose, or take any action
>>>>>> based on this message or any information herein. If you have
>>>>>> received this message in error, please advise the sender
>>>>>> immediately by reply e-mail and delete this message. Thank you for
>> your cooperation.
>>>>>>
>>>>>>
>>>>>
>>>>> --------------------------------------------------------------------
>>>>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Basic SSL Certificate Usage logging
Posted by jo...@wellsfargo.com.INVALID.
Yes Chris, It's just for during startup. For a particular instance I would like to capture the Certificate Info and Truststore being used and pipe that into a separate log/txt file.
Thanks,
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Monday, January 9, 2023 8:10 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
>
> Jon,
>
> On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
> > Thanks for the info.
> >
> > In a nutshell I think the certpath,provider would be sufficient. I'm
> > thinking that I can add this to the java options as
> > -Djava.security.debug=ssl:certpath,provider however I don't know how
> > to specify where to log the information.
> java.security.debug is really a blunt instrument. It's unfortunate that it's one
> of the only ways to get information out of the TLS stack. It would have been
> great if Java had started using its own logging system once it was introduced,
> but no.
>
> That debugging tool always dumps to stdout (or stderr?) and you have very
> little control over where it goes.
>
> You would never want to use it for ongoing logging. It truly is for debugging-
> only.
>
> The good news is that application code should be able to get the information
> you are looking for.
>
> Oh, wait...
>
> > [...] I'm checking to see if there is any out-of-the-box option to
> > capture in a log which SSL certificate and trust keystore is being
> > used during startup?
> What do you mean "during startup"? I originally read that as "for incoming
> connections" thinking that you wanted to log which cert was used for a
> particular request. But it sounds like maybe you are asking for something to
> just be logged one-time during startup?
>
> -chris
>
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexander@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >> -----Original Message-----
> >> From: Christopher Schultz <ch...@christopherschultz.net>
> >> Sent: Friday, January 6, 2023 2:41 PM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> Mark,
> >>
> >> On 1/6/23 15:00, Mark Thomas wrote:
> >>> Hi Jon,
> >>>
> >>> In a word, no. Sorry.
> >>>
> >>> Some sort of info log message probably makes sense for this. SNI
> >>> makes things a little more complicated but we should be able to do
> something.
> >>> What is the minimum info you'd like to see?
> >>
> >> How about adding a request attribute with some kind of identifier (fpr?
> >> serial-number?) in it and indicates at least which server-cert was chosen.
> >> Then it can trivially be added to e.g. access_log or even to
> >> application code which wants to do custom logging.
> >>
> >> -chris
> >>
> >>> On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>>> Good afternoon and Happy New Year,
> >>>>
> >>>> I know about the SSL debug logging, however, I'm checking to see if
> >>>> there is any out-of-the-box option to capture in a log which SSL
> >>>> certificate and trust keystore is being used during startup?
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Dream * Excel * Explore * Inspire
> >>>> Jon McAlexander
> >>>> Senior Infrastructure Engineer
> >>>> Asst. Vice President
> >>>> He/His
> >>>>
> >>>> Middleware Product Engineering
> >>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>
> >>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>> MAC: F4469-010
> >>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>
> >>>>
> >>
> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
> >>>> This message may contain confidential and/or privileged information.
> >>>> If you are not the addressee or authorized to receive this for the
> >>>> addressee, you must not use, copy, disclose, or take any action
> >>>> based on this message or any information herein. If you have
> >>>> received this message in error, please advise the sender
> >>>> immediately by reply e-mail and delete this message. Thank you for
> your cooperation.
> >>>>
> >>>>
> >>>
> >>> --------------------------------------------------------------------
> >>> - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
Re: Basic SSL Certificate Usage logging
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jon,
On 1/6/23 15:53, jonmcalexander@wellsfargo.com.INVALID wrote:
> Thanks for the info.
>
> In a nutshell I think the certpath,provider would be sufficient. I'm
> thinking that I can add this to the java options as
> -Djava.security.debug=ssl:certpath,provider however I don't know how
> to specify where to log the information.
java.security.debug is really a blunt instrument. It's unfortunate that
it's one of the only ways to get information out of the TLS stack. It
would have been great if Java had started using its own logging system
once it was introduced, but no.
That debugging tool always dumps to stdout (or stderr?) and you have
very little control over where it goes.
You would never want to use it for ongoing logging. It truly is for
debugging-only.
The good news is that application code should be able to get the
information you are looking for.
Oh, wait...
> [...] I'm checking to see if there is any out-of-the-box option to
> capture in a log which SSL certificate and trust keystore is being
> used during startup?
What do you mean "during startup"? I originally read that as "for
incoming connections" thinking that you wanted to log which cert was
used for a particular request. But it sounds like maybe you are asking
for something to just be logged one-time during startup?
-chris
>
> Thanks,
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexander@wellsfargo.com
> This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
>
>> -----Original Message-----
>> From: Christopher Schultz <ch...@christopherschultz.net>
>> Sent: Friday, January 6, 2023 2:41 PM
>> To: users@tomcat.apache.org
>> Subject: Re: Basic SSL Certificate Usage logging
>>
>> Mark,
>>
>> On 1/6/23 15:00, Mark Thomas wrote:
>>> Hi Jon,
>>>
>>> In a word, no. Sorry.
>>>
>>> Some sort of info log message probably makes sense for this. SNI makes
>>> things a little more complicated but we should be able to do something.
>>> What is the minimum info you'd like to see?
>>
>> How about adding a request attribute with some kind of identifier (fpr?
>> serial-number?) in it and indicates at least which server-cert was chosen.
>> Then it can trivially be added to e.g. access_log or even to application code
>> which wants to do custom logging.
>>
>> -chris
>>
>>> On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>> Good afternoon and Happy New Year,
>>>>
>>>> I know about the SSL debug logging, however, I'm checking to see if
>>>> there is any out-of-the-box option to capture in a log which SSL
>>>> certificate and trust keystore is being used during startup?
>>>>
>>>> Thanks,
>>>>
>>>> Dream * Excel * Explore * Inspire
>>>> Jon McAlexander
>>>> Senior Infrastructure Engineer
>>>> Asst. Vice President
>>>> He/His
>>>>
>>>> Middleware Product Engineering
>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>
>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>> MAC: F4469-010
>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>
>>>>
>> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
>>>> This message may contain confidential and/or privileged information.
>>>> If you are not the addressee or authorized to receive this for the
>>>> addressee, you must not use, copy, disclose, or take any action based
>>>> on this message or any information herein. If you have received this
>>>> message in error, please advise the sender immediately by reply
>>>> e-mail and delete this message. Thank you for your cooperation.
>>>>
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Basic SSL Certificate Usage logging
Posted by jo...@wellsfargo.com.INVALID.
Hi Mark,
Thanks for the info.
In a nutshell I think the certpath,provider would be sufficient. I'm thinking that I can add this to the java options as -Djava.security.debug=ssl:certpath,provider however I don't know how to specify where to log the information.
Thanks,
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Friday, January 6, 2023 2:41 PM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
>
> Mark,
>
> On 1/6/23 15:00, Mark Thomas wrote:
> > Hi Jon,
> >
> > In a word, no. Sorry.
> >
> > Some sort of info log message probably makes sense for this. SNI makes
> > things a little more complicated but we should be able to do something.
> > What is the minimum info you'd like to see?
>
> How about adding a request attribute with some kind of identifier (fpr?
> serial-number?) in it and indicates at least which server-cert was chosen.
> Then it can trivially be added to e.g. access_log or even to application code
> which wants to do custom logging.
>
> -chris
>
> > On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID wrote:
> >> Good afternoon and Happy New Year,
> >>
> >> I know about the SSL debug logging, however, I'm checking to see if
> >> there is any out-of-the-box option to capture in a log which SSL
> >> certificate and trust keystore is being used during startup?
> >>
> >> Thanks,
> >>
> >> Dream * Excel * Explore * Inspire
> >> Jon McAlexander
> >> Senior Infrastructure Engineer
> >> Asst. Vice President
> >> He/His
> >>
> >> Middleware Product Engineering
> >> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>
> >> 8080 Cobblestone Rd | Urbandale, IA 50322
> >> MAC: F4469-010
> >> Tel 515-988-2508 | Cell 515-988-2508
> >>
> >>
> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
> >> This message may contain confidential and/or privileged information.
> >> If you are not the addressee or authorized to receive this for the
> >> addressee, you must not use, copy, disclose, or take any action based
> >> on this message or any information herein. If you have received this
> >> message in error, please advise the sender immediately by reply
> >> e-mail and delete this message. Thank you for your cooperation.
> >>
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Basic SSL Certificate Usage logging
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,
On 1/6/23 15:00, Mark Thomas wrote:
> Hi Jon,
>
> In a word, no. Sorry.
>
> Some sort of info log message probably makes sense for this. SNI makes
> things a little more complicated but we should be able to do something.
> What is the minimum info you'd like to see?
How about adding a request attribute with some kind of identifier (fpr?
serial-number?) in it and indicates at least which server-cert was
chosen. Then it can trivially be added to e.g. access_log or even to
application code which wants to do custom logging.
-chris
> On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID wrote:
>> Good afternoon and Happy New Year,
>>
>> I know about the SSL debug logging, however, I'm checking to see if
>> there is any out-of-the-box option to capture in a log which SSL
>> certificate and trust keystore is being used during startup?
>>
>> Thanks,
>>
>> Dream * Excel * Explore * Inspire
>> Jon McAlexander
>> Senior Infrastructure Engineer
>> Asst. Vice President
>> He/His
>>
>> Middleware Product Engineering
>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>
>> 8080 Cobblestone Rd | Urbandale, IA 50322
>> MAC: F4469-010
>> Tel 515-988-2508 | Cell 515-988-2508
>>
>> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
>> This message may contain confidential and/or privileged information.
>> If you are not the addressee or authorized to receive this for the
>> addressee, you must not use, copy, disclose, or take any action based
>> on this message or any information herein. If you have received this
>> message in error, please advise the sender immediately by reply e-mail
>> and delete this message. Thank you for your cooperation.
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Basic SSL Certificate Usage logging
Posted by Mark Thomas <ma...@apache.org>.
Hi Jon,
In a word, no. Sorry.
Some sort of info log message probably makes sense for this. SNI makes
things a little more complicated but we should be able to do something.
What is the minimum info you'd like to see?
Mark
On 06/01/2023 18:52, jonmcalexander@wellsfargo.com.INVALID wrote:
> Good afternoon and Happy New Year,
>
> I know about the SSL debug logging, however, I'm checking to see if there is any out-of-the-box option to capture in a log which SSL certificate and trust keystore is being used during startup?
>
> Thanks,
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
> This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org