Re: Logging TLS Session Failures
If you are using JSSE which you mentioned in earlier post, you probably can only enable debug for all or specially one -Djavax.net.debug=ssl:record or -Djavax.net.debug=ssl:handshake - but it will log all sessions You could try to register a customized SSL socket factory in JSSE, you may extend the default sun impl to overwrite the method, catch the exception and log the failure, and throw it. 2017-03-09 20:04 GMT+08:00 Durga Srinivasu Karuturi < durgasriniv...@gmail.com>: > Our application meaning on RHEL machine within JVM with embedded tomcat > (with single web-app) > > Okay, tomcat may not have this information on handshake failures. > > I need to see little higher level for capturing these failures. > > Thanks for answers so far. > > Thanks, > Durga Srinivasu > > On Thu, Mar 9, 2017 at 3:44 PM, André Warnier (tomcat)> wrote: > > > On 09.03.2017 09:34, Durga Srinivasu Karuturi wrote: > > > >> This is one of the requirement from FIPS/CC certification. > >> > >> Thanks, > >> Durga Srinivasu > >> > >> > > Durga, > > > > I believe that in your original post, you said : > > "We have a requirement in our application to log all TLS session > failures." > > > > You should probably have another look a the precise requirements, and the > > exact definition of "our application". > > Because it may be that the requirements are wrong, as far as you are > > concerned. > > > > It depends on what is included in "our application". > > In the java servlet container (like Tomcat) terminology, an "application" > > is a webapp. > > A webapp runs inside a servlet container. > > The servlet container (here Tomcat) runs inside a java JVM. > > The java JVM runs inside an OS. > > The OS runs inside a host. > > > > In that hierarchy, a webapp only sees a request, when the servlet > > container has received this request on one of its ports, and "delegates" > > the request to the webapp. > > By that time, the webapp does not even know through which interface the > > request came in, nor if that interface required HTTP, HTTPS or whatever > > other communications protocol. > > And if a TLS connection from a browser failed, the webapp is not even > > called, so it does not know anything about it. > > Of course the webapp cannot log a failure, if it is never called when > that > > failure happens. > > > > To move one level up : if a TLS connection from a browser fails, Tomcat > > probably never even sees that (because the connection never reaches > > Tomcat). So Tomcat cannot log this failure either. Tomcat is just telling > > some underlying layer of software (in the JVM, in the OS, or in some > > external library), what kind of connections to accept. But it does not > > manage these connections, it just "gets" a connection when it succeeds. > > > > So if you (your team, your company) is responsible for providing the > whole > > service, including the host, the OS, the JVM, the servlet container, and > > the webapp inside it, then the requirement may make sense. And then you > > have to look for the component, at the right level, which can provide > that > > information. (But it is not the webapp, and it is not Tomcat). > > > > At the other extreme, if you are providing only the web application, then > > the requirement does not make sense /for you/, because it is impossible. > > It is not that it does not make sense in general, but "as part of the > > webapp" it does not make sense. > > > > And that is what Christopher is also telling you (in a lot less words). > > > > > > > > On Wed, Mar 8, 2017 at 11:03 PM, Christopher Schultz < > >> ch...@christopherschultz.net> wrote: > >> > >> -BEGIN PGP SIGNED MESSAGE- > >>> Hash: SHA256 > >>> > >>> Durga, > >>> > >>> On 3/8/17 10:02 AM, Durga Srinivasu Karuturi wrote: > >>> > We are using JSSE only not APR. Looking for handshake failures. > > Yes, using JSSE SSL debug, we are able to get all handshake > (-Djavax.net.debug=ssl:handshake) logs including success cases. > These are still quite bit expense logs and meant for debug > purposes. As you said it might impact performance that's the > reason, trying for any other optimal solution here. > > >>> > >>> I know of no way to be notified about handshake failures on the server > >>> side. You may not be able to fulfill this requirement if using Java > >>> for your crypto. > >>> > >>> Honestly, I'm not sure why you care about failed TLS handshakes. Are > >>> you trying to implement a NIDS in your application? This is > >>> better-handled by a network component specifically-designed for this > >>> kind of thing. > >>> > >>> - -chris > >>> -BEGIN PGP SIGNATURE- > >>> Comment: GPGTools - http://gpgtools.org > >>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > >>> > >>> iQIcBAEBCAAGBQJYwEBVAAoJEBzwKT+lPKRYHzkP/1O2jPMu6Z9MBdnCF6LD7FQl > >>> LMWA6jmO2YjmZFPtJykyUXHuL3beBk/+5cPV275ZApp1brJmmqnxR68P4ZuedOwY > >>>
Tomcat upgrade from 7 to latest 8
Hello All, I am just trying upgrade tomcat 7 to latest GA 8 for my application, I am seeing quite lots of change in web dav functionality. The org.apache.naming.resources.ProxyDirContext do not exists do anybody know where I can find the alternative? in the past we got use resource to lookup something but now is not this one, can anybody know any doc? Jammy
Re: How-to disable SSL V3 on Tomcat 6.0.18.0
Hello Jason, Chris, Thanks for you answer and replying. I actually already tired that solution linked in the page https://access.redhat.com/solutions/1232233. but it does not work at all. Connector port=8443 protocol=org.apache.coyote.http11.Http11Protocol maxThreads=150 SSLEnabled=true scheme=https secure=true clientAuth=false sslProtocols = TLSv1,TLSv1.1,TLSv1.2 / Yes, this is common problem whatever the tomcat version is, SSL V3 is not safe any more, however, newer tomcat has ready configuration/solution for disable V3. since I am still in old version so I am looking for solution for version Tomcat/6.0.18. but no good luck until now. 2015-01-30 22:28 GMT+08:00 Christopher Schultz ch...@christopherschultz.net : -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Jason, On 1/30/15 4:32 AM, Jason Y wrote: Please refer to https://access.redhat.com/solutions/1232233 This link is /slightly/ out of date, in that it is missing more-recent information (i.e. support for TLSv1.1 and TLSv1.2 in tcnative versions after 1.1.21. By the way, why would you disable SSL? What is your current problem? I may have the same problem with tomcat 7.0.55... https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJUy5T+AAoJEBzwKT+lPKRYdBEQALUAXjY5wZHglrUU7vVQ00qd I1vdAhY5X6VXhfesK+cHYFdzIkedq15O+2J0MNY5G+SivUPXvWw1xd2VIflpsfCp VBf6/d3qHVRwmyAdYHWRtP6CRyWfvYY24YO/UO5EuD4Uellrr5DVEeZvfMnyuZJf IqnZ4NphqVNtar+EUkZ5FH1TyiVVDGmReZcEtLEA8Y2WJGUzcloALRoUMq8dmPQJ 4u38hDH/K0CpTsoxgQQJBtppFxxbK6c4klsTQO/eWZohSngL8JF0jPKiYjr3RFV6 4bT/2DNaoTENUiB8+9qLiGdWhRUofs8qM2/WXo4/Z4eekMSaqFCtRtW5gfelgIhn D750yqJZtycz+7X+jpnM2724SE3cPc2DxCXZ4mYGG2bH+LAi2bUOBkJYnhUbNpUB mtEkePXFgBjl4luP57w0+hIohH09q5E6a4206uQzN+0+MFgVtWu3498Ys9OSBO1q fMaiOk1vvcH3MELuOnseyKA3YyR2AppttQHp+6YJ7YePNx3EuewAoOEBLo2hP5tF zH4Uu1cUSRe/HSdsnwglHw/xzE9QOn5bc6s5lne0Y9E+8+CP+9cJcFV7D6dA6fDB ul0cuFbIoyHu2VhUmtnDvuxNS6/xgTy3Nioc0G6jdOTaqR7AxhQx/vyaruN+dGK+ w1vZbFCCmCe2toKLWdPy =D+1m -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
How-to disable SSL V3 on Tomcat 6.0.18.0
Hello team, Do everybody knows how-to disable SSL v3 in older tomcat version, I have tried to variety solution including sslProtocols or sslEnabledProtocols but it both did not work well, the Firefox I am using to test is only select TLS 1 and result is that I were not able to access the site. Connector port=8443 protocol=org.apache.coyote.http11.Http11Protocol maxThreads=150 SSLEnabled=true scheme=https secure=true clientAuth=false sslProtocols = TLSv1,TLSv1.1,TLSv1.2 keystoreFile=keystore.jks keystorePass=a123 keyAlias=sslkey / Below is the server information: Server version: Apache Tomcat/6.0.18 Server built: Jul 22 2008 02:00:36 Server number: 6.0.18.0 OS Name:Windows 2003 OS Version: 5.2 Architecture: x86 JVM Version:1.6.0-b105 JVM Vendor: Sun Microsystems Inc Thanks
Re: How-to disable SSL V3 on Tomcat 6.0.18.0
Hello Chuck, Thanks for replying, I understood this is old, our product has already upgraded to latest version, but somehow, some of our users are still in such old stage, they do not plan uptake now but they want disable SSL V3 as everybody know this is big security vulnerability. *so now the important thing is how I can disable SSL V3 on Tomcat 6.0.18.0? I cannot find the solution* Jammy 2015-01-29 22:00 GMT+08:00 Caldarale, Charles R chuck.caldar...@unisys.com : From: Jammy Chen [mailto:jamm...@gmail.com] Subject: How-to disable SSL V3 on Tomcat 6.0.18.0 Do everybody knows how-to disable SSL v3 in older tomcat version Server version: Apache Tomcat/6.0.18 Server built: Jul 22 2008 02:00:36 Yes - move up to a current level and read the docs. Seriously, if you're using a Tomcat of that vintage (this one is more than 6.5 years old), you have a lot more security issues to worry about than SSLv3. It's irresponsible not to upgrade. OS Name:Windows 2003 A few months from end-of-life. JVM Version:1.6.0-b105 Two years past end-of-life. Is there a pattern here? - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org