Re: Logging TLS Session Failures

[Jammy Chen]

If you are using JSSE which you mentioned in earlier post, you probably can
only enable debug for all or specially one
-Djavax.net.debug=ssl:record or -Djavax.net.debug=ssl:handshake - but it
will log all sessions

You could try to register a customized SSL socket factory in JSSE, you may
extend the default sun impl to overwrite the method, catch the exception
and log the failure, and throw it.

2017-03-09 20:04 GMT+08:00 Durga Srinivasu Karuturi <
durgasriniv...@gmail.com>:

> Our application meaning on RHEL machine within JVM with embedded tomcat
> (with single web-app)
>
> Okay, tomcat may not have this information on handshake failures.
>
> I need to see little higher level for capturing these failures.
>
> Thanks for answers so far.
>
> Thanks,
> Durga Srinivasu
>
> On Thu, Mar 9, 2017 at 3:44 PM, André Warnier (tomcat) 
> wrote:
>
> > On 09.03.2017 09:34, Durga Srinivasu Karuturi wrote:
> >
> >> This is one of the requirement from FIPS/CC certification.
> >>
> >> Thanks,
> >> Durga Srinivasu
> >>
> >>
> > Durga,
> >
> > I believe that in your original post, you said :
> > "We have a requirement in our application to log all TLS session
> failures."
> >
> > You should probably have another look a the precise requirements, and the
> > exact definition of "our application".
> > Because it may be that the requirements are wrong, as far as you are
> > concerned.
> >
> > It depends on what is included in "our application".
> > In the java servlet container (like Tomcat) terminology, an "application"
> > is a webapp.
> > A webapp runs inside a servlet container.
> > The servlet container (here Tomcat) runs inside a java JVM.
> > The java JVM runs inside an OS.
> > The OS runs inside a host.
> >
> > In that hierarchy, a webapp only sees a request, when the servlet
> > container has received this request on one of its ports, and "delegates"
> > the request to the webapp.
> > By that time, the webapp does not even know through which interface the
> > request came in, nor if that interface required HTTP, HTTPS or whatever
> > other communications protocol.
> > And if a TLS connection from a browser failed, the webapp is not even
> > called, so it does not know anything about it.
> > Of course the webapp cannot log a failure, if it is never called when
> that
> > failure happens.
> >
> > To move one level up : if a TLS connection from a browser fails, Tomcat
> > probably never even sees that (because the connection never reaches
> > Tomcat). So Tomcat cannot log this failure either. Tomcat is just telling
> > some underlying layer of software (in the JVM, in the OS, or in some
> > external library), what kind of connections to accept. But it does  not
> > manage these connections, it just "gets" a connection when it succeeds.
> >
> > So if you (your team, your company) is responsible for providing the
> whole
> > service, including the host, the OS, the JVM, the servlet container, and
> > the webapp inside it, then the requirement may make sense. And then you
> > have to look for the component, at the right level, which can provide
> that
> > information. (But it is not the webapp, and it is not Tomcat).
> >
> > At the other extreme, if you are providing only the web application, then
> > the requirement does not make sense /for you/, because it is impossible.
> > It is not that it does not make sense in general, but "as part of the
> > webapp" it does not make sense.
> >
> > And that is what Christopher is also telling you (in a lot less words).
> >
> >
> >
> > On Wed, Mar 8, 2017 at 11:03 PM, Christopher Schultz <
> >> ch...@christopherschultz.net> wrote:
> >>
> >> -BEGIN PGP SIGNED MESSAGE-
> >>> Hash: SHA256
> >>>
> >>> Durga,
> >>>
> >>> On 3/8/17 10:02 AM, Durga Srinivasu Karuturi wrote:
> >>>
>  We are using JSSE only not APR. Looking for handshake failures.
> 
>  Yes, using JSSE SSL debug, we are able to get all handshake
>  (-Djavax.net.debug=ssl:handshake) logs including success cases.
>  These are still quite bit expense logs and meant for debug
>  purposes. As you said it might impact performance that's the
>  reason, trying for any other optimal solution here.
> 
> >>>
> >>> I know of no way to be notified about handshake failures on the server
> >>> side. You may not be able to fulfill this requirement if using Java
> >>> for your crypto.
> >>>
> >>> Honestly, I'm not sure why you care about failed TLS handshakes. Are
> >>> you trying to implement a NIDS in your application? This is
> >>> better-handled by a network component specifically-designed for this
> >>> kind of thing.
> >>>
> >>> - -chris
> >>> -BEGIN PGP SIGNATURE-
> >>> Comment: GPGTools - http://gpgtools.org
> >>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> >>>
> >>> iQIcBAEBCAAGBQJYwEBVAAoJEBzwKT+lPKRYHzkP/1O2jPMu6Z9MBdnCF6LD7FQl
> >>> LMWA6jmO2YjmZFPtJykyUXHuL3beBk/+5cPV275ZApp1brJmmqnxR68P4ZuedOwY
> >>> 

Tomcat upgrade from 7 to latest 8

[Jammy Chen]

Hello All,

I am just trying upgrade tomcat 7 to latest GA 8 for my application, I am
seeing quite lots of change in web dav functionality.

The org.apache.naming.resources.ProxyDirContext do not exists do anybody
know where I can find the alternative? in the past we got use resource to
lookup something but now is not this one, can anybody know any doc?


Jammy

Re: How-to disable SSL V3 on Tomcat 6.0.18.0

[Jammy Chen]

Hello Jason, Chris,

Thanks for you answer and replying.

I actually already tired that solution linked in the page
https://access.redhat.com/solutions/1232233. but it does not work at all.

 Connector port=8443 protocol=org.apache.coyote.http11.Http11Protocol
   maxThreads=150 SSLEnabled=true scheme=https secure=true
   clientAuth=false sslProtocols = TLSv1,TLSv1.1,TLSv1.2 /


Yes, this is common problem whatever the tomcat version is, SSL V3 is not
safe any more, however, newer tomcat has ready configuration/solution for
disable V3. since I am still in old version so I am looking for solution
for version Tomcat/6.0.18. but no good luck until now.


2015-01-30 22:28 GMT+08:00 Christopher Schultz ch...@christopherschultz.net
:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Jason,

 On 1/30/15 4:32 AM, Jason Y wrote:
  Please refer to https://access.redhat.com/solutions/1232233

 This link is /slightly/ out of date, in that it is missing more-recent
 information (i.e. support for TLSv1.1 and TLSv1.2 in tcnative versions
 after 1.1.21.

  By the way, why would you disable SSL? What is your current
  problem? I may have the same problem with tomcat 7.0.55...


 https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack

 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1
 Comment: GPGTools - http://gpgtools.org

 iQIcBAEBCAAGBQJUy5T+AAoJEBzwKT+lPKRYdBEQALUAXjY5wZHglrUU7vVQ00qd
 I1vdAhY5X6VXhfesK+cHYFdzIkedq15O+2J0MNY5G+SivUPXvWw1xd2VIflpsfCp
 VBf6/d3qHVRwmyAdYHWRtP6CRyWfvYY24YO/UO5EuD4Uellrr5DVEeZvfMnyuZJf
 IqnZ4NphqVNtar+EUkZ5FH1TyiVVDGmReZcEtLEA8Y2WJGUzcloALRoUMq8dmPQJ
 4u38hDH/K0CpTsoxgQQJBtppFxxbK6c4klsTQO/eWZohSngL8JF0jPKiYjr3RFV6
 4bT/2DNaoTENUiB8+9qLiGdWhRUofs8qM2/WXo4/Z4eekMSaqFCtRtW5gfelgIhn
 D750yqJZtycz+7X+jpnM2724SE3cPc2DxCXZ4mYGG2bH+LAi2bUOBkJYnhUbNpUB
 mtEkePXFgBjl4luP57w0+hIohH09q5E6a4206uQzN+0+MFgVtWu3498Ys9OSBO1q
 fMaiOk1vvcH3MELuOnseyKA3YyR2AppttQHp+6YJ7YePNx3EuewAoOEBLo2hP5tF
 zH4Uu1cUSRe/HSdsnwglHw/xzE9QOn5bc6s5lne0Y9E+8+CP+9cJcFV7D6dA6fDB
 ul0cuFbIoyHu2VhUmtnDvuxNS6/xgTy3Nioc0G6jdOTaqR7AxhQx/vyaruN+dGK+
 w1vZbFCCmCe2toKLWdPy
 =D+1m
 -END PGP SIGNATURE-

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

How-to disable SSL V3 on Tomcat 6.0.18.0

[Jammy Chen]

Hello team,



Do everybody knows how-to disable SSL v3 in older tomcat version, I have
tried to variety solution including sslProtocols or sslEnabledProtocols but
it both did not work well, the Firefox I am using to test is only select
TLS 1 and result is that I were not able to access the site.



Connector port=8443
protocol=org.apache.coyote.http11.Http11Protocol

  maxThreads=150 SSLEnabled=true scheme=https
secure=true

  clientAuth=false sslProtocols = TLSv1,TLSv1.1,TLSv1.2
 keystoreFile=keystore.jks

 keystorePass=a123

 keyAlias=sslkey  /



Below is the server information:



Server version: Apache Tomcat/6.0.18

Server built:   Jul 22 2008 02:00:36

Server number:  6.0.18.0

OS Name:Windows 2003

OS Version: 5.2

Architecture:   x86

JVM Version:1.6.0-b105

JVM Vendor: Sun Microsystems Inc


Thanks

Re: How-to disable SSL V3 on Tomcat 6.0.18.0

[Jammy Chen]

Hello Chuck,

Thanks for replying, I understood this is old, our product has already
upgraded to latest version, but somehow, some of our users are still in
such old stage, they do not plan uptake now but they want disable SSL V3 as
everybody know this is big security vulnerability.


*so now the important thing is how I can disable SSL V3 on Tomcat 6.0.18.0?
I cannot find the solution*

Jammy

2015-01-29 22:00 GMT+08:00 Caldarale, Charles R chuck.caldar...@unisys.com
:

  From: Jammy Chen [mailto:jamm...@gmail.com]
  Subject: How-to disable SSL V3 on Tomcat 6.0.18.0

  Do everybody knows how-to disable SSL v3 in older tomcat version

  Server version: Apache Tomcat/6.0.18
  Server built:   Jul 22 2008 02:00:36

 Yes - move up to a current level and read the docs.

 Seriously, if you're using a Tomcat of that vintage (this one is more than
 6.5 years old), you have a lot more security issues to worry about than
 SSLv3.  It's irresponsible not to upgrade.

  OS Name:Windows 2003

 A few months from end-of-life.

  JVM Version:1.6.0-b105

 Two years past end-of-life.

 Is there a pattern here?

  - Chuck


 THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
 MATERIAL and is thus for use only by the intended recipient. If you
 received this in error, please contact the sender and delete the e-mail and
 its attachments from all computers.


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org