Re: AW: SSL handshake failure logs required for auditing purpose

2022-07-07 Thread Ragavendhiran Bhiman (rabhiman)
Thanks a lot for all your replies.

This auditing is for Common Criteria certification. The OS we use is Red Hat
Linux.
As you know, Common Criteria requires that these handshake failures be
redirected to a syslog server.
Any attempt via tcpdump/Wireshark is not acceptable to the certification.
So it needs to be only the syslogs.
I think from 9.0.65 it should be easy.
For the existing versions, yes, the log needs to be in syslog until it rotates.
If it gives cipher details that's good, but importantly it should give the IPs.

Once again thanks a lot for your overwhelming responses. If I will be able to 
close this today, it is pretty great.

Also let me know: in 9.0.65, is there any detailed attempt made to log about the 
SSL handshake including the ciphers etc.?

Regards,

Raghav

From: Christopher Schultz 
Date: Friday, 8 July 2022 at 12:05 AM
To: users@tomcat.apache.org 
Subject: Re: AW: SSL handshake failure logs required for auditing purpose
Thomas,

On 7/7/22 13:36, Thomas Hoffmann (Speed4Trade GmbH) wrote:
>
>
>> -Original Message-
>> From: Thomas Hoffmann (Speed4Trade GmbH)
>> 
>> Sent: Thursday, 7 July 2022 19:23
>> To: Tomcat Users List 
>> Subject: AW: SSL handshake failure logs required for auditing purpose
>>
>> Hello Raghav,
>>
>>> -Original Message-
>>> From: Ragavendhiran Bhiman (rabhiman) 
>>> Sent: Thursday, 7 July 2022 18:13
>>> To: Tomcat Users List 
>>> Subject: Re: SSL handshake failure logs required for auditing purpose
>>>
>>> Version of Tomcat used: 9.0.x.
>>> Kindly help on the SSL logging for auditing purposes other than the -D
>>> javax.net option.
>>>
>>> From: Ragavendhiran Bhiman (rabhiman) 
>>> Date: Thursday, 7 July 2022 at 9:41 PM
>>> To: users@tomcat.apache.org 
>>> Subject: SSL handshake failure logs required for auditing purpose
>>> Hi All,
>>>
>>> I require your kind help in logging the SSL connection failure logs
>>> including IP in Tomcat. Is there any best way to do it without
>>> performance impact other than -Djava.net debugs in the JDK? Is there any
>>> direct way from Tomcat? Or is there any way we can derive any class from
>>> the JSSE extension classes and add a HandShakeListener while using the
>>> connectors? All our SSL connections are going through connectors. So
>>> I kindly need your help on how to log those SSL connection auditing logs
>>> through the best method.
>>> Thanks a lot in advance.
>>>
>>> Regards,
>>> Raghav
>>
>> Which OS are you using?
>> Can you use Wireshark or tcpdump for your purposes?
>> If you are using Chrome or FF as the client, you can set the environment variable
>> SSLKEYLOGFILE to write the current key to a file which Wireshark can take to
>> decrypt the traffic.
>>
>> The handshake itself is not encrypted. If the handshake is enough, tcpdump
>> or Wireshark are sufficient.
>>
>> Greetings,
>> Thomas
>>
>
> Short addendum:
> 1) Do you want to write the log permanently or just for an audit session?
> 2) Which details do you want to log? Agreed cipher? Ciphers offered by the 
> client? SNI header? ...?
> 3) What is the purpose of the logging?
>    Insecure ciphers can be mitigated by server configuration.

I think he wants to implement a poor man's NIDS.

Raghav, please be aware that any web browser that first attempts to use
an SSLv3/TLSv1/TLSv1.3 handshake, fails, and retries with a
TLSv1.2/similar handshake will cause massive numbers of false positives
in your logs.

I would ask whoever is requesting this logging why they are looking at
such failures. Handshake failures are not always indicative of some kind
of intrusion attempt.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


Re: AW: SSL handshake failure logs required for auditing purpose

2022-07-07 Thread Christopher Schultz

Thomas,

On 7/7/22 13:36, Thomas Hoffmann (Speed4Trade GmbH) wrote:
>
>
>> -Original Message-
>> From: Thomas Hoffmann (Speed4Trade GmbH)
>> 
>> Sent: Thursday, 7 July 2022 19:23
>> To: Tomcat Users List 
>> Subject: AW: SSL handshake failure logs required for auditing purpose
>>
>> Hello Raghav,
>>
>>> -Original Message-
>>> From: Ragavendhiran Bhiman (rabhiman) 
>>> Sent: Thursday, 7 July 2022 18:13
>>> To: Tomcat Users List 
>>> Subject: Re: SSL handshake failure logs required for auditing purpose
>>>
>>> Version of Tomcat used: 9.0.x.
>>> Kindly help on the SSL logging for auditing purposes other than the -D
>>> javax.net option.
>>>
>>> From: Ragavendhiran Bhiman (rabhiman) 
>>> Date: Thursday, 7 July 2022 at 9:41 PM
>>> To: users@tomcat.apache.org 
>>> Subject: SSL handshake failure logs required for auditing purpose
>>> Hi All,
>>>
>>> I require your kind help in logging the SSL connection failure logs
>>> including IP in Tomcat. Is there any best way to do it without
>>> performance impact other than -Djava.net debugs in the JDK? Is there any
>>> direct way from Tomcat? Or is there any way we can derive any class from
>>> the JSSE extension classes and add a HandShakeListener while using the
>>> connectors? All our SSL connections are going through connectors. So
>>> I kindly need your help on how to log those SSL connection auditing logs
>>> through the best method.
>>> Thanks a lot in advance.
>>>
>>> Regards,
>>> Raghav
>>
>> Which OS are you using?
>> Can you use Wireshark or tcpdump for your purposes?
>> If you are using Chrome or FF as the client, you can set the environment variable
>> SSLKEYLOGFILE to write the current key to a file which Wireshark can take to
>> decrypt the traffic.
>>
>> The handshake itself is not encrypted. If the handshake is enough, tcpdump
>> or Wireshark are sufficient.
>>
>> Greetings,
>> Thomas
>>
>
> Short addendum:
> 1) Do you want to write the log permanently or just for an audit session?
> 2) Which details do you want to log? Agreed cipher? Ciphers offered by the 
> client? SNI header? ...?
> 3) What is the purpose of the logging?
>    Insecure ciphers can be mitigated by server configuration.

I think he wants to implement a poor man's NIDS.

Raghav, please be aware that any web browser that first attempts to use 
an SSLv3/TLSv1/TLSv1.3 handshake, fails, and retries with a 
TLSv1.2/similar handshake will cause massive numbers of false positives 
in your logs.

I would ask whoever is requesting this logging why they are looking at 
such failures. Handshake failures are not always indicative of some kind 
of intrusion attempt.


-chris

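As an added example (not code from this thread, from Tomcat, or from any of its authors), here is a small Python triage script for the kind of handshake-failure log Raghav wants shipped to syslog. The exact message layout of Tomcat 9.0.65's handshake logger is not shown in the thread, so the sample lines and the regex below use a constructed `timestamp ip EVENT key=value` format that you would adapt to your actual logger output; the hostname, the syslog facility and the thresholds are assumptions as well. Every failure is still emitted as an RFC 5424-style record (the certification requirement); following Chris's point, an alert is only raised for a client whose failures are not followed by a successful handshake within a short window, which is what a browser's protocol-fallback retry looks like in the log.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (assumed format, not Tomcat's real handshake
# logger output): "<ISO timestamp> <client ip> HANDSHAKE_FAIL|HANDSHAKE_OK k=v ..."
SAMPLE_LOG = """\
2022-07-07T17:11:00Z 203.0.113.10 HANDSHAKE_FAIL protocol=TLSv1 reason=protocol_version
2022-07-07T17:11:01Z 203.0.113.10 HANDSHAKE_OK protocol=TLSv1.2 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2022-07-07T17:11:05Z 198.51.100.7 HANDSHAKE_FAIL protocol=TLSv1.2 reason=no_shared_cipher
2022-07-07T17:11:06Z 198.51.100.7 HANDSHAKE_FAIL protocol=TLSv1.2 reason=no_shared_cipher
2022-07-07T17:11:07Z 198.51.100.7 HANDSHAKE_FAIL protocol=TLSv1.2 reason=no_shared_cipher
2022-07-07T17:12:30Z 192.0.2.44 HANDSHAKE_FAIL protocol=TLSv1.3 reason=certificate_unknown
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>HANDSHAKE_(?:FAIL|OK))(?P<kv>(?: \S+=\S+)*)$"
)

# RFC 5424 PRI = facility * 8 + severity; facility 4 (auth) and severity 4
# (warning) are assumed here, pick whatever your syslog server expects.
SYSLOG_PRI = 4 * 8 + 4


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m.group("ip"), "ok": m.group("event") == "HANDSHAKE_OK", **fields}


def syslog_line(event, hostname="tomcat-host"):
    """Render a failure as an RFC 5424-style line; every failure is recorded, none dropped."""
    extra = " ".join(f"{k}={v}" for k, v in event.items() if k not in ("ts", "ip", "ok"))
    return (f"<{SYSLOG_PRI}>1 {event['ts'].isoformat()} {hostname} tomcat - TLSFAIL - "
            f"ip={event['ip']} {extra}")


def triage(lines, fallback_window_s=5, alert_threshold=3):
    """Return (audit_lines, alerts).

    audit_lines: one syslog record per handshake failure, for the auditor.
    alerts: (ip, unexplained_failures) for clients whose failures were NOT
            followed by a successful handshake within fallback_window_s,
            i.e. the cases that do not look like a browser retrying with a
            different protocol version.
    """
    by_ip = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_ip[event["ip"]].append(event)

    audit, alerts = [], []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        unexplained = 0
        for i, event in enumerate(events):
            if event["ok"]:
                continue
            audit.append(syslog_line(event))
            later_success = any(
                later["ok"] and (later["ts"] - event["ts"]).total_seconds() <= fallback_window_s
                for later in events[i + 1:]
            )
            if not later_success:
                unexplained += 1
        if unexplained >= alert_threshold:
            alerts.append((ip, unexplained))
    return audit, alerts


if __name__ == "__main__":
    audit_lines, suspicious = triage(SAMPLE_LOG.splitlines())
    print("\n".join(audit_lines))
    print("alert:", suspicious)
```

In the constructed sample the first client fails on TLSv1 and succeeds on TLSv1.2 one second later, so it is recorded but not alerted on; the second client fails three times with no success and is flagged; the third has a single unexplained failure below the threshold. The audit records and the alerting are deliberately separate outputs, so tuning the alert heuristics never affects what reaches the syslog server.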



RE: SSL handshake failure logs required for auditing purpose

2022-07-07 Thread jonmcalexander
Tre's Bueno!

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Thursday, July 7, 2022 1:22 PM
> To: users@tomcat.apache.org
> Subject: Re: SSL handshake failure logs required for auditing purpose
> 
> The next release (9.0.65) will have a dedicated logger for TLS handshake
> failures. You will be able to configure it like any other logger - including
> directing it to a dedicated file.
> 
> Mark
> 
> 
> On 07/07/2022 17:11, Ragavendhiran Bhiman (rabhiman) wrote:
> > Hi All,
> >
> > I require your kind help in logging the SSL connection failure logs 
> > including IP in Tomcat. Is there any best way to do it without performance impact
> > other than -Djava.net debugs in the JDK? Is there any direct way from Tomcat? Or
> > is there any way we can derive any class from the JSSE extension classes and add a
> > HandShakeListener while using the connectors? All our SSL connections are
> > going through connectors. So I kindly need your help on how to log those SSL
> > connection auditing logs through the best method.
> > Thanks a lot in advance.
> >
> > Regards,
> > Raghav
> >
> >



Re: SSL handshake failure logs required for auditing purpose

2022-07-07 Thread Mark Thomas
The next release (9.0.65) will have a dedicated logger for TLS handshake 
failures. You will be able to configure it like any other logger - 
including directing it to a dedicated file.


Mark


On 07/07/2022 17:11, Ragavendhiran Bhiman (rabhiman) wrote:

> Hi All,
>
> I require your kind help in logging the SSL connection failure logs including 
> IP in Tomcat. Is there any best way to do it without performance impact 
> other than -Djava.net debugs in the JDK? Is there any direct way from Tomcat? Or 
> is there any way we can derive any class from the JSSE extension classes and add a 
> HandShakeListener while using the connectors? All our SSL connections are going 
> through connectors. So I kindly need your help on how to log those SSL connection 
> auditing logs through the best method.
> Thanks a lot in advance.
>
> Regards,
> Raghav







AW: SSL handshake failure logs required for auditing purpose

2022-07-07 Thread Thomas Hoffmann (Speed4Trade GmbH)



> -Original Message-
> From: Thomas Hoffmann (Speed4Trade GmbH)
> 
> Sent: Thursday, 7 July 2022 19:23
> To: Tomcat Users List 
> Subject: AW: SSL handshake failure logs required for auditing purpose
> 
> Hello Raghav,
> 
> > -Original Message-
> > From: Ragavendhiran Bhiman (rabhiman) 
> > Sent: Thursday, 7 July 2022 18:13
> > To: Tomcat Users List 
> > Subject: Re: SSL handshake failure logs required for auditing purpose
> >
> > Version of Tomcat used: 9.0.x.
> > Kindly help on the SSL logging for auditing purposes other than the -D
> > javax.net option.
> >
> > From: Ragavendhiran Bhiman (rabhiman) 
> > Date: Thursday, 7 July 2022 at 9:41 PM
> > To: users@tomcat.apache.org 
> > Subject: SSL handshake failure logs required for auditing purpose
> > Hi All,
> >
> > I require your kind help in logging the SSL connection failure logs
> > including IP in Tomcat. Is there any best way to do it without
> > performance impact other than -Djava.net debugs in the JDK? Is there any
> > direct way from Tomcat? Or is there any way we can derive any class from
> > the JSSE extension classes and add a HandShakeListener while using the
> > connectors? All our SSL connections are going through connectors. So
> > I kindly need your help on how to log those SSL connection auditing logs
> > through the best method.
> > Thanks a lot in advance.
> >
> > Regards,
> > Raghav
> 
> Which OS are you using?
> Can you use Wireshark or tcpdump for your purposes?
> If you are using Chrome or FF as the client, you can set the environment variable
> SSLKEYLOGFILE to write the current key to a file which Wireshark can take to
> decrypt the traffic.
> 
> The handshake itself is not encrypted. If the handshake is enough, tcpdump
> or Wireshark are sufficient.
> 
> Greetings,
> Thomas
> 

Short addendum:
1) Do you want to write the log permanently or just for an audit session?
2) Which details do you want to log? Agreed cipher? Ciphers offered by the 
client? SNI header? ...?
3) What is the purpose of the logging?
   Insecure ciphers can be mitigated by server configuration.




AW: SSL handshake failure logs required for auditing purpose

2022-07-07 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Raghav,

> -Original Message-
> From: Ragavendhiran Bhiman (rabhiman) 
> Sent: Thursday, 7 July 2022 18:13
> To: Tomcat Users List 
> Subject: Re: SSL handshake failure logs required for auditing purpose
> 
> Version of Tomcat used: 9.0.x.
> Kindly help on the SSL logging for auditing purposes other than the -D javax.net
> option.
> 
> From: Ragavendhiran Bhiman (rabhiman) 
> Date: Thursday, 7 July 2022 at 9:41 PM
> To: users@tomcat.apache.org 
> Subject: SSL handshake failure logs required for auditing purpose
> Hi All,
> 
> I require your kind help in logging the SSL connection failure logs including 
> IP in Tomcat. Is there any best way to do it without performance impact
> other than -Djava.net debugs in the JDK? Is there any direct way from Tomcat? Or
> is there any way we can derive any class from the JSSE extension classes and add a
> HandShakeListener while using the connectors? All our SSL connections are
> going through connectors. So I kindly need your help on how to log those SSL
> connection auditing logs through the best method.
> Thanks a lot in advance.
> 
> Regards,
> Raghav

Which OS are you using?
Can you use Wireshark or tcpdump for your purposes?
If you are using Chrome or FF as the client, you can set the environment variable 
SSLKEYLOGFILE
to write the current key to a file which Wireshark can take to decrypt the 
traffic.

The handshake itself is not encrypted. If the handshake is enough, tcpdump or 
Wireshark are sufficient.

Greetings,
Thomas





Re: SSL handshake failure logs required for auditing purpose

2022-07-07 Thread Ragavendhiran Bhiman (rabhiman)
Version of Tomcat used: 9.0.x.
Kindly help on the SSL logging for auditing purposes other than the -D javax.net 
option.

From: Ragavendhiran Bhiman (rabhiman) 
Date: Thursday, 7 July 2022 at 9:41 PM
To: users@tomcat.apache.org 
Subject: SSL handshake failure logs required for auditing purpose
Hi All,

I require your kind help in logging the SSL connection failure logs including 
IP in Tomcat. Is there any best way to do it without performance impact 
other than -Djava.net debugs in the JDK? Is there any direct way from Tomcat? Or 
is there any way we can derive any class from the JSSE extension classes and add a 
HandShakeListener while using the connectors? All our SSL connections are going 
through connectors. So I kindly need your help on how to log those SSL connection 
auditing logs through the best method.
Thanks a lot in advance.

Regards,
Raghav


SSL handshake failure logs required for auditing purpose

2022-07-07 Thread Ragavendhiran Bhiman (rabhiman)
Hi All,

I require your kind help in logging the SSL connection failure logs including 
IP in Tomcat. Is there any best way to do it without performance impact 
other than -Djava.net debugs in the JDK? Is there any direct way from Tomcat? Or 
is there any way we can derive any class from the JSSE extension classes and add a 
HandShakeListener while using the connectors? All our SSL connections are going 
through connectors. So I kindly need your help on how to log those SSL connection 
auditing logs through the best method.
Thanks a lot in advance.

Regards,
Raghav



Re: Tomcat freezes with axios

2022-07-07 Thread Stephane Passignat

Hi Christopher,

I'm agreeing with you about long transactions for a general JEE 
application design. But that's probably the one case over a million.


Tomcat is used as the middle-tier server for a JDBC type 3 driver, with 
IDEs as a front-end. In this situation we know transactions can be 
longer than application ones (if we exclude conversation patterns).


This solution helps us a lot to enforce security on "direct" database 
accesses (maintenance, data fixing, ...). It also provides a very 
useful audit trail.



Transactions were really too long because some users forgot to commit 
(or rollback) their work, on several parallel connections... As I was 
doing the first runs of a new JS application at the same time, I thought 
it was this new application.



Stephane



On 2022-07-06 at 23:37, Christopher Schultz wrote:
>
> Stephane,
>
> On 7/6/22 07:12, Stephane Passignat wrote:
>> Thanks for your help. I found that someone else was freezing the API 
>> server through the database (very long running uncommitted 
>> transactions).
>
> That'll definitely do it.
>
> This kind of thing isn't going to work in the real world: tying up a 
> database with a transaction that lasts even a few seconds is going to 
> absolutely kill your performance.
>
> You need to work with that other group to figure out why they need 
> long-running transactions and figure out how to solve the problem in a 
> different way.
>
> You should also protect yourself and set timeouts on writes so that, if 
> they fail, they fail "fast" and don't appear to freeze. You should be 
> able to detect a write timeout and reply to the API user saying 
> "sorry, write failed after N ms" or something like that. Otherwise, 
> you run the risk of a single uncommitted transaction stalling your 
> entire business while writes pile up. Users tired of waiting will 
> re-request the same write over and over again. When the initial 
> transaction finally commits, you'll have a huge storm of writes 
> hitting your database all at the same time. It will be a mess.
>
>> Anyway I also limited the number of parallel connections on the 
>> javascript side (axios).
>
> This is always an excellent idea. There is no reason for a single 
> client to be making huge numbers of queries to your database 
> simultaneously.
>
> -chris
>
>> On 2022-06-30 at 18:42, Christopher Schultz wrote:
>>> All,
>>>
>>> On 6/30/22 02:34, Mark Thomas wrote:
>>>> Hi,
>>>>
>>>> We need more information to help you.
>>>>
>>>> Tomcat version?
>>>>
>>>> Tomcat connector configuration (from server.xml)?
>>>>
>>>> httpd version?
>>>>
>>>> httpd MPM and configuration?
>>>>
>>>> mod_proxy configuration?
>>>>
>>>> Was the httpd restart graceful or not?
>>>
>>> Wild guess: missing finally { java.sql.Connection.close(); }
>>>
>>> -chris
>>>
>>>> On 29/06/2022 19:36, Stephane Passignat wrote:
>>>>> Hello,
>>>>>
>>>>> I'm creating a SAP application performing REST calls on an API 
>>>>> running on Tomcat. Tomcat runs behind an Apache reverse proxy and 
>>>>> communication between them uses HTTP. The calls are executed with 
>>>>> axios using basic authentication.
>>>>>
>>>>> Everything runs fine for a moment, but for an unknown reason all 
>>>>> HTTP requests are hanging after some time and hundreds or maybe 
>>>>> thousands of requests (if these metrics make any sense).
>>>>>
>>>>> In Chrome, the requests are in a 'pending' status.
>>>>>
>>>>> Restarting Chrome allows one or two requests and then the issue 
>>>>> occurs again.
>>>>>
>>>>> Restarting Apache doesn't change anything.
>>>>>
>>>>> Restarting Tomcat resolves the situation. Tomcat shutdown is a bit 
>>>>> longer. Requests in Chrome end when Tomcat stops.
>>>>>
>>>>> I'm not very inspired by this issue and actually trying to find 
>>>>> inspiration in JMX and log files but nothing pops up.
>>>>>
>>>>> Does someone have an idea?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Stephane


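As an added example (Python with the standard-library sqlite3 module; not code from this thread and not the JDBC type 3 setup Stephane describes), this reproduces the failure mode Chris diagnoses and the two mitigations he suggests: one session holds a write transaction open without committing, a second writer uses a bounded lock-wait timeout so it fails fast with an error instead of appearing frozen, and a `finally` always closes the connection so nothing leaks. The database file, the `orders` table and the 0.5 s lock wait are constructed for the demo; in a JDBC setup the equivalent knobs are the driver's query/lock timeout and pool checkout timeout.

```python
import os
import sqlite3
import tempfile
import time


def setup_db(path):
    """Create the demo table (constructed schema)."""
    conn = sqlite3.connect(path)
    try:
        conn.execute("CREATE TABLE IF NOT EXISTS orders (id INTEGER PRIMARY KEY, note TEXT)")
        conn.commit()
    finally:
        conn.close()


def attempt_write(path, note, timeout_s):
    """Try one INSERT with a bounded lock wait.

    Returns ("ok", elapsed_s) or ("timeout", elapsed_s). An API handler can
    turn "timeout" into a prompt error reply ("write failed after N ms")
    instead of leaving the client hanging while writes pile up behind it.
    """
    # sqlite3's timeout bounds how long the busy handler waits for the write
    # lock; it plays the role of the write timeout Chris recommends.
    conn = sqlite3.connect(path, timeout=timeout_s)
    started = time.monotonic()
    try:
        conn.execute("INSERT INTO orders (note) VALUES (?)", (note,))
        conn.commit()
        return ("ok", time.monotonic() - started)
    except sqlite3.OperationalError as exc:
        if "locked" not in str(exc):
            raise
        return ("timeout", time.monotonic() - started)
    finally:
        # Released on every path; leaving this out is the
        # "missing finally { Connection.close(); }" leak from the thread.
        conn.close()


def row_count(path):
    conn = sqlite3.connect(path)
    try:
        return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    finally:
        conn.close()


def demo(lock_wait_s=0.5):
    """Reproduce the freeze: a long uncommitted transaction vs. a fail-fast writer."""
    path = os.path.join(tempfile.mkdtemp(), "shop.db")
    setup_db(path)

    # Session A: someone starts writing and forgets to commit (or roll back).
    forgotten = sqlite3.connect(path)
    forgotten.execute("BEGIN IMMEDIATE")  # takes the write lock right away
    forgotten.execute("INSERT INTO orders (note) VALUES ('uncommitted work')")

    # Session B: the API's write, bounded by the lock-wait timeout. Without the
    # timeout this call would block for as long as session A stays open.
    while_blocked = attempt_write(path, "api write #1", timeout_s=lock_wait_s)

    # Session A finally commits; the same API write now succeeds immediately.
    forgotten.commit()
    forgotten.close()
    after_commit = attempt_write(path, "api write #2", timeout_s=lock_wait_s)

    return {"while_blocked": while_blocked, "after_commit": after_commit,
            "rows": row_count(path)}


if __name__ == "__main__":
    print(demo())
```

Running it shows the first API write returning `("timeout", ~0.5)` rather than hanging, and the second returning `("ok", ...)` once the forgotten transaction commits; the table ends with two rows, the forgotten session's and the second API write's. The point to carry over to the Tomcat side is that the timeout turns an invisible stall into an observable, loggable error, which is also what makes the root cause (the other group's open transactions) visible in the first place.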