Re: Basic SSL Certificate Usage logging

[Mark Thomas]

On 16/02/2023 16:44, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark!

Thanks so much. Please provide the sample code. :-)


https://people.apache.org/~markt/dev/custom-certificate-debug-logs.txt

Enjoy.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Basic SSL Certificate Usage logging

[jonmcalexander]

Hi Mark!

Thanks so much. Please provide the sample code. :-)

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

> -Original Message-
> From: Mark Thomas 
> Sent: Thursday, February 16, 2023 8:09 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 15/02/2023 23:03, Mark Thomas wrote:
> > On 15/02/2023 22:56, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >> They also had this question.
> >>
> >> There seems to be no need to print both TEXT and HEX representations,
> >> like below (just HEX string should be fine):
> >> KeyIdentifier [
> >> : CD 35 CB AD 62 91 65 C4   C5 46 C8 C3 0A C7 D3 57
> >> .5..b.e..F.W
> >> 0010: 43 46 E8 FD    CF..
> >> ]
> >
> > That is just the way the toString() is written. Short of rewriting the
> > toString() method (which I am trying to avoid) I don't see a way to
> > address that.
> 
> I ended up with the following:
> 
> SHA-1 and SHA-256 fingerprints included before the main certificate info and
> X509Certificate.toString() used to provide the certificate info.
> 
> I looked at rewriting the toString() but it would require a lot of effort (and
> volume of code).
> 
> Given that different folks may want slightly different output, I opted to make
> it easier for folks to write and use custom endpoints. If you want to
> customise the output it is relatively simple to do. You need:
> - a custom endpoint
>- extends existing endpoint
>- override logCertificate() and/or generateCertificateDebug()
> - a custom protocol
>- extends matching protocol for endpoint
>- no-arg constructor needs to call super constructor with custom
>  endpoint
> 
> and you shouldn't need to recompile to move between Tomcat point
> releases.
> 
> I can provide sample code if anyone wants to try this themselves and isn't
> sure where to start.
> 
> Mark
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Basic SSL Certificate Usage logging

[Mark Thomas]

On 15/02/2023 23:03, Mark Thomas wrote:

On 15/02/2023 22:56, jonmcalexan...@wellsfargo.com.INVALID wrote:

They also had this question.

There seems to be no need to print both TEXT and HEX representations, 
like below (just HEX string should be fine):

KeyIdentifier [
: CD 35 CB AD 62 91 65 C4   C5 46 C8 C3 0A C7 D3 57  .5..b.e..F.W
0010: 43 46 E8 FD    CF..
]


That is just the way the toString() is written. Short of rewriting the 
toString() method (which I am trying to avoid) I don't see a way to 
address that.


I ended up with the following:

SHA-1 and SHA-256 fingerprints included before the main certificate info
and X509Certificate.toString() used to provide the certificate info.

I looked at rewriting the toString() but it would require a lot of 
effort (and volume of code).


Given that different folks may want slightly different output, I opted 
to make it easier for folks to write and use custom endpoints. If you 
want to customise the output it is relatively simple to do. You need:

- a custom endpoint
  - extends existing endpoint
  - override logCertificate() and/or generateCertificateDebug()
- a custom protocol
  - extends matching protocol for endpoint
  - no-arg constructor needs to call super constructor with custom
endpoint

and you shouldn't need to recompile to move between Tomcat point releases.

I can provide sample code if anyone wants to try this themselves and 
isn't sure where to start.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Basic SSL Certificate Usage logging

[Mark Thomas]

On 15/02/2023 22:56, jonmcalexan...@wellsfargo.com.INVALID wrote:

They also had this question.

There seems to be no need to print both TEXT and HEX representations, like 
below (just HEX string should be fine):
KeyIdentifier [
: CD 35 CB AD 62 91 65 C4   C5 46 C8 C3 0A C7 D3 57  .5..b.e..F.W
0010: 43 46 E8 FDCF..
]


That is just the way the toString() is written. Short of rewriting the 
toString() method (which I am trying to avoid) I don't see a way to 
address that.


Mark




Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.



-Original Message-
From: Mark Thomas 
Sent: Wednesday, February 15, 2023 4:48 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

On 15/02/2023 22:17, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark,

I got a big thumbs up from our team here. They did have 2 questions and of

course you can just tell us to go pound sand.


1. Can this be printed in JSON format, for easier parsing?  (or even
make it a config parameter – PLAIN / JSON / XML)


Not without (a lot?) more work. Currently the code just does cert.toString().


2. Is it possible to calculate and print the 2 default types of fingerprints 
that

modern browsers are showing (FingerprintSHA1, FingerprintSHA256)?

I should be able to do something for those. My preference would be to
provide the SHA256 fingerprint.

Mark



As always THANK YOU!!!

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you

are not the addressee or authorized to receive this for the addressee, you
must not use, copy, disclose, or take any action based on this message or any
information herein. If you have received this message in error, please advise
the sender immediately by reply e-mail and delete this message. Thank you
for your cooperation.




-Original Message-
From: Mark Thomas 
Sent: Wednesday, February 15, 2023 2:17 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

On 10/02/2023 15:42, jonmcalexan...@wellsfargo.com.INVALID wrote:

Once again, Awesome Possum! You guys are the greatest!


How about this? (uses the simple toString() approach)



https://urldefense.com/v3/__https://people.apache.org/*markt/dev/cert

-
log-example.txt__;fg!!F9svGWnIaVPGSwU!uvbdRvGWKQQygFGij7jlX-
q_mdwzXNByljOdBPrOr5VF-mFiUrnmqaOMqACrbIcgMh-
fWzFlGBMzOf44iZI7_A$

Enabled with:

org.apache.tomcat.util.net.NioEndpoint.certificate.level = ALL

in logging.properties

(I tried pasting in-line but the line breaks in email mess up the
formatting)

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Basic SSL Certificate Usage logging

[jonmcalexander]

Clarification:

was:
KeyIdentifier [
: CD 35 CB AD 62 91 65 C4   C5 46 C8 C3 0A C7 D3 57  .5..b.e..F.W
0010: 43 46 E8 FDCF..
]

should be:
CD35CBAD629165C4C546C8C30AC7D3574346E8FD

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: jonmcalexan...@wellsfargo.com.INVALID
> 
> Sent: Wednesday, February 15, 2023 4:57 PM
> To: users@tomcat.apache.org
> Subject: RE: Basic SSL Certificate Usage logging
> 
> They also had this question.
> 
> There seems to be no need to print both TEXT and HEX representations, like
> below (just HEX string should be fine):
> KeyIdentifier [
> : CD 35 CB AD 62 91 65 C4   C5 46 C8 C3 0A C7 D3 57  .5..b.e..F.W
> 0010: 43 46 E8 FDCF..
> ]
> 
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
> 
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> 
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
> 
> jonmcalexan...@wellsfargo.com
> This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> 
> 
> > -Original Message-----
> > From: Mark Thomas 
> > Sent: Wednesday, February 15, 2023 4:48 PM
> > To: users@tomcat.apache.org
> > Subject: Re: Basic SSL Certificate Usage logging
> >
> > On 15/02/2023 22:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > > Hi Mark,
> > >
> > > I got a big thumbs up from our team here. They did have 2 questions
> > > and of
> > course you can just tell us to go pound sand.
> > >
> > > 1. Can this be printed in JSON format, for easier parsing?  (or even
> > > make it a config parameter – PLAIN / JSON / XML)
> >
> > Not without (a lot?) more work. Currently the code just does
> cert.toString().
> >
> > > 2. Is it possible to calculate and print the 2 default types of
> > > fingerprints that
> > modern browsers are showing (FingerprintSHA1, FingerprintSHA256)?
> >
> > I should be able to do something for those. My preference would be to
> > provide the SHA256 fingerprint.
> >
> > Mark
> >
> > >
> > > As always THANK YOU!!!
> > >
> > > Dream * Excel * Explore * Inspire
> > > Jon McAlexander
> > > Senior Infrastructure Engineer
> > > Asst. Vice President
> > > He/His
> > >
> > > Middleware Product Engineering
> > > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> > >
> > > 8080 Cobblestone Rd | Urbandale, IA 50322
> > > MAC: F4469-010
> > > Tel 515-988-2508 | Cell 515-988-2508
> > >
> > > jonmcalexan...@wellsfargo.com
> > > This message may contain confidential and/or privileged information.
> > > If you
> > are not the addressee or authorized to receive this for the addressee,
> > you must not use, copy, disclose, or take any action based on this
> > message or any information herein. If you have received this message
> > in error, please advise the sender immediately by reply e-mail and
> > delete this message. Thank you for your cooperation.
> > >
> > >
> > >> -Original Message-
> > >> From: Mark Thomas 
> > >> Sent: Wednesday, February 15, 2023 2:17 PM
> > >> To: users@tomcat.apache.org
> > >> Subject: Re: Basic SSL Certificate Usage logging
> > >>
> > >> On 10/02/2023 15:42, jonmcalexan...@wellsfargo.com

RE: Basic SSL Certificate Usage logging

[jonmcalexander]

They also had this question.

There seems to be no need to print both TEXT and HEX representations, like 
below (just HEX string should be fine):
KeyIdentifier [
: CD 35 CB AD 62 91 65 C4   C5 46 C8 C3 0A C7 D3 57  .5..b.e..F.W
0010: 43 46 E8 FDCF..
]

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, February 15, 2023 4:48 PM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 15/02/2023 22:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Hi Mark,
> >
> > I got a big thumbs up from our team here. They did have 2 questions and of
> course you can just tell us to go pound sand.
> >
> > 1. Can this be printed in JSON format, for easier parsing?  (or even
> > make it a config parameter – PLAIN / JSON / XML)
> 
> Not without (a lot?) more work. Currently the code just does cert.toString().
> 
> > 2. Is it possible to calculate and print the 2 default types of 
> > fingerprints that
> modern browsers are showing (FingerprintSHA1, FingerprintSHA256)?
> 
> I should be able to do something for those. My preference would be to
> provide the SHA256 fingerprint.
> 
> Mark
> 
> >
> > As always THANK YOU!!!
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >
> >> -Original Message-
> >> From: Mark Thomas 
> >> Sent: Wednesday, February 15, 2023 2:17 PM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> On 10/02/2023 15:42, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> Once again, Awesome Possum! You guys are the greatest!
> >>
> >> How about this? (uses the simple toString() approach)
> >>
> >>
> https://urldefense.com/v3/__https://people.apache.org/*markt/dev/cert
> >> -
> >> log-example.txt__;fg!!F9svGWnIaVPGSwU!uvbdRvGWKQQygFGij7jlX-
> >> q_mdwzXNByljOdBPrOr5VF-mFiUrnmqaOMqACrbIcgMh-
> >> fWzFlGBMzOf44iZI7_A$
> >>
> >> Enabled with:
> >>
> >> org.apache.tomcat.util.net.NioEndpoint.certificate.level = ALL
> >>
> >> in logging.properties
> >>
> >> (I tried pasting in-line but the line breaks in email mess up the
> >> formatting)
> >>
> >> Mark
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Basic SSL Certificate Usage logging

[Mark Thomas]

On 15/02/2023 22:17, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark,

I got a big thumbs up from our team here. They did have 2 questions and of 
course you can just tell us to go pound sand.

1. Can this be printed in JSON format, for easier parsing?  (or even make it a 
config parameter – PLAIN / JSON / XML)


Not without (a lot?) more work. Currently the code just does 
cert.toString().



2. Is it possible to calculate and print the 2 default types of fingerprints 
that modern browsers are showing (FingerprintSHA1, FingerprintSHA256)?


I should be able to do something for those. My preference would be to 
provide the SHA256 fingerprint.


Mark



As always THANK YOU!!!

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.



-Original Message-
From: Mark Thomas 
Sent: Wednesday, February 15, 2023 2:17 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

On 10/02/2023 15:42, jonmcalexan...@wellsfargo.com.INVALID wrote:

Once again, Awesome Possum! You guys are the greatest!


How about this? (uses the simple toString() approach)

https://urldefense.com/v3/__https://people.apache.org/*markt/dev/cert-
log-example.txt__;fg!!F9svGWnIaVPGSwU!uvbdRvGWKQQygFGij7jlX-
q_mdwzXNByljOdBPrOr5VF-mFiUrnmqaOMqACrbIcgMh-
fWzFlGBMzOf44iZI7_A$

Enabled with:

org.apache.tomcat.util.net.NioEndpoint.certificate.level = ALL

in logging.properties

(I tried pasting in-line but the line breaks in email mess up the
formatting)

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Basic SSL Certificate Usage logging

[jonmcalexander]

Hi Mark,

I got a big thumbs up from our team here. They did have 2 questions and of 
course you can just tell us to go pound sand.

1. Can this be printed in JSON format, for easier parsing?  (or even make it a 
config parameter – PLAIN / JSON / XML)
2. Is it possible to calculate and print the 2 default types of fingerprints 
that modern browsers are showing (FingerprintSHA1, FingerprintSHA256)?

As always THANK YOU!!!

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, February 15, 2023 2:17 PM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 10/02/2023 15:42, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Once again, Awesome Possum! You guys are the greatest!
> 
> How about this? (uses the simple toString() approach)
> 
> https://urldefense.com/v3/__https://people.apache.org/*markt/dev/cert-
> log-example.txt__;fg!!F9svGWnIaVPGSwU!uvbdRvGWKQQygFGij7jlX-
> q_mdwzXNByljOdBPrOr5VF-mFiUrnmqaOMqACrbIcgMh-
> fWzFlGBMzOf44iZI7_A$
> 
> Enabled with:
> 
> org.apache.tomcat.util.net.NioEndpoint.certificate.level = ALL
> 
> in logging.properties
> 
> (I tried pasting in-line but the line breaks in email mess up the
> formatting)
> 
> Mark
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Basic SSL Certificate Usage logging

[jonmcalexander]

Thanks Mark. I'm checking with the requestor on my end.

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, February 15, 2023 2:17 PM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 10/02/2023 15:42, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Once again, Awesome Possum! You guys are the greatest!
> 
> How about this? (uses the simple toString() approach)
> 
> https://urldefense.com/v3/__https://people.apache.org/*markt/dev/cert-
> log-example.txt__;fg!!F9svGWnIaVPGSwU!uvbdRvGWKQQygFGij7jlX-
> q_mdwzXNByljOdBPrOr5VF-mFiUrnmqaOMqACrbIcgMh-
> fWzFlGBMzOf44iZI7_A$
> 
> Enabled with:
> 
> org.apache.tomcat.util.net.NioEndpoint.certificate.level = ALL
> 
> in logging.properties
> 
> (I tried pasting in-line but the line breaks in email mess up the
> formatting)
> 
> Mark
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Basic SSL Certificate Usage logging

[Mark Thomas]

On 10/02/2023 15:42, jonmcalexan...@wellsfargo.com.INVALID wrote:

Once again, Awesome Possum! You guys are the greatest!


How about this? (uses the simple toString() approach)

https://people.apache.org/~markt/dev/cert-log-example.txt

Enabled with:

org.apache.tomcat.util.net.NioEndpoint.certificate.level = ALL

in logging.properties

(I tried pasting in-line but the line breaks in email mess up the 
formatting)


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Basic SSL Certificate Usage logging

[jonmcalexander]

Once again, Awesome Possum! You guys are the greatest!

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Friday, February 10, 2023 4:31 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 09/02/2023 19:49, Christopher Schultz wrote:
> > Jon,
> >
> > On 2/9/23 11:39, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >> My thinking is that the teams requesting that I look into if this is
> >> possible or not would prefer to be able to get the more detailed
> >> information if possible. How much extra work is required to have a
> >> dedicated logger for it, as well as keeping the current message in
> >> the current logging?
> > It shouldn't be that much work, but it is a lot of output.
> 
> +1
> 
> > Mark, isn't this already a dedicated logger?
> >
> > org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> 
> Unfortunately not. That is the method name.
> 
> > +1 to using the log-level as the arbiter for, well, how much logging
> > +to
> > do. :)
> 
> :)
> 
> I'll try and get this done in time for the next release round.
> 
> Mark
> 
> >
> > -chris
> >
> >>> -Original Message-
> >>> From: Mark Thomas 
> >>> Sent: Thursday, February 9, 2023 3:24 AM
> >>> To: users@tomcat.apache.org
> >>> Subject: Re: Basic SSL Certificate Usage logging
> >>>
> >>> Hi Jon,
> >>>
> >>> The current message looks like this:
> >>>
> >>> 09-Feb-2023 09:09:53.939 INFO [main]
> >>> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector
> >>> [https-
> >>> jsse-nio-8443], TLS virtual host [_default_], certificate type [RSA]
> >>> configured from [conf/localhost-rsa.jks] using alias [tomcat] and
> >>> with trust store [null]
> >>>
> >>> The intention is to make clear, for each configured server
> >>> certificate, which configuration files are being used. The idea
> >>> being that you can then examine the relevant files if there is an
> >>> issue.
> >>>
> >>> There is a balance to strike in terms of providing useful detail and
> >>> providing too much detail in the default logs. Everything below
> >>> feels like too much detail.
> >>>
> >>> One option would be to switch this message to a dedicated logger and
> >>> then provide more/all details if debug logging is enabled. Moving
> >>> this to a dedicated logger would allow debug logging to be enabled
> >>> for that logger without changing the logging for the entire
> >>> endpoint.
> >>>
> >>> Mark
> >>>
> >>>
> >>> On 08/02/2023 18:36, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>>> Hi Mark,
> >>>>
> >>>> As a follow-up, some of my compatriots are asking if we can get all
> >>>> or some
> >>> of these details in the log as well? Wanted to ask early if possible.
> >>>>
> >>>> •    Subject
> >>>> o    Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells
> >>> Fargo,C=US
> >>>> o    Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US
> o    Ex:
> >>>> CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells
> >>> Fargo,C=US
> >>>> •    SAN (aka Subject Alternative Names) o    Ex:
> >>>> DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com
> >>>> o    Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com;
> >>>> o    Ex:
> >>>
> EMAIL:some.n...@wellsfargo.com;EMAIL:some.name@wellsfargo.com
> >>>> •    Issuer
> >>>> o    Ex: CN=Wells Fargo Enterprise Certification Authority 05-2
> >>> G2,OU=Wells Fargo 

Re: Basic SSL Certificate Usage logging

[Mark Thomas]

On 09/02/2023 19:49, Christopher Schultz wrote:

Jon,

On 2/9/23 11:39, jonmcalexan...@wellsfargo.com.INVALID wrote:

My thinking is that the teams requesting that I look into if this is
possible or not would prefer to be able to get the more detailed
information if possible. How much extra work is required to have a
dedicated logger for it, as well as keeping the current message in
the current logging?

It shouldn't be that much work, but it is a lot of output.


+1


Mark, isn't this already a dedicated logger?

org.apache.tomcat.util.net.AbstractEndpoint.logCertificate


Unfortunately not. That is the method name.

+1 to using the log-level as the arbiter for, well, how much logging to 
do. :)


:)

I'll try and get this done in time for the next release round.

Mark



-chris


-Original Message-
From: Mark Thomas 
Sent: Thursday, February 9, 2023 3:24 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Hi Jon,

The current message looks like this:

09-Feb-2023 09:09:53.939 INFO [main]
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector 
[https-
jsse-nio-8443], TLS virtual host [_default_], certificate type [RSA] 
configured
from [conf/localhost-rsa.jks] using alias [tomcat] and with trust 
store [null]


The intention is to make clear, for each configured server 
certificate, which
configuration files are being used. The idea being that you can then 
examine

the relevant files if there is an issue.

There is a balance to strike in terms of providing useful detail and 
providing
too much detail in the default logs. Everything below feels like too 
much

detail.

One option would be to switch this message to a dedicated logger and 
then

provide more/all details if debug logging is enabled. Moving this to a
dedicated logger would allow debug logging to be enabled for that logger
without changing the logging for the entire endpoint.

Mark


On 08/02/2023 18:36, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark,

As a follow-up, some of my compatriots are asking if we can get all 
or some

of these details in the log as well? Wanted to ask early if possible.


•    Subject
o    Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells

Fargo,C=US

o    Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US
o    Ex: CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells

Fargo,C=US

•    SAN (aka Subject Alternative Names)
o    Ex: DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com
o    Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com;
o    Ex:

EMAIL:some.n...@wellsfargo.com;EMAIL:some.name@wellsfargo.com

•    Issuer
o    Ex: CN=Wells Fargo Enterprise Certification Authority 05-2

G2,OU=Wells Fargo Certification Authorities,O=Wells Fargo,C=US

•    ValidFrom (aka NotBefore)
o    Ex: 2022-05-18T05:09:27Z
•    ValidTo (aka NotAfter)
o    Ex: 2024-05-17T05:09:27Z
•    KeyUsage
o    Ex: Digital Signature, Key Encipherment, Data Encipherment
•    KeyUsageExtended
o    Ex: Client Authentication (1.3.6.1.5.5.7.3.2), Server 
Authentication

(1.3.6.1.5.5.7.3.1)

•    SerialNumber
o    Ex: 6a0006e41935f80460711c1876e419
•    FingerprintSHA1 (aka Thumbprint)
o    Ex: 679323d7dcc9307d8696a88e0f1a8d4069a412b6
•    FingerprintSHA256
o    Ex:

DC5044B2E6A173CB2B05CEE54AA5B185DD6D4A341DC36B3CCB0DC99782DD4
E41

•    PublicKeyAlgo
o    Ex: RSA
o    Ex: ECDSA
•    PublicKeySize
o    Ex: 2048
o    Ex: P-256

Thank you,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. 
If you
are not the addressee or authorized to receive this for the 
addressee, you
must not use, copy, disclose, or take any action based on this 
message or any
information herein. If you have received this message in error, 
please advise
the sender immediately by reply e-mail and delete this message. Thank 
you

for your cooperation.




-Original Message-
From: Mark Thomas 
Sent: Wednesday, February 8, 2023 10:37 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark,

So, is this something that can/will be added in the future? I tested
my

thought of setting the java logging.properties to a specific file in
the command line but it didn't do what I had hoped.

Already added. Will be in the next round of releases.

Mark




Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan

Re: Basic SSL Certificate Usage logging

[Christopher Schultz]

Jon,

On 2/9/23 11:39, jonmcalexan...@wellsfargo.com.INVALID wrote:

My thinking is that the teams requesting that I look into if this is
possible or not would prefer to be able to get the more detailed
information if possible. How much extra work is required to have a
dedicated logger for it, as well as keeping the current message in
the current logging?

It shouldn't be that much work, but it is a lot of output.

Mark, isn't this already a dedicated logger?

org.apache.tomcat.util.net.AbstractEndpoint.logCertificate

+1 to using the log-level as the arbiter for, well, how much logging to 
do. :)


-chris


-Original Message-
From: Mark Thomas 
Sent: Thursday, February 9, 2023 3:24 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Hi Jon,

The current message looks like this:

09-Feb-2023 09:09:53.939 INFO [main]
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-
jsse-nio-8443], TLS virtual host [_default_], certificate type [RSA] configured
from [conf/localhost-rsa.jks] using alias [tomcat] and with trust store [null]

The intention is to make clear, for each configured server certificate, which
configuration files are being used. The idea being that you can then examine
the relevant files if there is an issue.

There is a balance to strike in terms of providing useful detail and providing
too much detail in the default logs. Everything below feels like too much
detail.

One option would be to switch this message to a dedicated logger and then
provide more/all details if debug logging is enabled. Moving this to a
dedicated logger would allow debug logging to be enabled for that logger
without changing the logging for the entire endpoint.

Mark


On 08/02/2023 18:36, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark,

As a follow-up, some of my compatriots are asking if we can get all or some

of these details in the log as well? Wanted to ask early if possible.


•   Subject
o   Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells

Fargo,C=US

o   Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US
o   Ex: CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells

Fargo,C=US

•   SAN (aka Subject Alternative Names)
o   Ex: DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com
o   Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com;
o   Ex:

EMAIL:some.n...@wellsfargo.com;EMAIL:some.name@wellsfargo.com

•   Issuer
o   Ex: CN=Wells Fargo Enterprise Certification Authority 05-2

G2,OU=Wells Fargo Certification Authorities,O=Wells Fargo,C=US

•   ValidFrom (aka NotBefore)
o   Ex: 2022-05-18T05:09:27Z
•   ValidTo (aka NotAfter)
o   Ex: 2024-05-17T05:09:27Z
•   KeyUsage
o   Ex: Digital Signature, Key Encipherment, Data Encipherment
•   KeyUsageExtended
o   Ex: Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication

(1.3.6.1.5.5.7.3.1)

•   SerialNumber
o   Ex: 6a0006e41935f80460711c1876e419
•   FingerprintSHA1 (aka Thumbprint)
o   Ex: 679323d7dcc9307d8696a88e0f1a8d4069a412b6
•   FingerprintSHA256
o   Ex:

DC5044B2E6A173CB2B05CEE54AA5B185DD6D4A341DC36B3CCB0DC99782DD4
E41

•   PublicKeyAlgo
o   Ex: RSA
o   Ex: ECDSA
•   PublicKeySize
o   Ex: 2048
o   Ex: P-256

Thank you,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you

are not the addressee or authorized to receive this for the addressee, you
must not use, copy, disclose, or take any action based on this message or any
information herein. If you have received this message in error, please advise
the sender immediately by reply e-mail and delete this message. Thank you
for your cooperation.




-Original Message-
From: Mark Thomas 
Sent: Wednesday, February 8, 2023 10:37 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark,

So, is this something that can/will be added in the future? I tested
my

thought of setting the java logging.properties to a specific file in
the command line but it didn't do what I had hoped.

Already added. Will be in the next round of releases.

Mark




Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information.
If you

RE: Basic SSL Certificate Usage logging

[jonmcalexander]

Hi Mark,

My thinking is that the teams requesting that I look into if this is possible 
or not would prefer to be able to get the more detailed information if 
possible. How much extra work is required to have a dedicated logger for it, as 
well as keeping the current message in the current logging?

Thanks again for everything!

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

> -Original Message-
> From: Mark Thomas 
> Sent: Thursday, February 9, 2023 3:24 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> Hi Jon,
> 
> The current message looks like this:
> 
> 09-Feb-2023 09:09:53.939 INFO [main]
> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-
> jsse-nio-8443], TLS virtual host [_default_], certificate type [RSA] 
> configured
> from [conf/localhost-rsa.jks] using alias [tomcat] and with trust store [null]
> 
> The intention is to make clear, for each configured server certificate, which
> configuration files are being used. The idea being that you can then examine
> the relevant files if there is an issue.
> 
> There is a balance to strike in terms of providing useful detail and providing
> too much detail in the default logs. Everything below feels like too much
> detail.
> 
> One option would be to switch this message to a dedicated logger and then
> provide more/all details if debug logging is enabled. Moving this to a
> dedicated logger would allow debug logging to be enabled for that logger
> without changing the logging for the entire endpoint.
> 
> Mark
> 
> 
> On 08/02/2023 18:36, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Hi Mark,
> >
> > As a follow-up, some of my compatriots are asking if we can get all or some
> of these details in the log as well? Wanted to ask early if possible.
> >
> > •   Subject
> > o   Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells
> Fargo,C=US
> > o   Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US
> > o   Ex: CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells
> Fargo,C=US
> > •   SAN (aka Subject Alternative Names)
> > o   Ex: DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com
> > o   Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com;
> > o   Ex:
> EMAIL:some.n...@wellsfargo.com;EMAIL:some.name@wellsfargo.com
> > •   Issuer
> > o   Ex: CN=Wells Fargo Enterprise Certification Authority 05-2
> G2,OU=Wells Fargo Certification Authorities,O=Wells Fargo,C=US
> > •   ValidFrom (aka NotBefore)
> > o   Ex: 2022-05-18T05:09:27Z
> > •   ValidTo (aka NotAfter)
> > o   Ex: 2024-05-17T05:09:27Z
> > •   KeyUsage
> > o   Ex: Digital Signature, Key Encipherment, Data Encipherment
> > •   KeyUsageExtended
> > o   Ex: Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication
> (1.3.6.1.5.5.7.3.1)
> > •   SerialNumber
> > o   Ex: 6a0006e41935f80460711c1876e419
> > •   FingerprintSHA1 (aka Thumbprint)
> > o   Ex: 679323d7dcc9307d8696a88e0f1a8d4069a412b6
> > •   FingerprintSHA256
> > o   Ex:
> DC5044B2E6A173CB2B05CEE54AA5B185DD6D4A341DC36B3CCB0DC99782DD4
> E41
> > •   PublicKeyAlgo
> > o   Ex: RSA
> > o   Ex: ECDSA
> > •   PublicKeySize
> > o   Ex: 2048
> > o   Ex: P-256
> >
> > Thank you,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in 

Re: Basic SSL Certificate Usage logging

[Mark Thomas]

Hi Jon,

The current message looks like this:

09-Feb-2023 09:09:53.939 INFO [main] 
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector 
[https-jsse-nio-8443], TLS virtual host [_default_], certificate type 
[RSA] configured from [conf/localhost-rsa.jks] using alias [tomcat] and 
with trust store [null]


The intention is to make clear, for each configured server certificate, 
which configuration files are being used. The idea being that you can 
then examine the relevant files if there is an issue.


There is a balance to strike in terms of providing useful detail and 
providing too much detail in the default logs. Everything below feels 
like too much detail.


One option would be to switch this message to a dedicated logger and 
then provide more/all details if debug logging is enabled. Moving this 
to a dedicated logger would allow debug logging to be enabled for that 
logger without changing the logging for the entire endpoint.


Mark


On 08/02/2023 18:36, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark,

As a follow-up, some of my compatriots are asking if we can get all or some of 
these details in the log as well? Wanted to ask early if possible.

•   Subject
o   Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells Fargo,C=US
o   Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US
o   Ex: CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells Fargo,C=US
•   SAN (aka Subject Alternative Names)
o   Ex: DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com
o   Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com;
o   Ex: EMAIL:some.n...@wellsfargo.com;EMAIL:some.name@wellsfargo.com
•   Issuer
o   Ex: CN=Wells Fargo Enterprise Certification Authority 05-2 G2,OU=Wells 
Fargo Certification Authorities,O=Wells Fargo,C=US
•   ValidFrom (aka NotBefore)
o   Ex: 2022-05-18T05:09:27Z
•   ValidTo (aka NotAfter)
o   Ex: 2024-05-17T05:09:27Z
•   KeyUsage
o   Ex: Digital Signature, Key Encipherment, Data Encipherment
•   KeyUsageExtended
o   Ex: Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication 
(1.3.6.1.5.5.7.3.1)
•   SerialNumber
o   Ex: 6a0006e41935f80460711c1876e419
•   FingerprintSHA1 (aka Thumbprint)
o   Ex: 679323d7dcc9307d8696a88e0f1a8d4069a412b6
•   FingerprintSHA256
o   Ex: DC5044B2E6A173CB2B05CEE54AA5B185DD6D4A341DC36B3CCB0DC99782DD4E41
•   PublicKeyAlgo
o   Ex: RSA
o   Ex: ECDSA
•   PublicKeySize
o   Ex: 2048
o   Ex: P-256

Thank you,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.



-Original Message-
From: Mark Thomas 
Sent: Wednesday, February 8, 2023 10:37 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark,

So, is this something that can/will be added in the future? I tested my

thought of setting the java logging.properties to a specific file in the
command line but it didn't do what I had hoped.

Already added. Will be in the next round of releases.

Mark




Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you

are not the addressee or authorized to receive this for the addressee, you
must not use, copy, disclose, or take any action based on this message or any
information herein. If you have received this message in error, please advise
the sender immediately by reply e-mail and delete this message. Thank you
for your cooperation.




-Original Message-
From: Mark Thomas 
Sent: Tuesday, January 10, 2023 8:23 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

On 10/01/2023 13:52, Christopher Schultz wrote:

Jon,

On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:

Yes Chris, It's just for during startup. For a particular instance
I would like to capture the Certificate Info and Truststore being
used and pipe that into a separate log/txt

RE: Basic SSL Certificate Usage logging

[jonmcalexander]

Hi Mark,

As a follow-up, some of my compatriots are asking if we can get all or some of 
these details in the log as well? Wanted to ask early if possible.

•   Subject 
o   Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells Fargo,C=US
o   Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US
o   Ex: CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells Fargo,C=US
•   SAN (aka Subject Alternative Names)
o   Ex: DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com
o   Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com;
o   Ex: EMAIL:some.n...@wellsfargo.com;EMAIL:some.name@wellsfargo.com
•   Issuer
o   Ex: CN=Wells Fargo Enterprise Certification Authority 05-2 G2,OU=Wells 
Fargo Certification Authorities,O=Wells Fargo,C=US
•   ValidFrom (aka NotBefore)
o   Ex: 2022-05-18T05:09:27Z
•   ValidTo (aka NotAfter)
o   Ex: 2024-05-17T05:09:27Z
•   KeyUsage
o   Ex: Digital Signature, Key Encipherment, Data Encipherment
•   KeyUsageExtended
o   Ex: Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication 
(1.3.6.1.5.5.7.3.1)
•   SerialNumber
o   Ex: 6a0006e41935f80460711c1876e419
•   FingerprintSHA1 (aka Thumbprint)
o   Ex: 679323d7dcc9307d8696a88e0f1a8d4069a412b6
•   FingerprintSHA256
o   Ex: DC5044B2E6A173CB2B05CEE54AA5B185DD6D4A341DC36B3CCB0DC99782DD4E41
 
•   PublicKeyAlgo
o   Ex: RSA
o   Ex: ECDSA
•   PublicKeySize
o   Ex: 2048
o   Ex: P-256

Thank you,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, February 8, 2023 10:37 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Hi Mark,
> >
> > So, is this something that can/will be added in the future? I tested my
> thought of setting the java logging.properties to a specific file in the
> command line but it didn't do what I had hoped.
> 
> Already added. Will be in the next round of releases.
> 
> Mark
> 
> 
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >
> >> -Original Message-
> >> From: Mark Thomas 
> >> Sent: Tuesday, January 10, 2023 8:23 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> On 10/01/2023 13:52, Christopher Schultz wrote:
> >>> Jon,
> >>>
> >>> On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>>> Yes Chris, It's just for during startup. For a particular instance
> >>>> I would like to capture the Certificate Info and Truststore being
> >>>> used and pipe that into a separate log/txt file.
> >>> So it sounds like just dumping-out the configured certificates, etc.
> >>> to something like the debug log from Connector or SSLHostConfig or
> >>> similar would work?
> >>>
> >>> Or would you want that information available to the application so
> >>> you can log it in some very specific way? Note that you can already
> >>> get the SSLHostConfig info via JMX if you are willing to do that.
> >&g

RE: Basic SSL Certificate Usage logging

[jonmcalexander]

And thank you!

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, February 8, 2023 10:37 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Hi Mark,
> >
> > So, is this something that can/will be added in the future? I tested my
> thought of setting the java logging.properties to a specific file in the
> command line but it didn't do what I had hoped.
> 
> Already added. Will be in the next round of releases.
> 
> Mark
> 
> 
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >
> >> -Original Message-
> >> From: Mark Thomas 
> >> Sent: Tuesday, January 10, 2023 8:23 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> On 10/01/2023 13:52, Christopher Schultz wrote:
> >>> Jon,
> >>>
> >>> On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>>> Yes Chris, It's just for during startup. For a particular instance
> >>>> I would like to capture the Certificate Info and Truststore being
> >>>> used and pipe that into a separate log/txt file.
> >>> So it sounds like just dumping-out the configured certificates, etc.
> >>> to something like the debug log from Connector or SSLHostConfig or
> >>> similar would work?
> >>>
> >>> Or would you want that information available to the application so
> >>> you can log it in some very specific way? Note that you can already
> >>> get the SSLHostConfig info via JMX if you are willing to do that.
> >>
> >> How about something like this:
> >>
> >> 10-Jan-2023 14:21:07.951 INFO [main]
> >> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> >> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type
> >> [RSA] configured from [conf/localhost-rsa.jks] using alias [null] and
> >> with trust store [null]
> >>
> >> ?
> >>
> >> Mark
> >>
> >>>
> >>> -chris
> >>>
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Dream * Excel * Explore * Inspire
> >>>> Jon McAlexander
> >>>> Senior Infrastructure Engineer
> >>>> Asst. Vice President
> >>>> He/His
> >>>>
> >>>> Middleware Product Engineering
> >>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>
> >>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>> MAC: F4469-010
> >>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>
> >>>> jonmcalexan...@wellsfargo.com
> >>>> This message may contain confidential and/or privileged information.
> >>>> If you are not the addressee or authorized to receive this for the
> >>>> addressee, you must not use, copy, disclose, or take any action
> 

RE: Basic SSL Certificate Usage logging

[jonmcalexander]

Awesome Possum Boss!!!

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, February 8, 2023 10:37 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Hi Mark,
> >
> > So, is this something that can/will be added in the future? I tested my
> thought of setting the java logging.properties to a specific file in the
> command line but it didn't do what I had hoped.
> 
> Already added. Will be in the next round of releases.
> 
> Mark
> 
> 
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >
> >> -Original Message-
> >> From: Mark Thomas 
> >> Sent: Tuesday, January 10, 2023 8:23 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> On 10/01/2023 13:52, Christopher Schultz wrote:
> >>> Jon,
> >>>
> >>> On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>>> Yes Chris, It's just for during startup. For a particular instance
> >>>> I would like to capture the Certificate Info and Truststore being
> >>>> used and pipe that into a separate log/txt file.
> >>> So it sounds like just dumping-out the configured certificates, etc.
> >>> to something like the debug log from Connector or SSLHostConfig or
> >>> similar would work?
> >>>
> >>> Or would you want that information available to the application so
> >>> you can log it in some very specific way? Note that you can already
> >>> get the SSLHostConfig info via JMX if you are willing to do that.
> >>
> >> How about something like this:
> >>
> >> 10-Jan-2023 14:21:07.951 INFO [main]
> >> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> >> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type
> >> [RSA] configured from [conf/localhost-rsa.jks] using alias [null] and
> >> with trust store [null]
> >>
> >> ?
> >>
> >> Mark
> >>
> >>>
> >>> -chris
> >>>
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Dream * Excel * Explore * Inspire
> >>>> Jon McAlexander
> >>>> Senior Infrastructure Engineer
> >>>> Asst. Vice President
> >>>> He/His
> >>>>
> >>>> Middleware Product Engineering
> >>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>>
> >>>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>>> MAC: F4469-010
> >>>> Tel 515-988-2508 | Cell 515-988-2508
> >>>>
> >>>> jonmcalexan...@wellsfargo.com
> >>>> This message may contain confidential and/or privileged information.
> >>>> If you are not the addressee or authorized to receive this for the
> >>>> addressee, you must not use, copy, disclose, or take any ac

Re: Basic SSL Certificate Usage logging

[Mark Thomas]

On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark,

So, is this something that can/will be added in the future? I tested my thought 
of setting the java logging.properties to a specific file in the command line 
but it didn't do what I had hoped.


Already added. Will be in the next round of releases.

Mark




Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.



-Original Message-
From: Mark Thomas 
Sent: Tuesday, January 10, 2023 8:23 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

On 10/01/2023 13:52, Christopher Schultz wrote:

Jon,

On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:

Yes Chris, It's just for during startup. For a particular instance I
would like to capture the Certificate Info and Truststore being used
and pipe that into a separate log/txt file.

So it sounds like just dumping-out the configured certificates, etc.
to something like the debug log from Connector or SSLHostConfig or
similar would work?

Or would you want that information available to the application so you
can log it in some very specific way? Note that you can already get
the SSLHostConfig info via JMX if you are willing to do that.


How about something like this:

10-Jan-2023 14:21:07.951 INFO [main]
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
[https-jsse-nio-8443], TLS virtual host [_default_], Certificate type [RSA]
configured from [conf/localhost-rsa.jks] using alias [null] and with trust store
[null]

?

Mark



-chris



Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information.
If you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose, or take any action based
on this message or any information herein. If you have received this
message in error, please advise the sender immediately by reply
e-mail and delete this message. Thank you for your cooperation.


-Original Message-
From: Christopher Schultz 
Sent: Monday, January 9, 2023 8:10 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Jon,

On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:

Thanks for the info.

In a nutshell I think the certpath,provider would be sufficient.
I'm thinking that I can add this to the java options as
-Djava.security.debug=ssl:certpath,provider however I don't know
how to specify where to log the information.

java.security.debug is really a blunt instrument. It's unfortunate
that it's one of the only ways to get information out of the TLS
stack. It would have been great if Java had started using its own
logging system once it was introduced, but no.

That debugging tool always dumps to stdout (or stderr?) and you have
very little control over where it goes.

You would never want to use it for ongoing logging. It truly is for
debugging-
only.

The good news is that application code should be able to get the
information you are looking for.

Oh, wait...


[...] I'm checking to see if there is any out-of-the-box option to
capture in a log which SSL certificate and trust keystore is being
used during startup?

What do you mean "during startup"? I originally read that as "for
incoming connections" thinking that you wanted to log which cert was
used for a particular request. But it sounds like maybe you are
asking for something to just be logged one-time during startup?

-chris



Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information.
If you

are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose, or t

RE: Basic SSL Certificate Usage logging

[jonmcalexander]

Hi Mark,

So, is this something that can/will be added in the future? I tested my thought 
of setting the java logging.properties to a specific file in the command line 
but it didn't do what I had hoped.

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Tuesday, January 10, 2023 8:23 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 10/01/2023 13:52, Christopher Schultz wrote:
> > Jon,
> >
> > On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >> Yes Chris, It's just for during startup. For a particular instance I
> >> would like to capture the Certificate Info and Truststore being used
> >> and pipe that into a separate log/txt file.
> > So it sounds like just dumping-out the configured certificates, etc.
> > to something like the debug log from Connector or SSLHostConfig or
> > similar would work?
> >
> > Or would you want that information available to the application so you
> > can log it in some very specific way? Note that you can already get
> > the SSLHostConfig info via JMX if you are willing to do that.
> 
> How about something like this:
> 
> 10-Jan-2023 14:21:07.951 INFO [main]
> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type [RSA]
> configured from [conf/localhost-rsa.jks] using alias [null] and with trust 
> store
> [null]
> 
> ?
> 
> Mark
> 
> >
> > -chris
> >
> >>
> >> Thanks,
> >>
> >> Dream * Excel * Explore * Inspire
> >> Jon McAlexander
> >> Senior Infrastructure Engineer
> >> Asst. Vice President
> >> He/His
> >>
> >> Middleware Product Engineering
> >> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>
> >> 8080 Cobblestone Rd | Urbandale, IA 50322
> >> MAC: F4469-010
> >> Tel 515-988-2508 | Cell 515-988-2508
> >>
> >> jonmcalexan...@wellsfargo.com
> >> This message may contain confidential and/or privileged information.
> >> If you are not the addressee or authorized to receive this for the
> >> addressee, you must not use, copy, disclose, or take any action based
> >> on this message or any information herein. If you have received this
> >> message in error, please advise the sender immediately by reply
> >> e-mail and delete this message. Thank you for your cooperation.
> >>
> >>> -Original Message-
> >>> From: Christopher Schultz 
> >>> Sent: Monday, January 9, 2023 8:10 AM
> >>> To: users@tomcat.apache.org
> >>> Subject: Re: Basic SSL Certificate Usage logging
> >>>
> >>> Jon,
> >>>
> >>> On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>>> Thanks for the info.
> >>>>
> >>>> In a nutshell I think the certpath,provider would be sufficient.
> >>>> I'm thinking that I can add this to the java options as
> >>>> -Djava.security.debug=ssl:certpath,provider however I don't know
> >>>> how to specify where to log the information.
> >>> java.security.debug is really a blunt instrument. It's unfortunate
> >>> that it's one of the only ways to get information out of the TLS
> >>> stack. It would have been great if Java had started using its own
> >>> logging system once it was introduced, but no.
> >>>
> >>> That debugging tool always dumps to stdout (or stderr?) and you have
> >>> very little control over where it goes.
> >>>
> >>> You would never want to use it for ongoing logging. It truly is for
> >>> debugging-
> >>> only.
> >>>
> >>> The good news is that application code should be able to get the
> >>> information you ar

RE: Basic SSL Certificate Usage logging

[jonmcalexander]

:-) Christopher,

This is where my not being a developer really shines out. :-)

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, January 10, 2023 4:27 PM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> Jon,
> 
> On 1/10/23 13:37, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Ultimately it would be nice to be able to log it in Jason format for
> > ingestion by Elastic or something similar.
> If you want JSON-formatted logs, then configure JSON-formatted logs.
> JSON embedded in JSON is a little silly:
> 
> {
>"timestamp":"2023-01-10T22:24:00Z",
>"level":"INFO",
>"logger":"org.apache.tomcat.util.net.AbstractEndpoint.logCertificate"
> 
> "message":"{\"tlsVirtualHost\":\"_default_\",\"tlsCertificateType\":\"RSA\",
> ... }"
> }
> 
> Isn't this what logstash is for?
> 
> -chris
> 
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Tuesday, January 10, 2023 7:52 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> Jon,
> >>
> >> On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> Yes Chris, It's just for during startup. For a particular instance I
> >>> would like to capture the Certificate Info and Truststore being used
> >>> and pipe that into a separate log/txt file.
> >> So it sounds like just dumping-out the configured certificates, etc.
> >> to something like the debug log from Connector or SSLHostConfig or
> >> similar would work?
> >>
> >> Or would you want that information available to the application so
> >> you can log it in some very specific way? Note that you can already
> >> get the SSLHostConfig info via JMX if you are willing to do that.
> >>
> >> -chris
> >>
> >>>
> >>> Thanks,
> >>>
> >>> Dream * Excel * Explore * Inspire
> >>> Jon McAlexander
> >>> Senior Infrastructure Engineer
> >>> Asst. Vice President
> >>> He/His
> >>>
> >>> Middleware Product Engineering
> >>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>
> >>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>> MAC: F4469-010
> >>> Tel 515-988-2508 | Cell 515-988-2508
> >>>
> >>> jonmcalexan...@wellsfargo.com
> >>> This message may contain confidential and/or privileged information.
> >>> If you
> >> are not the addressee or authorized to receive this for the
> >> addressee, you must not use, copy, disclose, or take any action based
> >> on this message or any information herein. If you have received this
> >> message in error, please advise the sender immediately by reply
> >> e-mail and delete this message. Thank you for your cooperation.
> >>>
> >>>> -Original Message-
> >>>> From: Christopher Schultz 
> >>>> Sent: Monday, January 9, 2023 8:10 AM
> >>>> To: users@tomcat.apache.org
> >>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>
> >>>> Jon,
> >>>>
> >>>> On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>>>> Thanks for the info.
> >>>>>
> >>>>> In a nutshell I think the certpath,provider would be sufficient.
> >>>>> I'm thinking that I can add this to the java options as
> >>>>> -Djava.security.debug=ssl:certpath,provider however I don't know
> >>>>> how to specify where to log the information.
> >>>> java.security.debug is really a blunt instrument. It'

Re: Basic SSL Certificate Usage logging

[Christopher Schultz]

Jon,

On 1/10/23 13:37, jonmcalexan...@wellsfargo.com.INVALID wrote:

Ultimately it would be nice to be able to log it in Jason format for
ingestion by Elastic or something similar.
If you want JSON-formatted logs, then configure JSON-formatted logs. 
JSON embedded in JSON is a little silly:


{
  "timestamp":"2023-01-10T22:24:00Z",
  "level":"INFO",
  "logger":"org.apache.tomcat.util.net.AbstractEndpoint.logCertificate"

"message":"{\"tlsVirtualHost\":\"_default_\",\"tlsCertificateType\":\"RSA\", 
... }"

}

Isn't this what logstash is for?

-chris


-Original Message-----
From: Christopher Schultz 
Sent: Tuesday, January 10, 2023 7:52 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Jon,

On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:

Yes Chris, It's just for during startup. For a particular instance I
would like to capture the Certificate Info and Truststore being used
and pipe that into a separate log/txt file.

So it sounds like just dumping-out the configured certificates, etc. to
something like the debug log from Connector or SSLHostConfig or similar
would work?

Or would you want that information available to the application so you can
log it in some very specific way? Note that you can already get the
SSLHostConfig info via JMX if you are willing to do that.

-chris



Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you

are not the addressee or authorized to receive this for the addressee, you
must not use, copy, disclose, or take any action based on this message or any
information herein. If you have received this message in error, please advise
the sender immediately by reply e-mail and delete this message. Thank you
for your cooperation.



-Original Message-----
From: Christopher Schultz 
Sent: Monday, January 9, 2023 8:10 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Jon,

On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:

Thanks for the info.

In a nutshell I think the certpath,provider would be sufficient. I'm
thinking that I can add this to the java options as
-Djava.security.debug=ssl:certpath,provider however I don't know how
to specify where to log the information.

java.security.debug is really a blunt instrument. It's unfortunate
that it's one of the only ways to get information out of the TLS
stack. It would have been great if Java had started using its own
logging system once it was introduced, but no.

That debugging tool always dumps to stdout (or stderr?) and you have
very little control over where it goes.

You would never want to use it for ongoing logging. It truly is for
debugging- only.

The good news is that application code should be able to get the
information you are looking for.

Oh, wait...


[...] I'm checking to see if there is any out-of-the-box option to
capture in a log which SSL certificate and trust keystore is being
used during startup?

What do you mean "during startup"? I originally read that as "for
incoming connections" thinking that you wanted to log which cert was
used for a particular request. But it sounds like maybe you are
asking for something to just be logged one-time during startup?

-chris



Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information.
If you

are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose, or take any action based
on this message or any information herein. If you have received this
message in error, please advise the sender immediately by reply
e-mail and delete this message. Thank you for your cooperation.



-----Original Message-
From: Christopher Schultz 
Sent: Friday, January 6, 2023 2:41 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Mark,

On 1/6/23 15:00, Mark Thomas wrote:

Hi Jon,

In a word, no. Sorry.

Some sort of info log message probably makes sense for this. SNI
makes things a little more complicated but we should be able to do

something.

What is the minimum info you'd like to see?


How about adding a request attribute with some kind of identifier (fpr?
serial-number?) in it and 

RE: Basic SSL Certificate Usage logging

[jonmcalexander]

Ultimately it would be nice to be able to log it in Jason format for ingestion 
by Elastic or something similar.

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, January 10, 2023 7:52 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> Jon,
> 
> On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Yes Chris, It's just for during startup. For a particular instance I
> > would like to capture the Certificate Info and Truststore being used
> > and pipe that into a separate log/txt file.
> So it sounds like just dumping-out the configured certificates, etc. to
> something like the debug log from Connector or SSLHostConfig or similar
> would work?
> 
> Or would you want that information available to the application so you can
> log it in some very specific way? Note that you can already get the
> SSLHostConfig info via JMX if you are willing to do that.
> 
> -chris
> 
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Monday, January 9, 2023 8:10 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> Jon,
> >>
> >> On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> Thanks for the info.
> >>>
> >>> In a nutshell I think the certpath,provider would be sufficient. I'm
> >>> thinking that I can add this to the java options as
> >>> -Djava.security.debug=ssl:certpath,provider however I don't know how
> >>> to specify where to log the information.
> >> java.security.debug is really a blunt instrument. It's unfortunate
> >> that it's one of the only ways to get information out of the TLS
> >> stack. It would have been great if Java had started using its own
> >> logging system once it was introduced, but no.
> >>
> >> That debugging tool always dumps to stdout (or stderr?) and you have
> >> very little control over where it goes.
> >>
> >> You would never want to use it for ongoing logging. It truly is for
> >> debugging- only.
> >>
> >> The good news is that application code should be able to get the
> >> information you are looking for.
> >>
> >> Oh, wait...
> >>
> >>> [...] I'm checking to see if there is any out-of-the-box option to
> >>> capture in a log which SSL certificate and trust keystore is being
> >>> used during startup?
> >> What do you mean "during startup"? I originally read that as "for
> >> incoming connections" thinking that you wanted to log which cert was
> >> used for a particular request. But it sounds like maybe you are
> >> asking for something to just be logged one-time during startup?
> >>
> >> -chris
> >>
> >>>
> >>> Thanks,
> >>>
> >>> Dream * Excel * Explore * Inspire
> >>> Jon McAlexander
> >>> Senior Infrastructu

RE: Basic SSL Certificate Usage logging

[jonmcalexander]

Can we include valid to dates?

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Tuesday, January 10, 2023 8:23 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 10/01/2023 13:52, Christopher Schultz wrote:
> > Jon,
> >
> > On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >> Yes Chris, It's just for during startup. For a particular instance I
> >> would like to capture the Certificate Info and Truststore being used
> >> and pipe that into a separate log/txt file.
> > So it sounds like just dumping-out the configured certificates, etc.
> > to something like the debug log from Connector or SSLHostConfig or
> > similar would work?
> >
> > Or would you want that information available to the application so you
> > can log it in some very specific way? Note that you can already get
> > the SSLHostConfig info via JMX if you are willing to do that.
> 
> How about something like this:
> 
> 10-Jan-2023 14:21:07.951 INFO [main]
> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type [RSA]
> configured from [conf/localhost-rsa.jks] using alias [null] and with trust 
> store
> [null]
> 
> ?
> 
> Mark
> 
> >
> > -chris
> >
> >>
> >> Thanks,
> >>
> >> Dream * Excel * Explore * Inspire
> >> Jon McAlexander
> >> Senior Infrastructure Engineer
> >> Asst. Vice President
> >> He/His
> >>
> >> Middleware Product Engineering
> >> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>
> >> 8080 Cobblestone Rd | Urbandale, IA 50322
> >> MAC: F4469-010
> >> Tel 515-988-2508 | Cell 515-988-2508
> >>
> >> jonmcalexan...@wellsfargo.com
> >> This message may contain confidential and/or privileged information.
> >> If you are not the addressee or authorized to receive this for the
> >> addressee, you must not use, copy, disclose, or take any action based
> >> on this message or any information herein. If you have received this
> >> message in error, please advise the sender immediately by reply
> >> e-mail and delete this message. Thank you for your cooperation.
> >>
> >>> -Original Message-
> >>> From: Christopher Schultz 
> >>> Sent: Monday, January 9, 2023 8:10 AM
> >>> To: users@tomcat.apache.org
> >>> Subject: Re: Basic SSL Certificate Usage logging
> >>>
> >>> Jon,
> >>>
> >>> On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>>> Thanks for the info.
> >>>>
> >>>> In a nutshell I think the certpath,provider would be sufficient.
> >>>> I'm thinking that I can add this to the java options as
> >>>> -Djava.security.debug=ssl:certpath,provider however I don't know
> >>>> how to specify where to log the information.
> >>> java.security.debug is really a blunt instrument. It's unfortunate
> >>> that it's one of the only ways to get information out of the TLS
> >>> stack. It would have been great if Java had started using its own
> >>> logging system once it was introduced, but no.
> >>>
> >>> That debugging tool always dumps to stdout (or stderr?) and you have
> >>> very little control over where it goes.
> >>>
> >>> You would never want to use it for ongoing logging. It truly is for
> >>> debugging-
> >>> only.
> >>>
> >>> The good news is that application code should be able to get the
> >>> information you are looking for.
> >>>
> >>> Oh, wait...
> >>>
> >>>> [...] I'm checking to see if there is any out-of-the-box option to
> >>>>

Re: Basic SSL Certificate Usage logging

[Christopher Schultz]

Mark,

On 1/10/23 09:22, Mark Thomas wrote:

On 10/01/2023 13:52, Christopher Schultz wrote:

Jon,

On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:

Yes Chris, It's just for during startup. For a particular instance I
would like to capture the Certificate Info and Truststore being used
and pipe that into a separate log/txt file.
So it sounds like just dumping-out the configured certificates, etc. 
to something like the debug log from Connector or SSLHostConfig or 
similar would work?


Or would you want that information available to the application so you 
can log it in some very specific way? Note that you can already get 
the SSLHostConfig info via JMX if you are willing to do that.


How about something like this:

10-Jan-2023 14:21:07.951 INFO [main] 
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
[https-jsse-nio-8443], TLS virtual host [_default_], Certificate type 
[RSA] configured from [conf/localhost-rsa.jks] using alias [null] and 
with trust store [null]


?


How about also including the cert fingerprint?

I think that's a very helpful item to include.

-chris


-Original Message-
From: Christopher Schultz 
Sent: Monday, January 9, 2023 8:10 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Jon,

On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:

Thanks for the info.

In a nutshell I think the certpath,provider would be sufficient. I'm
thinking that I can add this to the java options as
-Djava.security.debug=ssl:certpath,provider however I don't know how
to specify where to log the information.
java.security.debug is really a blunt instrument. It's unfortunate 
that it's one
of the only ways to get information out of the TLS stack. It would 
have been
great if Java had started using its own logging system once it was 
introduced,

but no.

That debugging tool always dumps to stdout (or stderr?) and you have 
very

little control over where it goes.

You would never want to use it for ongoing logging. It truly is for 
debugging-

only.

The good news is that application code should be able to get the 
information

you are looking for.

Oh, wait...


[...] I'm checking to see if there is any out-of-the-box option to
capture in a log which SSL certificate and trust keystore is being
used during startup?
What do you mean "during startup"? I originally read that as "for 
incoming

connections" thinking that you wanted to log which cert was used for a
particular request. But it sounds like maybe you are asking for 
something to

just be logged one-time during startup?

-chris



Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged 
information. If you
are not the addressee or authorized to receive this for the 
addressee, you
must not use, copy, disclose, or take any action based on this 
message or any
information herein. If you have received this message in error, 
please advise
the sender immediately by reply e-mail and delete this message. 
Thank you

for your cooperation.



-Original Message-
From: Christopher Schultz 
Sent: Friday, January 6, 2023 2:41 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Mark,

On 1/6/23 15:00, Mark Thomas wrote:

Hi Jon,

In a word, no. Sorry.

Some sort of info log message probably makes sense for this. SNI
makes things a little more complicated but we should be able to do

something.

What is the minimum info you'd like to see?


How about adding a request attribute with some kind of identifier 
(fpr?
serial-number?) in it and indicates at least which server-cert was 
chosen.

Then it can trivially be added to e.g. access_log or even to
application code which wants to do custom logging.

-chris


On 06/01/2023 18:52, jonmcalexan...@wellsfargo.com.INVALID wrote:

Good afternoon and Happy New Year,

I know about the SSL debug logging, however, I'm checking to see if
there is any out-of-the-box option to capture in a log which SSL
certificate and trust keystore is being used during startup?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508





jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo.com>
This message may contain confidential and/or privileged 
information.

If you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose, or take any action
based on this message

Re: Basic SSL Certificate Usage logging

[Mark Thomas]

On 10/01/2023 13:52, Christopher Schultz wrote:

Jon,

On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:

Yes Chris, It's just for during startup. For a particular instance I
would like to capture the Certificate Info and Truststore being used
and pipe that into a separate log/txt file.
So it sounds like just dumping-out the configured certificates, etc. to 
something like the debug log from Connector or SSLHostConfig or similar 
would work?


Or would you want that information available to the application so you 
can log it in some very specific way? Note that you can already get the 
SSLHostConfig info via JMX if you are willing to do that.


How about something like this:

10-Jan-2023 14:21:07.951 INFO [main] 
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
[https-jsse-nio-8443], TLS virtual host [_default_], Certificate type 
[RSA] configured from [conf/localhost-rsa.jks] using alias [null] and 
with trust store [null]


?

Mark



-chris



Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. 
If you are not the addressee or authorized to receive this for the 
addressee, you must not use, copy, disclose, or take any action based 
on this message or any information herein. If you have received this 
message in error, please advise the sender immediately by reply e-mail 
and delete this message. Thank you for your cooperation.



-Original Message-
From: Christopher Schultz 
Sent: Monday, January 9, 2023 8:10 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Jon,

On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:

Thanks for the info.

In a nutshell I think the certpath,provider would be sufficient. I'm
thinking that I can add this to the java options as
-Djava.security.debug=ssl:certpath,provider however I don't know how
to specify where to log the information.
java.security.debug is really a blunt instrument. It's unfortunate 
that it's one
of the only ways to get information out of the TLS stack. It would 
have been
great if Java had started using its own logging system once it was 
introduced,

but no.

That debugging tool always dumps to stdout (or stderr?) and you have 
very

little control over where it goes.

You would never want to use it for ongoing logging. It truly is for 
debugging-

only.

The good news is that application code should be able to get the 
information

you are looking for.

Oh, wait...


[...] I'm checking to see if there is any out-of-the-box option to
capture in a log which SSL certificate and trust keystore is being
used during startup?
What do you mean "during startup"? I originally read that as "for 
incoming

connections" thinking that you wanted to log which cert was used for a
particular request. But it sounds like maybe you are asking for 
something to

just be logged one-time during startup?

-chris



Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. 
If you
are not the addressee or authorized to receive this for the 
addressee, you
must not use, copy, disclose, or take any action based on this 
message or any
information herein. If you have received this message in error, 
please advise
the sender immediately by reply e-mail and delete this message. Thank 
you

for your cooperation.



-Original Message-
From: Christopher Schultz 
Sent: Friday, January 6, 2023 2:41 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Mark,

On 1/6/23 15:00, Mark Thomas wrote:

Hi Jon,

In a word, no. Sorry.

Some sort of info log message probably makes sense for this. SNI
makes things a little more complicated but we should be able to do

something.

What is the minimum info you'd like to see?


How about adding a request attribute with some kind of identifier 
(fpr?
serial-number?) in it and indicates at least which server-cert was 
chosen.

Then it can trivially be added to e.g. access_log or even to
application code which wants to do custom logging.

-chris


On 06/01/2023 18:52, jonmcalexan...@wellsfargo.com.INVALID wrote:

Good afternoon and Happy New Year,

I know about the SSL debug logging, however, I'm checking to see if
there is any out-of-the-box option to capture in a log which SSL
certificate and trust keystore is being used during star

Re: Basic SSL Certificate Usage logging

[Christopher Schultz]

Jon,

On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:

Yes Chris, It's just for during startup. For a particular instance I
would like to capture the Certificate Info and Truststore being used
and pipe that into a separate log/txt file.
So it sounds like just dumping-out the configured certificates, etc. to 
something like the debug log from Connector or SSLHostConfig or similar 
would work?


Or would you want that information available to the application so you 
can log it in some very specific way? Note that you can already get the 
SSLHostConfig info via JMX if you are willing to do that.


-chris



Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


-Original Message-
From: Christopher Schultz 
Sent: Monday, January 9, 2023 8:10 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Jon,

On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:

Thanks for the info.

In a nutshell I think the certpath,provider would be sufficient. I'm
thinking that I can add this to the java options as
-Djava.security.debug=ssl:certpath,provider however I don't know how
to specify where to log the information.

java.security.debug is really a blunt instrument. It's unfortunate that it's one
of the only ways to get information out of the TLS stack. It would have been
great if Java had started using its own logging system once it was introduced,
but no.

That debugging tool always dumps to stdout (or stderr?) and you have very
little control over where it goes.

You would never want to use it for ongoing logging. It truly is for debugging-
only.

The good news is that application code should be able to get the information
you are looking for.

Oh, wait...


[...] I'm checking to see if there is any out-of-the-box option to
capture in a log which SSL certificate and trust keystore is being
used during startup?

What do you mean "during startup"? I originally read that as "for incoming
connections" thinking that you wanted to log which cert was used for a
particular request. But it sounds like maybe you are asking for something to
just be logged one-time during startup?

-chris



Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you

are not the addressee or authorized to receive this for the addressee, you
must not use, copy, disclose, or take any action based on this message or any
information herein. If you have received this message in error, please advise
the sender immediately by reply e-mail and delete this message. Thank you
for your cooperation.



-Original Message-
From: Christopher Schultz 
Sent: Friday, January 6, 2023 2:41 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Mark,

On 1/6/23 15:00, Mark Thomas wrote:

Hi Jon,

In a word, no. Sorry.

Some sort of info log message probably makes sense for this. SNI
makes things a little more complicated but we should be able to do

something.

What is the minimum info you'd like to see?


How about adding a request attribute with some kind of identifier (fpr?
serial-number?) in it and indicates at least which server-cert was chosen.
Then it can trivially be added to e.g. access_log or even to
application code which wants to do custom logging.

-chris


On 06/01/2023 18:52, jonmcalexan...@wellsfargo.com.INVALID wrote:

Good afternoon and Happy New Year,

I know about the SSL debug logging, however, I'm checking to see if
there is any out-of-the-box option to capture in a log which SSL
certificate and trust keystore is being used during startup?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508





jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo

RE: Basic SSL Certificate Usage logging

[jonmcalexander]

Yes Chris, It's just for during startup. For a particular instance I would like 
to capture the Certificate Info and Truststore being used and pipe that into a 
separate log/txt file.

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

> -Original Message-
> From: Christopher Schultz 
> Sent: Monday, January 9, 2023 8:10 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> Jon,
> 
> On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Thanks for the info.
> >
> > In a nutshell I think the certpath,provider would be sufficient. I'm
> > thinking that I can add this to the java options as
> > -Djava.security.debug=ssl:certpath,provider however I don't know how
> > to specify where to log the information.
> java.security.debug is really a blunt instrument. It's unfortunate that it's 
> one
> of the only ways to get information out of the TLS stack. It would have been
> great if Java had started using its own logging system once it was introduced,
> but no.
> 
> That debugging tool always dumps to stdout (or stderr?) and you have very
> little control over where it goes.
> 
> You would never want to use it for ongoing logging. It truly is for debugging-
> only.
> 
> The good news is that application code should be able to get the information
> you are looking for.
> 
> Oh, wait...
> 
> > [...] I'm checking to see if there is any out-of-the-box option to
> > capture in a log which SSL certificate and trust keystore is being
> > used during startup?
> What do you mean "during startup"? I originally read that as "for incoming
> connections" thinking that you wanted to log which cert was used for a
> particular request. But it sounds like maybe you are asking for something to
> just be logged one-time during startup?
> 
> -chris
> 
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Friday, January 6, 2023 2:41 PM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> Mark,
> >>
> >> On 1/6/23 15:00, Mark Thomas wrote:
> >>> Hi Jon,
> >>>
> >>> In a word, no. Sorry.
> >>>
> >>> Some sort of info log message probably makes sense for this. SNI
> >>> makes things a little more complicated but we should be able to do
> something.
> >>> What is the minimum info you'd like to see?
> >>
> >> How about adding a request attribute with some kind of identifier (fpr?
> >> serial-number?) in it and indicates at least which server-cert was chosen.
> >> Then it can trivially be added to e.g. access_log or even to
> >> application code which wants to do custom logging.
> >>
> >> -chris
> >>
> >>> On 06/01/2023 18:52, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>>> Good afternoon and Happy New Year,
> >>>>
> >>>> I know about the SSL debug logging, however, I'm checking to see if
> >>>> there is any o

Re: Basic SSL Certificate Usage logging

[Christopher Schultz]

Jon,

On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:

Thanks for the info.

In a nutshell I think the certpath,provider would be sufficient. I'm
thinking that I can add this to the java options as
-Djava.security.debug=ssl:certpath,provider however I don't know how
to specify where to log the information.
java.security.debug is really a blunt instrument. It's unfortunate that 
it's one of the only ways to get information out of the TLS stack. It 
would have been great if Java had started using its own logging system 
once it was introduced, but no.


That debugging tool always dumps to stdout (or stderr?) and you have 
very little control over where it goes.


You would never want to use it for ongoing logging. It truly is for 
debugging-only.


The good news is that application code should be able to get the 
information you are looking for.


Oh, wait...


[...] I'm checking to see if there is any out-of-the-box option to
capture in a log which SSL certificate and trust keystore is being
used during startup?
What do you mean "during startup"? I originally read that as "for 
incoming connections" thinking that you wanted to log which cert was 
used for a particular request. But it sounds like maybe you are asking 
for something to just be logged one-time during startup?


-chris



Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


-Original Message-
From: Christopher Schultz 
Sent: Friday, January 6, 2023 2:41 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Mark,

On 1/6/23 15:00, Mark Thomas wrote:

Hi Jon,

In a word, no. Sorry.

Some sort of info log message probably makes sense for this. SNI makes
things a little more complicated but we should be able to do something.
What is the minimum info you'd like to see?


How about adding a request attribute with some kind of identifier (fpr?
serial-number?) in it and indicates at least which server-cert was chosen.
Then it can trivially be added to e.g. access_log or even to application code
which wants to do custom logging.

-chris


On 06/01/2023 18:52, jonmcalexan...@wellsfargo.com.INVALID wrote:

Good afternoon and Happy New Year,

I know about the SSL debug logging, however, I'm checking to see if
there is any out-of-the-box option to capture in a log which SSL
certificate and trust keystore is being used during startup?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508



jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo.com>

This message may contain confidential and/or privileged information.
If you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose, or take any action based
on this message or any information herein. If you have received this
message in error, please advise the sender immediately by reply
e-mail and delete this message. Thank you for your cooperation.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Basic SSL Certificate Usage logging

[jonmcalexander]

Hi Mark,

Thanks for the info.

In a nutshell I think the certpath,provider would be sufficient. I'm thinking 
that I can add this to the java options as 
-Djava.security.debug=ssl:certpath,provider however I don't know how to specify 
where to log the information.

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

> -Original Message-
> From: Christopher Schultz 
> Sent: Friday, January 6, 2023 2:41 PM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> Mark,
> 
> On 1/6/23 15:00, Mark Thomas wrote:
> > Hi Jon,
> >
> > In a word, no. Sorry.
> >
> > Some sort of info log message probably makes sense for this. SNI makes
> > things a little more complicated but we should be able to do something.
> > What is the minimum info you'd like to see?
> 
> How about adding a request attribute with some kind of identifier (fpr?
> serial-number?) in it and indicates at least which server-cert was chosen.
> Then it can trivially be added to e.g. access_log or even to application code
> which wants to do custom logging.
> 
> -chris
> 
> > On 06/01/2023 18:52, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >> Good afternoon and Happy New Year,
> >>
> >> I know about the SSL debug logging, however, I'm checking to see if
> >> there is any out-of-the-box option to capture in a log which SSL
> >> certificate and trust keystore is being used during startup?
> >>
> >> Thanks,
> >>
> >> Dream * Excel * Explore * Inspire
> >> Jon McAlexander
> >> Senior Infrastructure Engineer
> >> Asst. Vice President
> >> He/His
> >>
> >> Middleware Product Engineering
> >> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>
> >> 8080 Cobblestone Rd | Urbandale, IA 50322
> >> MAC: F4469-010
> >> Tel 515-988-2508 | Cell 515-988-2508
> >>
> >>
> jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo.com>
> >> This message may contain confidential and/or privileged information.
> >> If you are not the addressee or authorized to receive this for the
> >> addressee, you must not use, copy, disclose, or take any action based
> >> on this message or any information herein. If you have received this
> >> message in error, please advise the sender immediately by reply
> >> e-mail and delete this message. Thank you for your cooperation.
> >>
> >>
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Basic SSL Certificate Usage logging

[Christopher Schultz]

Mark,

On 1/6/23 15:00, Mark Thomas wrote:

Hi Jon,

In a word, no. Sorry.

Some sort of info log message probably makes sense for this. SNI makes 
things a little more complicated but we should be able to do something. 
What is the minimum info you'd like to see?


How about adding a request attribute with some kind of identifier (fpr? 
serial-number?) in it and indicates at least which server-cert was 
chosen. Then it can trivially be added to e.g. access_log or even to 
application code which wants to do custom logging.


-chris


On 06/01/2023 18:52, jonmcalexan...@wellsfargo.com.INVALID wrote:

Good afternoon and Happy New Year,

I know about the SSL debug logging, however, I'm checking to see if 
there is any out-of-the-box option to capture in a log which SSL 
certificate and trust keystore is being used during startup?


Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. 
If you are not the addressee or authorized to receive this for the 
addressee, you must not use, copy, disclose, or take any action based 
on this message or any information herein. If you have received this 
message in error, please advise the sender immediately by reply e-mail 
and delete this message. Thank you for your cooperation.





-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Basic SSL Certificate Usage logging

[Mark Thomas]

Hi Jon,

In a word, no. Sorry.

Some sort of info log message probably makes sense for this. SNI makes 
things a little more complicated but we should be able to do something. 
What is the minimum info you'd like to see?


Mark


On 06/01/2023 18:52, jonmcalexan...@wellsfargo.com.INVALID wrote:

Good afternoon and Happy New Year,

I know about the SSL debug logging, however, I'm checking to see if there is 
any out-of-the-box option to capture in a log which SSL certificate and trust 
keystore is being used during startup?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org