AW: JSessionId secure attribute not set if RemoteIpFilter with X-Forwarded-Proto https is used

2023-02-08 Thread Reto Weiss 
Hi Mark

Reported as https://bz.apache.org/bugzilla/show_bug.cgi?id=66471

Regards

Reto

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Basic SSL Certificate Usage logging

2023-02-08 Thread jonmcalexander 
Hi Mark,

As a follow-up, some of my compatriots are asking if we can get all or some of 
these details in the log as well? Wanted to ask early if possible.

•   Subject 
o   Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells Fargo,C=US
o   Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US
o   Ex: CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells Fargo,C=US
•   SAN (aka Subject Alternative Names)
o   Ex: DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com
o   Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com;
o   Ex: EMAIL:some.n...@wellsfargo.com;EMAIL:some.name@wellsfargo.com
•   Issuer
o   Ex: CN=Wells Fargo Enterprise Certification Authority 05-2 G2,OU=Wells 
Fargo Certification Authorities,O=Wells Fargo,C=US
•   ValidFrom (aka NotBefore)
o   Ex: 2022-05-18T05:09:27Z
•   ValidTo (aka NotAfter)
o   Ex: 2024-05-17T05:09:27Z
•   KeyUsage
o   Ex: Digital Signature, Key Encipherment, Data Encipherment
•   KeyUsageExtended
o   Ex: Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication 
(1.3.6.1.5.5.7.3.1)
•   SerialNumber
o   Ex: 6a0006e41935f80460711c1876e419
•   FingerprintSHA1 (aka Thumbprint)
o   Ex: 679323d7dcc9307d8696a88e0f1a8d4069a412b6
•   FingerprintSHA256
o   Ex: DC5044B2E6A173CB2B05CEE54AA5B185DD6D4A341DC36B3CCB0DC99782DD4E41
 
•   PublicKeyAlgo
o   Ex: RSA
o   Ex: ECDSA
•   PublicKeySize
o   Ex: 2048
o   Ex: P-256

Thank you,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, February 8, 2023 10:37 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Hi Mark,
> >
> > So, is this something that can/will be added in the future? I tested my
> thought of setting the java logging.properties to a specific file in the
> command line but it didn't do what I had hoped.
> 
> Already added. Will be in the next round of releases.
> 
> Mark
> 
> 
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >
> >> -Original Message-
> >> From: Mark Thomas 
> >> Sent: Tuesday, January 10, 2023 8:23 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> On 10/01/2023 13:52, Christopher Schultz wrote:
> >>> Jon,
> >>>
> >>> On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
>  Yes Chris, It's just for during startup. For a particular instance
>  I would like to capture the Certificate Info and Truststore being
>  used and pipe that into a separate log/txt file.
> >>> So it sounds like just dumping-out the configured certificates, etc.
> >>> to something like the debug log from Connector or SSLHostConfig or
> >>> similar would work?
> >>>
> >>> Or would you want that information available to the application so
> >>> you can log it in some very specific way? Note that you can already
> >>> get the SSLHostConfig info via JMX if you are willing to do that.
> >>
> >> How about something like this:
> >>
> >> 10-Jan-2023 14:21:07.951 INFO [main]
> >> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> >> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type
> >> [RSA] configured from [conf/localhost-rsa.jks] using alias [null] and
> >> with trust store [null]
> >>
> >> ?
> >>
> >> Mark
> >>
> >>>
> >>> -chris
> >>>
> 
>  Thanks,
> 
>  Dream * Excel *

RE: Basic SSL Certificate Usage logging

2023-02-08 Thread jonmcalexander 
And thank you!

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, February 8, 2023 10:37 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Hi Mark,
> >
> > So, is this something that can/will be added in the future? I tested my
> thought of setting the java logging.properties to a specific file in the
> command line but it didn't do what I had hoped.
> 
> Already added. Will be in the next round of releases.
> 
> Mark
> 
> 
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >
> >> -Original Message-
> >> From: Mark Thomas 
> >> Sent: Tuesday, January 10, 2023 8:23 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> On 10/01/2023 13:52, Christopher Schultz wrote:
> >>> Jon,
> >>>
> >>> On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
>  Yes Chris, It's just for during startup. For a particular instance
>  I would like to capture the Certificate Info and Truststore being
>  used and pipe that into a separate log/txt file.
> >>> So it sounds like just dumping-out the configured certificates, etc.
> >>> to something like the debug log from Connector or SSLHostConfig or
> >>> similar would work?
> >>>
> >>> Or would you want that information available to the application so
> >>> you can log it in some very specific way? Note that you can already
> >>> get the SSLHostConfig info via JMX if you are willing to do that.
> >>
> >> How about something like this:
> >>
> >> 10-Jan-2023 14:21:07.951 INFO [main]
> >> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> >> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type
> >> [RSA] configured from [conf/localhost-rsa.jks] using alias [null] and
> >> with trust store [null]
> >>
> >> ?
> >>
> >> Mark
> >>
> >>>
> >>> -chris
> >>>
> 
>  Thanks,
> 
>  Dream * Excel * Explore * Inspire
>  Jon McAlexander
>  Senior Infrastructure Engineer
>  Asst. Vice President
>  He/His
> 
>  Middleware Product Engineering
>  Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> 
>  8080 Cobblestone Rd | Urbandale, IA 50322
>  MAC: F4469-010
>  Tel 515-988-2508 | Cell 515-988-2508
> 
>  jonmcalexan...@wellsfargo.com
>  This message may contain confidential and/or privileged information.
>  If you are not the addressee or authorized to receive this for the
>  addressee, you must not use, copy, disclose, or take any action
>  based on this message or any information herein. If you have
>  received this message in error, please advise the sender
>  immediately by reply e-mail and delete this message. Thank you for
> your cooperation.
> 
> > -Original Message-
> > From: Christopher Schultz 
> > Sent: Monday, January 9, 2023 8:10 AM
> > To: users@tomcat.apache.org
> > Subject: Re: Basic SSL Certificate Usage logging
> >
> > Jon,
> >
> > On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >> Thanks for the info.
> >>
> >> In a nutshell I think the certpath,provider would be sufficient.
> >> I'm thinking that I can add this to the java options as
> >> -Djava.security.debug=ssl:certpath,provider however I don't know
> >> how to specify where to log the information.
> > java.security.debug is really

RE: Basic SSL Certificate Usage logging

2023-02-08 Thread jonmcalexander 
Awesome Possum Boss!!!

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, February 8, 2023 10:37 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Hi Mark,
> >
> > So, is this something that can/will be added in the future? I tested my
> thought of setting the java logging.properties to a specific file in the
> command line but it didn't do what I had hoped.
> 
> Already added. Will be in the next round of releases.
> 
> Mark
> 
> 
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >
> >> -Original Message-
> >> From: Mark Thomas 
> >> Sent: Tuesday, January 10, 2023 8:23 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> On 10/01/2023 13:52, Christopher Schultz wrote:
> >>> Jon,
> >>>
> >>> On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
>  Yes Chris, It's just for during startup. For a particular instance
>  I would like to capture the Certificate Info and Truststore being
>  used and pipe that into a separate log/txt file.
> >>> So it sounds like just dumping-out the configured certificates, etc.
> >>> to something like the debug log from Connector or SSLHostConfig or
> >>> similar would work?
> >>>
> >>> Or would you want that information available to the application so
> >>> you can log it in some very specific way? Note that you can already
> >>> get the SSLHostConfig info via JMX if you are willing to do that.
> >>
> >> How about something like this:
> >>
> >> 10-Jan-2023 14:21:07.951 INFO [main]
> >> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> >> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type
> >> [RSA] configured from [conf/localhost-rsa.jks] using alias [null] and
> >> with trust store [null]
> >>
> >> ?
> >>
> >> Mark
> >>
> >>>
> >>> -chris
> >>>
> 
>  Thanks,
> 
>  Dream * Excel * Explore * Inspire
>  Jon McAlexander
>  Senior Infrastructure Engineer
>  Asst. Vice President
>  He/His
> 
>  Middleware Product Engineering
>  Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> 
>  8080 Cobblestone Rd | Urbandale, IA 50322
>  MAC: F4469-010
>  Tel 515-988-2508 | Cell 515-988-2508
> 
>  jonmcalexan...@wellsfargo.com
>  This message may contain confidential and/or privileged information.
>  If you are not the addressee or authorized to receive this for the
>  addressee, you must not use, copy, disclose, or take any action
>  based on this message or any information herein. If you have
>  received this message in error, please advise the sender
>  immediately by reply e-mail and delete this message. Thank you for
> your cooperation.
> 
> > -Original Message-
> > From: Christopher Schultz 
> > Sent: Monday, January 9, 2023 8:10 AM
> > To: users@tomcat.apache.org
> > Subject: Re: Basic SSL Certificate Usage logging
> >
> > Jon,
> >
> > On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >> Thanks for the info.
> >>
> >> In a nutshell I think the certpath,provider would be sufficient.
> >> I'm thinking that I can add this to the java options as
> >> -Djava.security.debug=ssl:certpath,provider however I don't know
> >> how to specify where to log the information.
> > java.security.debug

Re: Basic SSL Certificate Usage logging

2023-02-08 Thread Mark Thomas 

On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark,

So, is this something that can/will be added in the future? I tested my thought 
of setting the java logging.properties to a specific file in the command line 
but it didn't do what I had hoped.


Already added. Will be in the next round of releases.

Mark




Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.



-Original Message-
From: Mark Thomas 
Sent: Tuesday, January 10, 2023 8:23 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

On 10/01/2023 13:52, Christopher Schultz wrote:

Jon,

On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:

Yes Chris, It's just for during startup. For a particular instance I
would like to capture the Certificate Info and Truststore being used
and pipe that into a separate log/txt file.

So it sounds like just dumping-out the configured certificates, etc.
to something like the debug log from Connector or SSLHostConfig or
similar would work?

Or would you want that information available to the application so you
can log it in some very specific way? Note that you can already get
the SSLHostConfig info via JMX if you are willing to do that.


How about something like this:

10-Jan-2023 14:21:07.951 INFO [main]
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
[https-jsse-nio-8443], TLS virtual host [_default_], Certificate type [RSA]
configured from [conf/localhost-rsa.jks] using alias [null] and with trust store
[null]

?

Mark



-chris



Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information.
If you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose, or take any action based
on this message or any information herein. If you have received this
message in error, please advise the sender immediately by reply
e-mail and delete this message. Thank you for your cooperation.


-Original Message-
From: Christopher Schultz 
Sent: Monday, January 9, 2023 8:10 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Jon,

On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:

Thanks for the info.

In a nutshell I think the certpath,provider would be sufficient.
I'm thinking that I can add this to the java options as
-Djava.security.debug=ssl:certpath,provider however I don't know
how to specify where to log the information.

java.security.debug is really a blunt instrument. It's unfortunate
that it's one of the only ways to get information out of the TLS
stack. It would have been great if Java had started using its own
logging system once it was introduced, but no.

That debugging tool always dumps to stdout (or stderr?) and you have
very little control over where it goes.

You would never want to use it for ongoing logging. It truly is for
debugging-
only.

The good news is that application code should be able to get the
information you are looking for.

Oh, wait...


[...] I'm checking to see if there is any out-of-the-box option to
capture in a log which SSL certificate and trust keystore is being
used during startup?

What do you mean "during startup"? I originally read that as "for
incoming connections" thinking that you wanted to log which cert was
used for a particular request. But it sounds like maybe you are
asking for something to just be logged one-time during startup?

-chris



Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information.
If you

are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose, or take any action
based on this

RE: Basic SSL Certificate Usage logging

2023-02-08 Thread jonmcalexander 
Hi Mark,

So, is this something that can/will be added in the future? I tested my thought 
of setting the java logging.properties to a specific file in the command line 
but it didn't do what I had hoped.

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Tuesday, January 10, 2023 8:23 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 10/01/2023 13:52, Christopher Schultz wrote:
> > Jon,
> >
> > On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >> Yes Chris, It's just for during startup. For a particular instance I
> >> would like to capture the Certificate Info and Truststore being used
> >> and pipe that into a separate log/txt file.
> > So it sounds like just dumping-out the configured certificates, etc.
> > to something like the debug log from Connector or SSLHostConfig or
> > similar would work?
> >
> > Or would you want that information available to the application so you
> > can log it in some very specific way? Note that you can already get
> > the SSLHostConfig info via JMX if you are willing to do that.
> 
> How about something like this:
> 
> 10-Jan-2023 14:21:07.951 INFO [main]
> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type [RSA]
> configured from [conf/localhost-rsa.jks] using alias [null] and with trust 
> store
> [null]
> 
> ?
> 
> Mark
> 
> >
> > -chris
> >
> >>
> >> Thanks,
> >>
> >> Dream * Excel * Explore * Inspire
> >> Jon McAlexander
> >> Senior Infrastructure Engineer
> >> Asst. Vice President
> >> He/His
> >>
> >> Middleware Product Engineering
> >> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>
> >> 8080 Cobblestone Rd | Urbandale, IA 50322
> >> MAC: F4469-010
> >> Tel 515-988-2508 | Cell 515-988-2508
> >>
> >> jonmcalexan...@wellsfargo.com
> >> This message may contain confidential and/or privileged information.
> >> If you are not the addressee or authorized to receive this for the
> >> addressee, you must not use, copy, disclose, or take any action based
> >> on this message or any information herein. If you have received this
> >> message in error, please advise the sender immediately by reply
> >> e-mail and delete this message. Thank you for your cooperation.
> >>
> >>> -Original Message-
> >>> From: Christopher Schultz 
> >>> Sent: Monday, January 9, 2023 8:10 AM
> >>> To: users@tomcat.apache.org
> >>> Subject: Re: Basic SSL Certificate Usage logging
> >>>
> >>> Jon,
> >>>
> >>> On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
>  Thanks for the info.
> 
>  In a nutshell I think the certpath,provider would be sufficient.
>  I'm thinking that I can add this to the java options as
>  -Djava.security.debug=ssl:certpath,provider however I don't know
>  how to specify where to log the information.
> >>> java.security.debug is really a blunt instrument. It's unfortunate
> >>> that it's one of the only ways to get information out of the TLS
> >>> stack. It would have been great if Java had started using its own
> >>> logging system once it was introduced, but no.
> >>>
> >>> That debugging tool always dumps to stdout (or stderr?) and you have
> >>> very little control over where it goes.
> >>>
> >>> You would never want to use it for ongoing logging. It truly is for
> >>> debugging-
> >>> only.
> >>>
> >>> The good news is that application code should be able to get the
> >>> information you are looking for.
> >>>
> >>> Oh, wait...
> >>>
>  [...] I'm checking to see if there is any out-of-the-box option to
>  capture in a log which SSL certificate and trust keystore is being
>  used during startup?
> >>> What do you mean "during startup"? I originally read that as "for
> >>> incoming connections" thinking that you wanted to log which cert was
> >>> used for a particular request. But it sounds like maybe you are
> >>> asking for something to just be logged one-time during startup?
> >>>
> >>> -chris
> >>>
> 
>  Thanks,
> 
>  Dream * Excel * Explore * Inspire
>  Jon McAlexander
>  Senior Infrastructure Engineer
>  Asst. Vice President
>  He/His
> 
>  Middleware Product Engineering
>

Re: JSessionId secure attribute not set if RemoteIpFilter with X-Forwarded-Proto https is used

2023-02-08 Thread Mark Thomas 

On 08/02/2023 12:26, Reto Weiss wrote:

Hi There

I use Tomcat 9.0.68 and the 
org.apache.catalina.filters.RemoteIpFilter**Filter behind a NGINX 
reverse proxy. On the NGINX I set the http header X-Forwarded-Proto to 
https.


If I now make a request with a Browser to the reverse proxy the 
JSESSIONID cookie I get back is missing the secure attribute.


I have debugged the RemoteIpFilter the isSecure flag of the wrapper 
request it creates is correctly set to true. Unfortunately, the method 
getSession() or getSession(Boolean) is forwarded to the wrapped original 
request were the isSecure Flag is still not set. Therefore, the 
JSESSIONID cookie is missing the secure flag. See 
org.apache.catalina.connector.Request method doGetSession and 
org.apache.catalina.core.ApplicationSessionCookieConfig method 
createSessionCookie.


This seems to be a bug.

As workaround org.apache.catalina.valves.RemoteIpValve can be used, 
which seems to handle this correct. Also, the secure flag can be 
enforced by setting it in the web.xml.


However, I would like to use RemoteIpFilter because it has some 
advantages over the RemoteIpValve or statically setting it in the web.xml.


Should I file an issue for this?


Yes please. Thanks for reporting this.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

JSessionId secure attribute not set if RemoteIpFilter with X-Forwarded-Proto https is used

2023-02-08 Thread Reto Weiss 
Hi There

I use Tomcat 9.0.68 and the org.apache.catalina.filters.RemoteIpFilter Filter 
behind a NGINX reverse proxy. On the NGINX I set the http header 
X-Forwarded-Proto to https.
If I now make a request with a Browser to the reverse proxy the JSESSIONID 
cookie I get back is missing the secure attribute.
I have debugged the RemoteIpFilter the isSecure flag of the wrapper request it 
creates is correctly set to true. Unfortunately, the method getSession() or 
getSession(Boolean) is forwarded to the wrapped original request were the 
isSecure Flag is still not set. Therefore, the JSESSIONID cookie is missing the 
secure flag. See org.apache.catalina.connector.Request method doGetSession and 
org.apache.catalina.core.ApplicationSessionCookieConfig method 
createSessionCookie.

This seems to be a bug.

As workaround org.apache.catalina.valves.RemoteIpValve can be used, which seems 
to handle this correct. Also, the secure flag can be enforced by setting it in 
the web.xml.

However, I would like to use RemoteIpFilter because it has some advantages over 
the RemoteIpValve or statically setting it in the web.xml.

Should I file an issue for this?

Regards

Reto Weiss
El. Ing. HTL
Product Owner / Core Developer
Axon Ivy AG


+41 41 249 25 70
reto.we...@axonivy.com
www.axonivy.com
Baarerstrasse 12 ∙ CH-6300 Zug


[Ein Bild, das Text enthalt.  Automatisch generierte Beschreibung]
LinkedIn ∙ 
Facebook ∙ 
Xing ∙ 
Twitter ∙ 
YouTube