2017-04-07 22:28 GMT+03:00 Daniel Morrison <d...@hi-tech-solutions.com>:
> Problem...
> Tomcat 8.5 -Djava.net.debug=ssl not logging

1. Googling finds that it is "javax.net.debug", s/java/javax/
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html

2. I wonder whether they are going to rename s/ssl/tls/ one day.

3. There is a diagnostics page in the Manager webapp. On the main page of the Manager webapp, scroll down -> "Diagnostics" section -> button "Connector ciphers".

4. Test tools by Christopher Schultz - see archives of this mailing list for discussions:
https://wiki.apache.org/tomcat/tools/SSLTest.java
https://wiki.apache.org/tomcat/tools/SSLUtils.java

> Porting a REST interface from Glassfish 4 to Tomcat 8.5, works fine.
> Glassfish -Djava.net.debug=ssl logs Cipher Suites to server.log.
> Tomcat 8.5 the java debug setting doesn't produce any SSL output in the
> logs.
>
> Why needed...
> Older Glassfish server SSL supports some weak ciphers.
> When clients cut over to Tomcat server, many failed to support strict
> ciphers.
> We need to log failed client ciphers to support clients' transition.
>
> Comment...
> Running Tomcat on production servers with correct SSL certs, no issues.
> Docs say -Djava.net.debug=all/ssl(etc) flag should work.
> ps -ef (below) see debug setting passed to java and looks correct.
> I think I'm missing something in the logging.properties to get the debug
> output captured and passed to log - but I can't figure out what is missing?
> Is there a specific handler for the java debug output?
>
> Versions...
> Tomcat 8.5.11 (recently updated from 8.0.23)
> uname -r... 3.10.0-514.10.2.el7.x86_64 (Centos 7)
> getenforce -> Permissive
> java -version... java version "1.8.0_121" (Oracle flavor)
>
> Original Connector...
> <Connector executor="tomcatThreadPool"
> address="M.Y.I.P" port="443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> SSLEnabled="true" scheme="https" secure="true"
> keystoreFile="./conf/keystore.jks" keystorePass="MYPASS"
> keyAlias="MYALIAS"
> clientAuth="false"
> compression="on" compressionMinSize="2048"
> compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
> useServerCipherSuitesOrder="true" (etc)

5. Personally, I do not recommend enabling compression for dynamic data on HTTPS connectors:
https://en.wikipedia.org/wiki/BREACH

One possible solution is to precompress static files and let DefaultServlet serve them. See the "precompressed" option at
http://tomcat.apache.org/tomcat-8.5-doc/default-servlet.html

Best regards,
Konstantin Kolinko
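Two checks for points 1 and 5 of the reply above, as an added example that is not part of the thread and not a Tomcat project tool: a test that a JVM option string (the java command line from `ps -ef` is the natural input) uses the JSSE property name `javax.net.debug` rather than `java.net.debug`, and a scan of server.xml for `SSLEnabled` connectors that still carry `compression="on"`, the combination the BREACH note is about. The server.xml content is constructed from the redacted connector in the question, the function names are my own, and the setenv.sh line assumes the standard catalina.sh startup, which sends the JVM's stdout (where JSSE writes its debug output) to logs/catalina.out.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Constructed sample server.xml: values mirror the poster's redacted
# connector and are not a real deployment.
SAMPLE_SERVER_XML='<Server>
  <Service name="Catalina">
    <!-- plain HTTP connector: compression here is not a BREACH concern -->
    <Connector port="8080" protocol="HTTP/1.1" compression="on" />
    <Connector executor="tomcatThreadPool"
               address="M.Y.I.P" port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="./conf/keystore.jks" keystorePass="MYPASS"
               compression="on" compressionMinSize="2048"
               useServerCipherSuitesOrder="true" />
  </Service>
</Server>'

# The option to put in bin/setenv.sh (CATALINA_OPTS) for JSSE handshake
# logging. JSSE prints to stdout, which catalina.sh redirects to
# logs/catalina.out; no logging.properties handler is involved.
JSSE_DEBUG_OPT='-Djavax.net.debug=ssl:handshake'

# Returns 0 when the option string carries the JSSE property under its
# correct name (javax.net.debug), 1 otherwise (including the common
# misspelling java.net.debug, which the JVM silently ignores).
jsse_debug_opt_ok() {
    case "$1" in
        *-Djavax.net.debug=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the port of every SSLEnabled connector that also has
# compression="on". Each <Connector ...> element is flattened onto one
# line first so attributes match however they were wrapped in the file.
https_connectors_with_compression() {
    printf '%s' "$1" | tr '\n' ' ' | sed 's/<Connector/\
<Connector/g' \
      | grep 'SSLEnabled="true"' | grep 'compression="on"' \
      | sed -n 's/.*port="\([0-9]*\)".*/\1/p'
}

# Stand-alone run: report findings for the sample input.
if jsse_debug_opt_ok "-Djava.net.debug=ssl"; then
    echo "debug option OK"
else
    echo "debug option wrong: use $JSSE_DEBUG_OPT"
fi
for port in $(https_connectors_with_compression "$SAMPLE_SERVER_XML"); do
    echo "HTTPS connector on port $port has compression=\"on\":" \
         "set compression=\"off\" and serve precompressed static files via DefaultServlet"
done
```

Run it against a real file with `https_connectors_with_compression "$(cat conf/server.xml)"`; the plain-HTTP connector on 8080 is deliberately ignored because the BREACH concern applies to compressed responses inside TLS only.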