Re: AW: SSL handshake failure logs required for auditing purpose

Thu, 07 Jul 2022 11:34:31 -0700 

Thomas,

On 7/7/22 13:36, Thomas Hoffmann (Speed4Trade GmbH) wrote:




-----Ursprüngliche Nachricht-----
Von: Thomas Hoffmann (Speed4Trade GmbH)
<thomas.hoffm...@speed4trade.com.INVALID>
Gesendet: Donnerstag, 7. Juli 2022 19:23
An: Tomcat Users List <users@tomcat.apache.org>
Betreff: AW: SSL handshake failure logs required for auditing purpose

Hello Raghav,


-----Ursprüngliche Nachricht-----
Von: Ragavendhiran Bhiman (rabhiman) <rabhi...@cisco.com.INVALID>
Gesendet: Donnerstag, 7. Juli 2022 18:13
An: Tomcat Users List <users@tomcat.apache.org>
Betreff: Re: SSL handshake failure logs required for auditing purpose

Version of tomcat used 9.0.x.
Kindly help on the ssl logging for auditing purpose other than -D
javax.net option.

From: Ragavendhiran Bhiman (rabhiman) <rabhi...@cisco.com.INVALID>
Date: Thursday, 7 July 2022 at 9:41 PM
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: SSL handshake failure logs required for auditing purpose Hi
All,

I require your kind help in logging the SSl connection failure logs
including iP in the tomcat, Is there any best way to do It without
performance impact other than -Djava.net debugs in jdk, is there any
direct way from tomcat? Or any way we can derive any class from JSSE
extension classes and add HandShakeListener while using the
connectors. All our SSL connections are going through connectors. So
kindly need your help how to log those SSL connection auditing logs

through best method.

Thanks a lot in advance.

Regards,
Raghav


Which OS are you using?
Can you use Wireshark or TCPDump for your purposes?
If you are using Chrome or FF as Client, you can set the environment variable
SSLKEYLOGFILE to write the current key to a file which Wireshark can take to
decrypt the traffic.

The handshake itself is not encrypted. If the handshake is enough, TCPDump
or Wireshark are sufficient.

Greetings,
Thomas



Short Addendum:
1) Do you want to write the log permanently or just for an audit session?
2) Which details do you want to log? Agreed cipher? Offered ciphers by the 
client? SNI-header? ...?
3) What is the purpose of the logging?
     Insecure ciphers can be mitigated by server configuration.


I think he wants to implement a poor-mans NIDS.


Raghav, please be aware that any web browser that first attempts to use 
a SSLv3/TLSv1/TLSv1.3 handshake, fails, and retries with a 
TLSv1.2/similar handshake will cause massive numbers of false-positives 
in your logs.



I would ask whoever is requesting this logging why they are looking at 
such failures. Handshake failures are not always indicative of some kind 
of intrusion attempt.


-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org























					Reply via email to