On 08/07/2022 11:36, Ragavendhiran Bhiman (rabhiman) wrote:


That's great, and I am thankful for your reply.

Kindly look at my mail below for my doubts.

And one more query: can we have the same jar updated for lower 9.0.x
versions?

No. The Apache Tomcat project does not produce patches for older versions. You are required to update to 9.0.65 or later.

If that particular jar is updated, what is the jar?

If a jar is not possible, what is the way we can get the solution for lower 9.0.x
versions?

This is open source. You are free to try patching the code yourself. Personally, I'd judge that higher overall risk than updating.

Is this solution possible via syslog?

Yes, with a custom handler. e.g.:
http://rusv.github.io/agafua-syslog/

(I've never used it, just found it via StackOverflow)


Thanks & Regards,

Raghav

From: Ragavendhiran Bhiman (rabhiman) <rabhi...@cisco.com>
Date: Friday, 8 July 2022 at 7:33 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: AW: SSL handshake failure logs required for auditing purpose
Thanks a lot for all your replies.

This auditing is for Common Criteria certification. The OS we use is Red Hat
Linux.
As you know, Common Criteria requires that these handshake failures be
redirected to a syslog server.
Any attempt via tcpdump/Wireshark is not acceptable to the certification.
So it needs to be only syslog.
I think from 9.0.65 it should be easy.
For the existing versions, yes, the log needs to be in syslog until it rotates.
If it gives cipher details that's good, but importantly it should give the IPs.

Once again thanks a lot for your overwhelming responses. If I am able to
close this today, that would be pretty great.

Also, let me know whether in 9.0.65 any detailed attempt is made to log the
SSL handshake, including the ciphers etc.

You'll get the remote IP, remote port and whatever information is in the exception.

https://github.com/apache/tomcat/blob/9.0.x/java/org/apache/tomcat/util/net/NioEndpoint.java#L1776

Mark


Regards,

Raghav
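The thread settles on two pieces: Tomcat 9.0.65 logs the remote IP and port of a failed handshake, and getting that line into syslog needs a custom JULI handler. The following is an added example of such a handler, written for this page; it is not Tomcat's code and not the agafua-syslog library Mark links. It assumes the handshake messages come from a logger named org.apache.tomcat.util.net.NioEndpoint.handshake at debug (JULI FINE) level, that the handler's settings follow JULI's per-class property convention (the keys UdpSyslogHandler.host and UdpSyslogHandler.port are assumptions), and the log record fed to it in main() is constructed to resemble a handshake failure rather than copied from real Tomcat output.

```java
import java.io.IOException;
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.logging.ErrorManager;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogManager;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;
import javax.net.ssl.SSLHandshakeException;

/*
 * Example code, not part of Tomcat: a java.util.logging Handler that forwards each
 * record to a syslog server as one RFC 5424 message over UDP. JULI reads handler
 * settings from logging.properties keyed by class name, so the (assumed) keys are
 * UdpSyslogHandler.host and UdpSyslogHandler.port.
 */
public class UdpSyslogHandler extends Handler {
    private static final int FACILITY_AUTH = 4;       // RFC 5424 facility: security/authorization
    private final InetAddress host;
    private final int port;
    private final DatagramSocket socket;
    private final String localHost = localHostName();
    private final SimpleFormatter msgFormatter = new SimpleFormatter(); // only for {0}-style substitution

    /* No-arg constructor is what LogManager calls when the class is listed in logging.properties. */
    public UdpSyslogHandler() throws IOException {
        this(InetAddress.getByName(prop("host", "127.0.0.1")), Integer.parseInt(prop("port", "514")));
    }

    public UdpSyslogHandler(InetAddress host, int port) throws IOException {
        this.host = host;
        this.port = port;
        this.socket = new DatagramSocket();
    }

    private static String prop(String key, String def) {
        String v = LogManager.getLogManager().getProperty(UdpSyslogHandler.class.getName() + "." + key);
        return v == null ? def : v.trim();
    }

    private static String localHostName() {
        try { return InetAddress.getLocalHost().getHostName(); }
        catch (IOException e) { return "-"; }          // RFC 5424 NILVALUE
    }

    /* JUL level to syslog severity: SEVERE->err(3), WARNING->warning(4), INFO->info(6), else debug(7). */
    static int severity(Level l) {
        int v = l.intValue();
        if (v >= Level.SEVERE.intValue()) return 3;
        if (v >= Level.WARNING.intValue()) return 4;
        if (v >= Level.INFO.intValue()) return 6;
        return 7;
    }

    /* <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG; unused fields are NILVALUE. */
    String format(LogRecord r) {
        StringBuilder sb = new StringBuilder()
            .append('<').append(FACILITY_AUTH * 8 + severity(r.getLevel())).append(">1 ")
            .append(Instant.ofEpochMilli(r.getMillis())).append(' ')   // RFC 3339 timestamp, UTC
            .append(localHost).append(" tomcat - - - [")
            .append(r.getLoggerName()).append("] ")
            .append(msgFormatter.formatMessage(r));
        if (r.getThrown() != null) {
            sb.append(": ").append(r.getThrown());     // exception class and message, no stack trace
        }
        return sb.toString().replace('\n', ' ');       // one datagram per record
    }

    @Override
    public void publish(LogRecord record) {
        if (!isLoggable(record)) return;
        byte[] payload = format(record).getBytes(StandardCharsets.UTF_8);
        try {
            socket.send(new DatagramPacket(payload, payload.length, host, port));
        } catch (IOException e) {
            reportError("syslog send failed", e, ErrorManager.WRITE_FAILURE);
        }
    }

    @Override public void flush() { }
    @Override public void close() { socket.close(); }

    /* Stand-alone demo: a UDP socket on loopback stands in for the syslog server. */
    public static void main(String[] args) throws Exception {
        try (DatagramSocket server = new DatagramSocket(0, InetAddress.getLoopbackAddress())) {
            UdpSyslogHandler handler = new UdpSyslogHandler(InetAddress.getLoopbackAddress(), server.getLocalPort());
            // Assumed logger name for the 9.0.65 handshake-failure messages; debug output is FINE in JULI.
            Logger log = Logger.getLogger("org.apache.tomcat.util.net.NioEndpoint.handshake");
            log.setUseParentHandlers(false);
            log.setLevel(Level.FINE);
            log.addHandler(handler);

            // Constructed record shaped like a failed handshake from a remote client (not real Tomcat output).
            LogRecord r = new LogRecord(Level.FINE, "Handshake failed for [{0}:{1}]");
            r.setLoggerName(log.getName());
            r.setParameters(new Object[] {"198.51.100.23", "50872"});
            r.setThrown(new SSLHandshakeException("no cipher suites in common"));
            log.log(r);

            byte[] buf = new byte[2048];
            DatagramPacket pkt = new DatagramPacket(buf, buf.length);
            server.setSoTimeout(2000);
            server.receive(pkt);
            System.out.println(new String(pkt.getData(), 0, pkt.getLength(), StandardCharsets.UTF_8));
            handler.close();
        }
    }
}
```

To wire it into Tomcat you would put the compiled class on Tomcat's class path (for example under $CATALINA_BASE/lib), add UdpSyslogHandler to the handlers line in conf/logging.properties, set the assumed host and port keys, and enable the handshake logger at FINE, since the handshake failure message is only emitted at debug level. One caveat for an audit requirement: UDP syslog gives no delivery guarantee, so a production deployment would use a TCP or TLS transport (RFC 5425) to the collector rather than this datagram version.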

From: Christopher Schultz <ch...@christopherschultz.net>
Date: Friday, 8 July 2022 at 12:05 AM
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: Re: AW: SSL handshake failure logs required for auditing purpose
Thomas,

On 7/7/22 13:36, Thomas Hoffmann (Speed4Trade GmbH) wrote:


-----Original Message-----
From: Thomas Hoffmann (Speed4Trade GmbH)
<thomas.hoffm...@speed4trade.com.INVALID>
Sent: Thursday, 7 July 2022 19:23
To: Tomcat Users List <users@tomcat.apache.org>
Subject: AW: SSL handshake failure logs required for auditing purpose

Hello Raghav,

-----Original Message-----
From: Ragavendhiran Bhiman (rabhiman) <rabhi...@cisco.com.INVALID>
Sent: Thursday, 7 July 2022 18:13
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: SSL handshake failure logs required for auditing purpose

Version of Tomcat used: 9.0.x.
Kindly help with SSL logging for auditing purposes other than the
-Djavax.net option.

From: Ragavendhiran Bhiman (rabhiman) <rabhi...@cisco.com.INVALID>
Date: Thursday, 7 July 2022 at 9:41 PM
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: SSL handshake failure logs required for auditing purpose
Hi All,

I require your kind help in logging the SSL connection failure logs,
including IP, in Tomcat. Is there any best way to do it without
performance impact other than -Djavax.net.debug in the JDK? Is there any
direct way from Tomcat? Or any way we can derive a class from the JSSE
extension classes and add a HandshakeListener while using the
connectors? All our SSL connections are going through connectors. So I
kindly need your help on how to log those SSL connection auditing logs
through the best method.
Thanks a lot in advance.

Regards,
Raghav

Which OS are you using?
Can you use Wireshark or TCPDump for your purposes?
If you are using Chrome or FF as the client, you can set the environment variable
SSLKEYLOGFILE to write the current keys to a file which Wireshark can use to
decrypt the traffic.

The handshake itself is not encrypted. If the handshake is enough, TCPDump
or Wireshark are sufficient.

Greetings,
Thomas


Short Addendum:
1) Do you want to write the log permanently or just for an audit session?
2) Which details do you want to log? Agreed cipher? Ciphers offered by the 
client? SNI header? ...?
3) What is the purpose of the logging?
      Insecure ciphers can be mitigated by server configuration.

I think he wants to implement a poor man's NIDS.

Raghav, please be aware that any web browser that first attempts to use
an SSLv3/TLSv1/TLSv1.3 handshake, fails, and retries with a
TLSv1.2/similar handshake will cause massive numbers of false positives
in your logs.

I would ask whoever is requesting this logging why they are looking at
such failures. Handshake failures are not always indicative of some kind
of intrusion attempt.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

