Hi Mark, Thanks for your great help.

Raghav

From: Mark Thomas <ma...@apache.org>
Date: Friday, 8 July 2022 at 4:44 PM
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: Re: AW: SSL handshake failure logs required for auditing purpose

On 08/07/2022 11:36, Ragavendhiran Bhiman (rabhiman) wrote:
>
> That's great, and thankful for your reply.
>
> Kindly look at my mail below for my doubts.
>
> And one more query: can we have the same jar updated to lower 9.0.x
> versions?

No. The Apache Tomcat project does not produce patches for older versions. You are required to update to 9.0.65 or later.

> If that particular jar is updated, what is the jar?
>
> If a jar is not possible, what is the way we can get the solution for lower
> 9.0.x versions?

This is open source. You are free to try patching the code yourself. Personally, I'd judge that higher overall risk than updating.

> Is this solution possible via syslog?

Yes, with a custom handler. e.g.:
http://rusv.github.io/agafua-syslog/
(I've never used it, just found it via StackOverflow)

> Thanks & Regards,
>
> Raghav
>
> From: Ragavendhiran Bhiman (rabhiman) <rabhi...@cisco.com>
> Date: Friday, 8 July 2022 at 7:33 AM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: AW: SSL handshake failure logs required for auditing purpose
>
> Thanks a lot for all your replies.
>
> This auditing is for Common Criteria certification. The OS we use is Red Hat
> Linux.
> As you know, Common Criteria requires these handshake failures to be
> redirected to a syslog server.
> Any attempt via tcpdump/Wireshark is not acceptable to the certification.
> So it needs to be only the syslogs.
> I think from 9.0.65 it should be easy.
> For the existing versions, yes, the log needs to be in syslog until it rotates.
> If it gives cipher details that's good, but importantly it should give the
> IPs.
>
> Once again thanks a lot for your overwhelming responses. If I will be able to
> close this today, it is pretty great.
>
> Also let me know: in 9.0.65 is there any detailed attempt made to log about
> the SSL handshake including the ciphers etc.?

You'll get the remote IP, remote port and whatever information is in the exception.

https://github.com/apache/tomcat/blob/9.0.x/java/org/apache/tomcat/util/net/NioEndpoint.java#L1776

Mark

> Regards,
>
> Raghav
>
> From: Christopher Schultz <ch...@christopherschultz.net>
> Date: Friday, 8 July 2022 at 12:05 AM
> To: users@tomcat.apache.org <users@tomcat.apache.org>
> Subject: Re: AW: SSL handshake failure logs required for auditing purpose
>
> Thomas,
>
> On 7/7/22 13:36, Thomas Hoffmann (Speed4Trade GmbH) wrote:
>>
>>> -----Original Message-----
>>> From: Thomas Hoffmann (Speed4Trade GmbH)
>>> <thomas.hoffm...@speed4trade.com.INVALID>
>>> Sent: Thursday, 7 July 2022 19:23
>>> To: Tomcat Users List <users@tomcat.apache.org>
>>> Subject: AW: SSL handshake failure logs required for auditing purpose
>>>
>>> Hello Raghav,
>>>
>>>> -----Original Message-----
>>>> From: Ragavendhiran Bhiman (rabhiman) <rabhi...@cisco.com.INVALID>
>>>> Sent: Thursday, 7 July 2022 18:13
>>>> To: Tomcat Users List <users@tomcat.apache.org>
>>>> Subject: Re: SSL handshake failure logs required for auditing purpose
>>>>
>>>> Version of Tomcat used: 9.0.x.
>>>> Kindly help on the SSL logging for auditing purposes other than the
>>>> -Djavax.net option.
>>>>
>>>> From: Ragavendhiran Bhiman (rabhiman) <rabhi...@cisco.com.INVALID>
>>>> Date: Thursday, 7 July 2022 at 9:41 PM
>>>> To: users@tomcat.apache.org <users@tomcat.apache.org>
>>>> Subject: SSL handshake failure logs required for auditing purpose
>>>>
>>>> Hi All,
>>>>
>>>> I require your kind help in logging the SSL connection failure logs,
>>>> including IP, in Tomcat. Is there any best way to do it without
>>>> performance impact other than -Djavax.net debug in the JDK? Is there any
>>>> direct way from Tomcat? Or any way we can derive a class from the JSSE
>>>> extension classes and add a HandshakeListener while using the
>>>> connectors? All our SSL connections are going through connectors. So
>>>> kindly need your help on how to log those SSL connection auditing logs
>>>> through the best method.
>>>> Thanks a lot in advance.
>>>>
>>>> Regards,
>>>> Raghav
>>>
>>> Which OS are you using?
>>> Can you use Wireshark or tcpdump for your purposes?
>>> If you are using Chrome or FF as client, you can set the environment
>>> variable SSLKEYLOGFILE to write the current key to a file which Wireshark
>>> can take to decrypt the traffic.
>>>
>>> The handshake itself is not encrypted. If the handshake is enough, tcpdump
>>> or Wireshark are sufficient.
>>>
>>> Greetings,
>>> Thomas
>>>
>>
>> Short addendum:
>> 1) Do you want to write the log permanently or just for an audit session?
>> 2) Which details do you want to log? Agreed cipher? Ciphers offered by the
>> client? SNI header? ...?
>> 3) What is the purpose of the logging?
>> Insecure ciphers can be mitigated by server configuration.
>
> I think he wants to implement a poor-man's NIDS.
>
> Raghav, please be aware that any web browser that first attempts to use
> an SSLv3/TLSv1/TLSv1.3 handshake, fails, and retries with a
> TLSv1.2/similar handshake will cause massive numbers of false-positives
> in your logs.
>
> I would ask whoever is requesting this logging why they are looking at
> such failures. Handshake failures are not always indicative of some kind
> of intrusion attempt.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> ---------------------------------------------------------------------
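Mark's reply above says the handshake-failure messages (remote IP, remote port, exception) can reach syslog through a custom java.util.logging handler. The following is an added example, not code from the thread, from agafua-syslog or from Tomcat: a minimal JUL Handler that forwards records to a syslog collector over UDP as RFC 5424 messages; the class name, collector hostname, port and facility are assumptions.

```java
import java.io.IOException;
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.format.DateTimeFormatter;
import java.util.logging.ErrorManager;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;

// Hypothetical JUL handler (not Tomcat code): forwards records to a syslog collector over UDP as RFC 5424.
public class UdpSyslogHandler extends Handler {
    private static final String COLLECTOR = "syslog.example.internal"; // assumed collector host
    private static final int PORT = 514;                              // assumed collector port
    private static final int FACILITY_LOCAL0 = 16;                    // assumed facility (local0)
    private final DatagramSocket socket = new DatagramSocket();
    private final InetAddress target = InetAddress.getByName(COLLECTOR);
    private final String host = InetAddress.getLocalHost().getHostName();
    // No-arg constructor so Tomcat's JULI can instantiate it from logging.properties.
    public UdpSyslogHandler() throws IOException { }

    // Map JUL levels to syslog severities (RFC 5424, section 6.2.1).
    private static int severity(Level level) {
        int v = level.intValue();
        if (v >= Level.SEVERE.intValue()) return 3;   // Error
        if (v >= Level.WARNING.intValue()) return 4;  // Warning
        if (v >= Level.INFO.intValue()) return 6;     // Informational
        return 7;                                     // Debug
    }
    @Override
    public void publish(LogRecord record) {
        if (!isLoggable(record)) return;
        int pri = FACILITY_LOCAL0 * 8 + severity(record.getLevel());
        String ts = DateTimeFormatter.ISO_INSTANT.format(Instant.ofEpochMilli(record.getMillis()));
        // Tomcat's message already names the remote IP and port; append the exception so the failure reason is kept.
        String msg = record.getMessage();
        if (record.getThrown() != null) msg += " " + record.getThrown();
        // PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
        String line = "<" + pri + ">1 " + ts + " " + host + " tomcat - " + record.getLoggerName() + " - " + msg;
        byte[] data = line.getBytes(StandardCharsets.UTF_8);
        try {
            socket.send(new DatagramPacket(data, data.length, target, PORT));
        } catch (IOException e) {
            reportError("syslog send failed", e, ErrorManager.WRITE_FAILURE);
        }
    }
    @Override public void flush() { }
    @Override public void close() { socket.close(); }
}
```

Register it in Tomcat's logging.properties as a handler on the org.apache.tomcat.util.net.NioEndpoint logger, after checking which level your Tomcat version logs the handshake failures at and lowering the logger's level to match. UDP delivery is best-effort, so when the audit trail must not drop records, prefer a TCP or TLS listener on the collector side.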