On 10/01/2023 13:52, Christopher Schultz wrote:
Jon,
On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
Yes Chris, It's just for during startup. For a particular instance I
would like to capture the Certificate Info and Truststore being used
and pipe that into a separate log/txt file.
So it sounds like just dumping-out the configured certificates, etc. to
something like the debug log from Connector or SSLHostConfig or similar
would work?
Or would you want that information available to the application so you
can log it in some very specific way? Note that you can already get the
SSLHostConfig info via JMX if you are willing to do that.
How about something like this:
10-Jan-2023 14:21:07.951 INFO [main]
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
[https-jsse-nio-8443], TLS virtual host [_default_], Certificate type
[RSA] configured from [conf/localhost-rsa.jks] using alias [null] and
with trust store [null]
?
Mark
-chris
Thanks,
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information.
If you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose, or take any action based
on this message or any information herein. If you have received this
message in error, please advise the sender immediately by reply e-mail
and delete this message. Thank you for your cooperation.
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Monday, January 9, 2023 8:10 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging
Jon,
On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
Thanks for the info.
In a nutshell I think the certpath,provider would be sufficient. I'm
thinking that I can add this to the java options as
-Djava.security.debug=ssl:certpath,provider however I don't know how
to specify where to log the information.
java.security.debug is really a blunt instrument. It's unfortunate
that it's one
of the only ways to get information out of the TLS stack. It would
have been
great if Java had started using its own logging system once it was
introduced,
but no.
That debugging tool always dumps to stdout (or stderr?) and you have
very
little control over where it goes.
You would never want to use it for ongoing logging. It truly is for
debugging-
only.
The good news is that application code should be able to get the
information
you are looking for.
Oh, wait...
[...] I'm checking to see if there is any out-of-the-box option to
capture in a log which SSL certificate and trust keystore is being
used during startup?
What do you mean "during startup"? I originally read that as "for
incoming
connections" thinking that you wanted to log which cert was used for a
particular request. But it sounds like maybe you are asking for
something to
just be logged one-time during startup?
-chris
Thanks,
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information.
If you
are not the addressee or authorized to receive this for the
addressee, you
must not use, copy, disclose, or take any action based on this
message or any
information herein. If you have received this message in error,
please advise
the sender immediately by reply e-mail and delete this message. Thank
you
for your cooperation.
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Friday, January 6, 2023 2:41 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging
Mark,
On 1/6/23 15:00, Mark Thomas wrote:
Hi Jon,
In a word, no. Sorry.
Some sort of info log message probably makes sense for this. SNI
makes things a little more complicated but we should be able to do
something.
What is the minimum info you'd like to see?
How about adding a request attribute with some kind of identifier
(fpr?
serial-number?) in it and indicates at least which server-cert was
chosen.
Then it can trivially be added to e.g. access_log or even to
application code which wants to do custom logging.
-chris
On 06/01/2023 18:52, jonmcalexan...@wellsfargo.com.INVALID wrote:
Good afternoon and Happy New Year,
I know about the SSL debug logging, however, I'm checking to see if
there is any out-of-the-box option to capture in a log which SSL
certificate and trust keystore is being used during startup?
Thanks,
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo.com>
This message may contain confidential and/or privileged information.
If you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose, or take any action
based on this message or any information herein. If you have
received this message in error, please advise the sender
immediately by reply e-mail and delete this message. Thank you for
your cooperation.
--------------------------------------------------------------------
- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
