Hi Mark, My thinking is that the teams requesting that I look into if this is possible or not would prefer to be able to get the more detailed information if possible. How much extra work is required to have a dedicated logger for it, as well as keeping the current message in the current logging?
Thanks again for everything! Dream * Excel * Explore * Inspire Jon McAlexander Senior Infrastructure Engineer Asst. Vice President He/His Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. > -----Original Message----- > From: Mark Thomas <ma...@apache.org> > Sent: Thursday, February 9, 2023 3:24 AM > To: users@tomcat.apache.org > Subject: Re: Basic SSL Certificate Usage logging > > Hi Jon, > > The current message looks like this: > > 09-Feb-2023 09:09:53.939 INFO [main] > org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https- > jsse-nio-8443], TLS virtual host [_default_], certificate type [RSA] > configured > from [conf/localhost-rsa.jks] using alias [tomcat] and with trust store [null] > > The intention is to make clear, for each configured server certificate, which > configuration files are being used. The idea being that you can then examine > the relevant files if there is an issue. > > There is a balance to strike in terms of providing useful detail and providing > too much detail in the default logs. Everything below feels like too much > detail. > > One option would be to switch this message to a dedicated logger and then > provide more/all details if debug logging is enabled. Moving this to a > dedicated logger would allow debug logging to be enabled for that logger > without changing the logging for the entire endpoint. > > Mark > > > On 08/02/2023 18:36, jonmcalexan...@wellsfargo.com.INVALID wrote: > > Hi Mark, > > > > As a follow-up, some of my compatriots are asking if we can get all or some > of these details in the log as well? Wanted to ask early if possible. > > > > • Subject > > o Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells > Fargo,C=US > > o Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US > > o Ex: CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells > Fargo,C=US > > • SAN (aka Subject Alternative Names) > > o Ex: DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com > > o Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com; > > o Ex: > EMAIL:some.n...@wellsfargo.com;EMAIL:some.name....@wellsfargo.com > > • Issuer > > o Ex: CN=Wells Fargo Enterprise Certification Authority 05-2 > G2,OU=Wells Fargo Certification Authorities,O=Wells Fargo,C=US > > • ValidFrom (aka NotBefore) > > o Ex: 2022-05-18T05:09:27Z > > • ValidTo (aka NotAfter) > > o Ex: 2024-05-17T05:09:27Z > > • KeyUsage > > o Ex: Digital Signature, Key Encipherment, Data Encipherment > > • KeyUsageExtended > > o Ex: Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication > (1.3.6.1.5.5.7.3.1) > > • SerialNumber > > o Ex: 6a0006e41935f80460711c187000000006e419 > > • FingerprintSHA1 (aka Thumbprint) > > o Ex: 679323d7dcc9307d8696a88e0f1a8d4069a412b6 > > • FingerprintSHA256 > > o Ex: > DC5044B2E6A173CB2B05CEE54AA5B185DD6D4A341DC36B3CCB0DC99782DD4 > E41 > > • PublicKeyAlgo > > o Ex: RSA > > o Ex: ECDSA > > • PublicKeySize > > o Ex: 2048 > > o Ex: P-256 > > > > Thank you, > > > > Dream * Excel * Explore * Inspire > > Jon McAlexander > > Senior Infrastructure Engineer > > Asst. Vice President > > He/His > > > > Middleware Product Engineering > > Enterprise CIO | EAS | Middleware | Infrastructure Solutions > > > > 8080 Cobblestone Rd | Urbandale, IA 50322 > > MAC: F4469-010 > > Tel 515-988-2508 | Cell 515-988-2508 > > > > jonmcalexan...@wellsfargo.com > > This message may contain confidential and/or privileged information. If you > are not the addressee or authorized to receive this for the addressee, you > must not use, copy, disclose, or take any action based on this message or any > information herein. If you have received this message in error, please advise > the sender immediately by reply e-mail and delete this message. Thank you > for your cooperation. > > > > > >> -----Original Message----- > >> From: Mark Thomas <ma...@apache.org> > >> Sent: Wednesday, February 8, 2023 10:37 AM > >> To: users@tomcat.apache.org > >> Subject: Re: Basic SSL Certificate Usage logging > >> > >> On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote: > >>> Hi Mark, > >>> > >>> So, is this something that can/will be added in the future? I tested > >>> my > >> thought of setting the java logging.properties to a specific file in > >> the command line but it didn't do what I had hoped. > >> > >> Already added. Will be in the next round of releases. > >> > >> Mark > >> > >> > >>> > >>> Thanks, > >>> > >>> Dream * Excel * Explore * Inspire > >>> Jon McAlexander > >>> Senior Infrastructure Engineer > >>> Asst. Vice President > >>> He/His > >>> > >>> Middleware Product Engineering > >>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions > >>> > >>> 8080 Cobblestone Rd | Urbandale, IA 50322 > >>> MAC: F4469-010 > >>> Tel 515-988-2508 | Cell 515-988-2508 > >>> > >>> jonmcalexan...@wellsfargo.com > >>> This message may contain confidential and/or privileged information. > >>> If you > >> are not the addressee or authorized to receive this for the > >> addressee, you must not use, copy, disclose, or take any action based > >> on this message or any information herein. If you have received this > >> message in error, please advise the sender immediately by reply > >> e-mail and delete this message. Thank you for your cooperation. > >>> > >>> > >>>> -----Original Message----- > >>>> From: Mark Thomas <ma...@apache.org> > >>>> Sent: Tuesday, January 10, 2023 8:23 AM > >>>> To: users@tomcat.apache.org > >>>> Subject: Re: Basic SSL Certificate Usage logging > >>>> > >>>> On 10/01/2023 13:52, Christopher Schultz wrote: > >>>>> Jon, > >>>>> > >>>>> On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote: > >>>>>> Yes Chris, It's just for during startup. For a particular > >>>>>> instance I would like to capture the Certificate Info and > >>>>>> Truststore being used and pipe that into a separate log/txt file. > >>>>> So it sounds like just dumping-out the configured certificates, etc. > >>>>> to something like the debug log from Connector or SSLHostConfig or > >>>>> similar would work? > >>>>> > >>>>> Or would you want that information available to the application so > >>>>> you can log it in some very specific way? Note that you can > >>>>> already get the SSLHostConfig info via JMX if you are willing to do > >>>>> that. > >>>> > >>>> How about something like this: > >>>> > >>>> 10-Jan-2023 14:21:07.951 INFO [main] > >>>> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate > >>>> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate > >>>> type [RSA] configured from [conf/localhost-rsa.jks] using alias > >>>> [null] and with trust store [null] > >>>> > >>>> ? > >>>> > >>>> Mark > >>>> > >>>>> > >>>>> -chris > >>>>> > >>>>>> > >>>>>> Thanks, > >>>>>> > >>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior > >>>>>> Infrastructure Engineer Asst. Vice President He/His > >>>>>> > >>>>>> Middleware Product Engineering > >>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions > >>>>>> > >>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322 > >>>>>> MAC: F4469-010 > >>>>>> Tel 515-988-2508 | Cell 515-988-2508 > >>>>>> > >>>>>> jonmcalexan...@wellsfargo.com > >>>>>> This message may contain confidential and/or privileged > information. > >>>>>> If you are not the addressee or authorized to receive this for > >>>>>> the addressee, you must not use, copy, disclose, or take any > >>>>>> action based on this message or any information herein. If you > >>>>>> have received this message in error, please advise the sender > >>>>>> immediately by reply e-mail and delete this message. Thank you > >>>>>> for > >> your cooperation. > >>>>>> > >>>>>>> -----Original Message----- > >>>>>>> From: Christopher Schultz <ch...@christopherschultz.net> > >>>>>>> Sent: Monday, January 9, 2023 8:10 AM > >>>>>>> To: users@tomcat.apache.org > >>>>>>> Subject: Re: Basic SSL Certificate Usage logging > >>>>>>> > >>>>>>> Jon, > >>>>>>> > >>>>>>> On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote: > >>>>>>>> Thanks for the info. > >>>>>>>> > >>>>>>>> In a nutshell I think the certpath,provider would be sufficient. > >>>>>>>> I'm thinking that I can add this to the java options as > >>>>>>>> -Djava.security.debug=ssl:certpath,provider however I don't > >>>>>>>> know how to specify where to log the information. > >>>>>>> java.security.debug is really a blunt instrument. It's > >>>>>>> unfortunate that it's one of the only ways to get information > >>>>>>> out of the TLS stack. It would have been great if Java had > >>>>>>> started using its own logging system once it was introduced, but no. > >>>>>>> > >>>>>>> That debugging tool always dumps to stdout (or stderr?) and you > >>>>>>> have very little control over where it goes. > >>>>>>> > >>>>>>> You would never want to use it for ongoing logging. It truly is > >>>>>>> for > >>>>>>> debugging- > >>>>>>> only. > >>>>>>> > >>>>>>> The good news is that application code should be able to get the > >>>>>>> information you are looking for. > >>>>>>> > >>>>>>> Oh, wait... > >>>>>>> > >>>>>>>> [...] I'm checking to see if there is any out-of-the-box option > >>>>>>>> to capture in a log which SSL certificate and trust keystore is > >>>>>>>> being used during startup? > >>>>>>> What do you mean "during startup"? I originally read that as > >>>>>>> "for incoming connections" thinking that you wanted to log which > >>>>>>> cert was used for a particular request. But it sounds like maybe > >>>>>>> you are asking for something to just be logged one-time during > startup? > >>>>>>> > >>>>>>> -chris > >>>>>>> > >>>>>>>> > >>>>>>>> Thanks, > >>>>>>>> > >>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior > >>>>>>>> Infrastructure Engineer Asst. Vice President He/His > >>>>>>>> > >>>>>>>> Middleware Product Engineering > >>>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions > >>>>>>>> > >>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322 > >>>>>>>> MAC: F4469-010 > >>>>>>>> Tel 515-988-2508 | Cell 515-988-2508 > >>>>>>>> > >>>>>>>> jonmcalexan...@wellsfargo.com > >>>>>>>> This message may contain confidential and/or privileged > >> information. > >>>>>>>> If you > >>>>>>> are not the addressee or authorized to receive this for the > >>>>>>> addressee, you must not use, copy, disclose, or take any action > >>>>>>> based on this message or any information herein. If you have > >>>>>>> received this message in error, please advise the sender > >>>>>>> immediately by reply e-mail and delete this message. Thank you > >>>>>>> for your cooperation. > >>>>>>>> > >>>>>>>>> -----Original Message----- > >>>>>>>>> From: Christopher Schultz <ch...@christopherschultz.net> > >>>>>>>>> Sent: Friday, January 6, 2023 2:41 PM > >>>>>>>>> To: users@tomcat.apache.org > >>>>>>>>> Subject: Re: Basic SSL Certificate Usage logging > >>>>>>>>> > >>>>>>>>> Mark, > >>>>>>>>> > >>>>>>>>> On 1/6/23 15:00, Mark Thomas wrote: > >>>>>>>>>> Hi Jon, > >>>>>>>>>> > >>>>>>>>>> In a word, no. Sorry. > >>>>>>>>>> > >>>>>>>>>> Some sort of info log message probably makes sense for this. > >>>>>>>>>> SNI makes things a little more complicated but we should be > >>>>>>>>>> able to do > >>>>>>> something. > >>>>>>>>>> What is the minimum info you'd like to see? > >>>>>>>>> > >>>>>>>>> How about adding a request attribute with some kind of > >>>>>>>>> identifier (fpr? > >>>>>>>>> serial-number?) in it and indicates at least which server-cert > >>>>>>>>> was chosen. > >>>>>>>>> Then it can trivially be added to e.g. access_log or even to > >>>>>>>>> application code which wants to do custom logging. > >>>>>>>>> > >>>>>>>>> -chris > >>>>>>>>> > >>>>>>>>>> On 06/01/2023 18:52, > jonmcalexan...@wellsfargo.com.INVALID > >>>> wrote: > >>>>>>>>>>> Good afternoon and Happy New Year, > >>>>>>>>>>> > >>>>>>>>>>> I know about the SSL debug logging, however, I'm checking to > >>>>>>>>>>> see if there is any out-of-the-box option to capture in a > >>>>>>>>>>> log which SSL certificate and trust keystore is being used > >>>>>>>>>>> during > >> startup? > >>>>>>>>>>> > >>>>>>>>>>> Thanks, > >>>>>>>>>>> > >>>>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior > >>>>>>>>>>> Infrastructure Engineer Asst. Vice President He/His > >>>>>>>>>>> > >>>>>>>>>>> Middleware Product Engineering Enterprise CIO | EAS | > >>>>>>>>>>> Middleware | Infrastructure Solutions > >>>>>>>>>>> > >>>>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322 > >>>>>>>>>>> MAC: F4469-010 > >>>>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508 > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>> > >>>>>>> > >>>> > >> > jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo.com> > >>>>>>>>>>> This message may contain confidential and/or privileged > >>>> information. > >>>>>>>>>>> If you are not the addressee or authorized to receive this > >>>>>>>>>>> for the addressee, you must not use, copy, disclose, or take > >>>>>>>>>>> any action based on this message or any information herein. > >>>>>>>>>>> If you have received this message in error, please advise > >>>>>>>>>>> the sender immediately by reply e-mail and delete this > >>>>>>>>>>> message. Thank you for > >>>>>>> your cooperation. > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> ------------------------------------------------------------- > >>>>>>>>>> -- > >>>>>>>>>> -- > >>>>>>>>>> --- > >>>>>>>>>> - To unsubscribe, e-mail: users- > unsubscr...@tomcat.apache.org > >>>>>>>>>> For additional commands, e-mail: users- > h...@tomcat.apache.org > >>>>>>>>>> > >>>>>>>>> > >>>>>>>>> -------------------------------------------------------------- > >>>>>>>>> -- > >>>>>>>>> -- > >>>>>>>>> --- To unsubscribe, e-mail: > >>>>>>>>> users-unsubscr...@tomcat.apache.org > >>>>>>>>> For additional commands, e-mail: users- > h...@tomcat.apache.org > >>>>>>>> > >>>>>>>> > >>>>>>>> --------------------------------------------------------------- > >>>>>>>> -- > >>>>>>>> -- > >>>>>>>> -- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >>>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org > >>>>>>>> > >>>>>>> > >>>>>>> ---------------------------------------------------------------- > >>>>>>> -- > >>>>>>> -- > >>>>>>> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org > >>>>>> > >>>>>> > >>>>>> ----------------------------------------------------------------- > >>>>>> -- > >>>>>> -- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org > >>>>>> > >>>>> > >>>>> ------------------------------------------------------------------ > >>>>> -- > >>>>> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >>>>> For additional commands, e-mail: users-h...@tomcat.apache.org > >>>>> > >>>> > >>>> ------------------------------------------------------------------- > >>>> -- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >>>> For additional commands, e-mail: users-h...@tomcat.apache.org > >>> > >>> > >>> -------------------------------------------------------------------- > >>> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >>> For additional commands, e-mail: users-h...@tomcat.apache.org > >>> > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
