当前位置:theitroad>仅在使用 Java 的 Tomcat 8+ 上启用日志记录 SSL 握手失败(审计目的日志)

仅在使用 Java 的 Tomcat 8+ 上启用日志记录 SSL 握手失败(审计目的日志)

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/42857957/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

提示:将鼠标放在中文语句上可以显示对应的英文。显示中英文
时间:2020-11-03 06:55:10  来源:igfitidea点击:

Enable Logging SSL handshake failure(Audit purpose logs) only on Tomcat 8+ with Java

javasecuritytomcatssl

提问by Manu

I need to log if a SSL handshake fails while a REST client tries to connect to my application. The application is build using Spring Boot and Java 8 and deployed on Tomcat 8.

如果 REST 客户端尝试连接到我的应用程序时 SSL 握手失败,我需要记录。该应用程序是使用 Spring Boot 和 Java 8 构建的,并部署在 Tomcat 8 上。

In the scenario of SSL handshake failing, since the TLS connection is broken, the logging requirement might have to be done in the Tomcat layer or Java, since Tomcat is using underlying JVM for SSL certificate validation in my case.

在 SSL 握手失败的情况下,由于 TLS 连接中断,日志记录要求可能必须在 Tomcat 层或 Java 中完成,因为在我的情况下,Tomcat 使用底层 JVM 进行 SSL 证书验证。

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" keystoreFile="keyStore-1.jks" keystorePass="password" keystoreType="jks" truststoreFile="TrustStore.jks" truststorePass="passwrd" truststoreType="jks" clientAuth="want" sslProtocol="TLSv1.2" />

I am aware of enabling the debug level logging.

我知道启用调试级别日志记录。

-Djavax.net.debug=ssl

-Djavax.net.debug=ssl

But this logs a lot of information and will slow down the process. And log the success SSL valdiations also. Is there a way to enable the failure cases alone with minimum logs either at Java or Tomcat level.

但这会记录大量信息并且会减慢进程。并记录成功的 SSL 验证。有没有办法在 Java 或 Tomcat 级别以最少的日志单独启用失败案例。

I am NOT looking this from a debugging perspective, as the SSL debug logs are very good for that. This requirement is more from a logging and auditing purpose and enabling the debug logs is not a feasible option.A mechanism that logs only the errors happening SSL and not all the hex/cert data.

我不是从调试的角度来看这个的,因为 SSL 调试日志对此非常有用。这个要求更多是出于日志记录和审计的目的,启用调试日志不是一个可行的选项。只记录发生 SSL 的错误而不是所有十六进制/证书数据的机制。

回答by egorlitvinenko

Unfortunately, it is not possible likely. And it is not related to Tomcat. Logging of SSL it is not part of standard logging in your application. You could try reduce output with following option:

不幸的是,这是不可能的。并且与Tomcat无关。SSL 的日志记录它不是应用程序中标准日志记录的一部分。您可以尝试使用以下选项减少输出:

-Djava.net.debug=handshake

Some others:

其他一些:

  • record - Print a trace of each SSL record (at the SSL protocol level).
  • handshake - Print each handshake message as it is received
  • keygen - Print key generation data for the secret key exchange.
  • session - Print SSL session activity.
  • defaultctx - Print the default SSL initialization information.
  • sslctx - Print information about the SSL context.
  • sessioncache - Print information about the SSL session cache.
  • keymanager - Print information about calls to the key manager.
  • trustmanager - Print information about calls to the trust manager.
  • data - For handshake tracing, print out a hex dump of each message.
  • verbose - For handshake tracing, print out verbose information.
  • plaintext - For record tracing, print out a hex dump of the record.
  • record - 打印每个 SSL 记录的跟踪(在 SSL 协议级别)。
  • 握手 - 打印收到的每个握手消息
  • keygen - 打印密钥交换的密钥生成数据。
  • session - 打印 SSL 会话活动。
  • defaultctx - 打印默认 SSL 初始化信息。
  • sslctx - 打印有关 SSL 上下文的信息。
  • sessioncache - 打印有关 SSL 会话缓存的信息。
  • keymanager - 打印有关调用密钥管理器的信息。
  • trustmanager - 打印有关调用信任管理器的信息。
  • 数据 - 对于握手跟踪,打印出每条消息的十六进制转储。
  • 详细 - 对于握手跟踪,打印详细信息。
  • 明文 - 对于记录跟踪,打印出记录的十六进制转储。

See docs.

请参阅文档

If you really need this and performance is critical for your application, you could instrument SSLSocket(in docs you could read about handshake process) with ASM/Btrace/etc and check the state of handshake inside it. But in that case you wouldn't have debug information - only true/false.

如果您真的需要这个并且性能对您的应用程序至关重要,您可以使用ASM/ Btrace/etc检测SSLSocket(在文档中您可以阅读有关握手过程的信息)并检查其中的握手状态。但在那种情况下,您将没有调试信息 - 只有 true/false。

See also Tomcat docswith all available settings. There you can read that there is JSSEImplementationclass, which is used in Tomcat. And it is wrapper for JSSE.

另请参阅包含所有可用设置的Tomcat 文档。在那里你可以读到有JSSEImplementation类,它在 Tomcat 中使用。它是 JSSE 的包装器。

回答by Dhaumik

I had same issue many times and i cracked it as following way. i had my project setup in intelliJ.

我多次遇到同样的问题,我按照以下方式破解它。我在 intelliJ 中设置了我的项目。

  1. set Debug level of the VM option : -Djavax.net.debug=all (Edit Configurations->VM Options) save and apply.
  2. Run project(App) in debug mode and check the calls between server and client. you will find there will be additional CertificateRequest call from the server to client in console as below for instance.
  1. 设置 VM 选项的调试级别:-Djavax.net.debug=all (Edit Configurations->VM Options) 保存并应用。
  2. 在调试模式下运行项目(App)并检查服务器和客户端之间的调用。您会发现在控制台中会有额外的从服务器到客户端的 CertificateRequest 调用,如下所示。

*** CertificateRequest Cert Types: RSA, DSS, ECDSA Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, Unknown (hash:0x4, signature:0x2), SHA256withECDSA, SHA224withRSA, Unknown (hash:0x3, signature:0x2), SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA Cert Authorities:

*** CertificateRequest 证书类型:RSA、DSS、ECDSA 支持的签名算法:SHA512withRSA、未知(散列:0x6、签名:0x2)、SHA512withECDSA、SHA384withRSA、未知(散列:0x5、签名:0x2)、SHA384withRSA、RSA、RSA、未知(未知)哈希:0x4,签名:0x2),SHA256withECDSA,SHA224withRSA,未知(哈希:0x3,签名:0x2),SHA224withECDSA,SHA1withRSA,SHA1withDSA,SHA1withECDSA 认证机构:

CN=Symantec Public Class 3, O=Symantec Corporation, C=US

CN=Symantec Public Class 3,O=Symantec Corporation,C=US

CN=Symantec Class 3 Manage, OU=Symantec Trusted Network, O=Symantec, C=US

CN=Symantec Class 3 Manage,OU=Symantec Trusted Network,O=Symantec,C=US

[read] MD5 and SHA1 hashes: len = 302

[阅读] MD5 和 SHA1 哈希值:len = 302

  1. If you can see certificate request with "CN" as above that means you are missing these certs in cacert keystore.
  1. 如果您可以看到上面带有“CN”的证书请求,则意味着您在 cacert 密钥库中缺少这些证书。

Solution : add missing certs (for our example two certs CN=Symantec Public Class 3 and CN=Symantec Class 3 Manage).

解决方案:添加缺少的证书(对于我们的示例,两个证书 CN=Symantec Public Class 3 和 CN=Symantec Class 3 Manage)。

we have to understand the calls between server and client by the SSL Protocol, please check the following link to get more information how server and client communicate.

我们必须通过 SSL 协议了解服务器和客户端之间的调用,请查看以下链接以获取更多信息服务器和客户端如何通信。

https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallProbs

https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallProbs

I will give youtube video demo if someone have issue.

如果有人有问题,我会提供 youtube 视频演示。

I hope this solution will help someone.

我希望这个解决方案会对某人有所帮助。

Thank You.

谢谢。

相关推荐

java 对象映射器读取值

java 对象映射器读取值

java 即时运行不起作用

java 即时运行不起作用

java JSON 从键中提取值

java JSON 从键中提取值

java Spring Boot - 不支持请求方法“POST”(不允许方法)

java Spring Boot - 不支持请求方法“POST”(不允许方法)

相关推荐
最近更新
标签