tomcat-users mailing list archives

From Daniel Morrison <...@Hi-Tech-Solutions.com>
Subject Tomcat 8.5.11 -Djava.net.debug=ssl not logging
Date Fri, 07 Apr 2017 19:28:46 GMT
Problem...
Tomcat 8.5 -Djava.net.debug=ssl not logging

Porting a REST interface from Glassfish 4 to Tomcat 8.5, works fine.
Glassfish -Djava.net.debug=ssl logs Cipher Suites to server.log.
With Tomcat 8.5 the java debug setting doesn't produce any SSL output in the logs.

Why needed...
Older Glassfish server SSL supports some weak ciphers.
When clients cut over to the Tomcat server, many failed to support strict ciphers.
We need to log failed client ciphers to support the clients' transition.

Comment...
Running Tomcat on production servers with correct SSL certs, no issues.
Docs say -Djava.net.debug=all/ssl(etc) flag should work.
ps -ef (below) shows the debug setting passed to java, and it looks correct.
I think I'm missing something in logging.properties to get the debug output
captured and passed to the log, but I can't figure out what is missing.
Is there a specific handler for the java debug output?

Versions...
Tomcat 8.5.11 (recently updated from 8.0.23)
uname -r... 3.10.0-514.10.2.el7.x86_64 (Centos 7)
getenforce -> Permissive
java -version... java version "1.8.0_121" (Oracle flavor)

Original Connector...
<Connector executor="tomcatThreadPool"
            address="M.Y.I.P" port="443"
            protocol="org.apache.coyote.http11.Http11NioProtocol"
            SSLEnabled="true" scheme="https" secure="true"
            keystoreFile="./conf/keystore.jks" keystorePass="MYPASS"
            keyAlias="MYALIAS"
            clientAuth="false"
            compression="on" compressionMinSize="2048"
            compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
            useServerCipherSuitesOrder="true" (etc)

Tried...
1.  put in setenv.sh... (shows after logging properties)
JAVA_OPTS="$JAVA_OPTS -Djava.net.debug=ssl"; export JAVA_OPTS

# ps -ef|grep java
/usr/bin/java 
-Djava.util.logging.config.file=/opt/apache-tomcat-8.5.11/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Duser.timezone=US/Eastern -Xms128m -Xmx1024m -server 
-Doracle.jdbc.autoCommitSpecCompliant=false -Djava.net.debug=ssl 
-Djdk.tls.ephemeralDHKeySize=2048 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources -classpath 
/opt/apache-tomcat-8.5.11/bin/bootstrap.jar:/opt/apache-tomcat-8.5.11/bin/tomcat-juli.jar

-Dcatalina.base=/opt/apache-tomcat-8.5.11 
-Dcatalina.home=/opt/apache-tomcat-8.5.11 
-Djava.io.tmpdir=/opt/apache-tomcat-8.5.11/temp 
org.apache.catalina.startup.Bootstrap start

2. put in start script... (shows before logging properties)
LOGGING_CONFIG="-Djava.net.debug=ssl 
-Djava.util.logging.config.file=$CATALINA_BASE/conf/logging.properties"

# ps -ef|grep java
/usr/bin/java -Djava.net.debug=ssl 
-Djava.util.logging.config.file=/opt/apache-tomcat-8.5.11/conf/logging.properties 
-Djava.util.logging.manager=(etc...)

3. -Djava.net.debug=ssl both before AND after logging.config

4. server.xml...  (tried with and without)
       <Valve className="org.apache.catalina.valves.SSLValve" />

5. logging.properties - uncommented all properties, set to ALL (default file)

6. -Djava.net.debug=all - no difference

7. logging.properties - org.apache.catalina.session.level=ALL

8. reworked all Connectors to 9.0 specs...
<Connector address="M.Y.I.P" port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           maxThreads="150" SSLEnabled="true"
           defaultSSLHostConfigName="MYHOSTNAME" >
    <!-- honorCipherOrder, protocols and ciphers are SSLHostConfig attributes,
         so they belong on this element, not after the closed Certificate tag -->
    <SSLHostConfig hostName="MYHOSTNAME"
                   honorCipherOrder="true"
                   protocols="+TLSv1 +TLSv1.1 +TLSv1.2"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                   (etc)...
                   TLS_EMPTY_RENEGOTIATION_INFO_SCSV">
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="MYPASS"
                     certificateKeyAlias="MYALIAS"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

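The JSSE debug switch the JVM actually honours is javax.net.debug (the post uses java.net.debug, which the JVM ignores), and its output is written to System.out rather than through java.util.logging, so no logging.properties handler is involved: under catalina.sh it lands in logs/catalina.out. The script below is an added example, not code from the original post or from Tomcat. It shows the setenv.sh fragment and a small parser that extracts, for every handshake that fails with "no cipher suites in common", the cipher suites the client offered in the preceding ClientHello, which is the information the poster wants for the client transition. The sample log text is constructed to match the Java 8 JSSE debug format; the file path and function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Tomcat 8.5 started via
# catalina.sh, so System.out (where JSSE debug writes) ends up in catalina.out.

# setenv.sh fragment. The JSSE property is javax.net.debug; "ssl:handshake"
# restricts output to handshake messages, which carry the offered cipher suites.
#   JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=ssl:handshake"; export JAVA_OPTS

# Constructed sample of Java 8 JSSE debug output as it would appear in
# catalina.out: one legacy client that fails, one modern client that succeeds.
SAMPLE='*** ClientHello, TLSv1
Cipher Suites: [SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA]
Compression Methods:  { 0 }
http-nio-443-exec-1, fatal error: 40: no cipher suites in common
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]
Compression Methods:  { 0 }
*** ServerHello, TLSv1.2
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'

# Hypothetical sample file standing in for logs/catalina.out.
SAMPLE_FILE="${TMPDIR:-/tmp}/jsse_sample.$$.log"
printf '%s\n' "$SAMPLE" > "$SAMPLE_FILE"

# count_failed_handshakes FILE
#   Number of handshakes the server rejected for lack of a common cipher suite.
count_failed_handshakes() {
    grep -c 'no cipher suites in common' "$1"
}

# offered_before_failure FILE
#   For each failed handshake, print the cipher suites from the ClientHello
#   that immediately preceded it, one suite per line. This is the list to
#   compare against the Connector's ciphers attribute when helping a client.
offered_before_failure() {
    awk '
        /^Cipher Suites: \[/ { last = $0 }
        /no cipher suites in common/ {
            sub(/^Cipher Suites: \[/, "", last)
            sub(/\]$/, "", last)
            n = split(last, suites, /, */)
            for (i = 1; i <= n; i++) print suites[i]
        }' "$1"
}

# Stand-alone run: summarise the sample file.
echo "failed handshakes: $(count_failed_handshakes "$SAMPLE_FILE")"
echo "cipher suites offered by failing clients:"
offered_before_failure "$SAMPLE_FILE"
```

Pointing the two functions at the real catalina.out (or a rotated copy) gives a per-client list of offered suites without touching logging.properties; the same grep can be scheduled to alert when failures appear after the cutover.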

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

