tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Tomcat 8.5.11 -Djava.net.debug=ssl not logging
Date Sat, 08 Apr 2017 09:04:53 GMT
2017-04-07 22:28 GMT+03:00 Daniel Morrison <dem@hi-tech-solutions.com>:
> Problem...
> Tomcat 8.5 -Djava.net.debug=ssl not logging

1. Googling finds that it is "javax.net.debug", s/java/javax/

http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html

2. I wonder whether they are going to rename s/ssl/tls/ one day.

3. There is a diagnostic page in the Manager webapp.
In the main page of the Manager webapp scroll down -> "Diagnostics" section
-> button "Connector ciphers"

4. Test tools by Christopher Schultz - see archives of this mailing
list for discussions

https://wiki.apache.org/tomcat/tools/SSLTest.java
https://wiki.apache.org/tomcat/tools/SSLUtils.java



> Porting a REST interface from Glassfish 4 to Tomcat 8.5, works fine.
> Glassfish -Djava.net.debug=ssl logs Cipher Suites to server.log.
> Tomcat 8.5 the java debug setting doesn't produce any SSL output in the
> logs.
>
> Why needed...
> Older Glassfish server SSL supports some weak ciphers.
> When clients cutover to Tomcat server, many failed to support strict
> ciphers.
> We need to log failed client ciphers to support clients transition.
>
> Comment...
> Running Tomcat on production servers with correct SSL certs, no issues.
> Docs say -Djava.net.debug=all/ssl(etc) flag should work.
> ps -ef (below) see debug setting passed to java and looks correct.
> I think I'm missing something in the logging.properties to get the debug
> output captured and passed to log - but I can't figure out what is missing?
> Is there a specific handler for the java debug output?
>
> Versions...
> Tomcat 8.5.11 (recently updated from 8.0.23)
> uname -r... 3.10.0-514.10.2.el7.x86_64 (Centos 7)
> getenforce -> Permissive
> java -version... java version "1.8.0_121" (Oracle flavor)
>
> Original Connector...
> <Connector executor="tomcatThreadPool"
>            address="M.Y.I.P" port="443"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            SSLEnabled="true" scheme="https" secure="true"
>            keystoreFile="./conf/keystore.jks" keystorePass="MYPASS"
>            keyAlias="MYALIAS"
>            clientAuth="false"
>            compression="on" compressionMinSize="2048"
> compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
>            useServerCipherSuitesOrder="true" (etc)

5. Personally, I do not recommend enabling compression for dynamic
data on HTTPS connectors
https://en.wikipedia.org/wiki/BREACH

One possible solution is to precompress static files and let
DefaultServlet serve them. See "precompressed" option at
http://tomcat.apache.org/tomcat-8.5-doc/default-servlet.html

Best regards,
Konstantin Kolinko
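As an added illustration of point 5 (this is not part of Konstantin's message or of the Tomcat project's own configuration): the original poster's Connector with the compression attributes removed, next to the matching DefaultServlet `precompressed` setting so that static files can still be served compressed. The keystore path, password and alias are the placeholders used in the thread; whether `precompressed` accepts `true` or an explicit encoding list on a given 8.5.x build should be checked against the linked DefaultServlet docs.

```xml
<!-- conf/server.xml: the HTTPS connector from the thread, with
     compression="on", compressionMinSize and compressableMimeType removed.
     compression="off" is Tomcat's default; it is written out here so the
     decision is visible in the config. Keystore values are placeholders. -->
<Connector executor="tomcatThreadPool"
           address="M.Y.I.P" port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="./conf/keystore.jks" keystorePass="MYPASS"
           keyAlias="MYALIAS"
           clientAuth="false"
           compression="off"
           useServerCipherSuitesOrder="true" />

<!-- conf/web.xml (or a webapp's WEB-INF/web.xml): DefaultServlet serves a
     pre-built app.css.gz (or .br) that sits next to app.css when the
     client's Accept-Encoding allows it. Static files do not embed request
     data, so compressing them does not give a BREACH-style oracle the way
     compressing dynamic responses does. "true" is assumed to enable the
     default encoding/extension mapping; see the DefaultServlet docs. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>precompressed</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
```

For the debug trace from point 1, put `-Djavax.net.debug=ssl` into `CATALINA_OPTS` in `bin/setenv.sh`; JSSE writes that trace to standard output rather than through java.util.logging, so with the stock startup scripts it ends up in `catalina.out` and no `logging.properties` handler is involved.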

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

