Problem...
Tomcat 8.5 -Djava.net.debug=ssl not logging

Porting a REST interface from Glassfish 4 to Tomcat 8.5; it works fine.
On Glassfish, -Djava.net.debug=ssl logs cipher suites to server.log.
On Tomcat 8.5, the Java debug setting doesn't produce any SSL output in the logs.

Why needed...
The older Glassfish server's SSL supports some weak ciphers.
When clients cut over to the Tomcat server, many failed to support the strict ciphers.
We need to log the failed clients' ciphers to support the clients' transition.

Comment...
Tomcat runs on production servers with correct SSL certs, no issues.
Docs say the -Djava.net.debug=all/ssl (etc.) flag should work.
In ps -ef (below) I see the debug setting passed to java, and it looks correct.
I think I'm missing something in logging.properties to get the debug
output captured and passed to the log, but I can't figure out what is missing.
Is there a specific handler for the Java debug output?

Versions...
Tomcat 8.5.11 (recently updated from 8.0.23)
uname -r... 3.10.0-514.10.2.el7.x86_64 (CentOS 7)
getenforce -> Permissive
java -version... java version "1.8.0_121" (Oracle flavor)

Original Connector...
<Connector executor="tomcatThreadPool"
           address="M.Y.I.P" port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="./conf/keystore.jks" keystorePass="MYPASS"
           keyAlias="MYALIAS"
           clientAuth="false"
           compression="on" compressionMinSize="2048"
           compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
           useServerCipherSuitesOrder="true" (etc)

Tried...
1. Put in setenv.sh... (shows after logging.properties)
JAVA_OPTS="$JAVA_OPTS -Djava.net.debug=ssl"; export JAVA_OPTS

# ps -ef|grep java
/usr/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-8.5.11/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Duser.timezone=US/Eastern -Xms128m -Xmx1024m -server -Doracle.jdbc.autoCommitSpecCompliant=false -Djava.net.debug=ssl -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -classpath /opt/apache-tomcat-8.5.11/bin/bootstrap.jar:/opt/apache-tomcat-8.5.11/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat-8.5.11 -Dcatalina.home=/opt/apache-tomcat-8.5.11 -Djava.io.tmpdir=/opt/apache-tomcat-8.5.11/temp org.apache.catalina.startup.Bootstrap start

2. Put in the start script... (shows before logging.properties)
LOGGING_CONFIG="-Djava.net.debug=ssl -Djava.util.logging.config.file=$CATALINA_BASE/conf/logging.properties"

# ps -ef|grep java
/usr/bin/java -Djava.net.debug=ssl -Djava.util.logging.config.file=/opt/apache-tomcat-8.5.11/conf/logging.properties -Djava.util.logging.manager=(etc...)

3. -Djava.net.debug=ssl both before AND after logging.config

4. server.xml...  (tried with and without)
      <Valve className="org.apache.catalina.valves.SSLValve" />

5. logging.properties - uncommented all properties, set to ALL (default file)

6. -Djava.net.debug=all - no difference

7. logging.properties - org.apache.catalina.session.level=ALL

8. Reworked all Connectors to 9.0 specs...
<Connector address="M.Y.I.P" port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           maxThreads="150" SSLEnabled="true"
           defaultSSLHostConfigName="MYHOSTNAME">
    <!-- In the 8.5/9.0 style the protocol and cipher settings are attributes
         of SSLHostConfig; the Certificate element only carries the keystore. -->
    <SSLHostConfig hostName="MYHOSTNAME"
                   honorCipherOrder="true"
                   protocols="+TLSv1 +TLSv1.1 +TLSv1.2"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                            (etc)...
                            TLS_EMPTY_RENEGOTIATION_INFO_SCSV">
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="MYPASS"
                     certificateKeyAlias="MYALIAS"
                     type="RSA" />
    </SSLHostConfig>
</Connector>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
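What the post ultimately needs is a list of the cipher suites that the rejected clients offered, so the transition can be managed per client rather than by re-opening weak ciphers globally. The following is an added example, not code from the post or from the Tomcat project: a small Python parser over a JDK 8 JSSE debug trace. It assumes the trace was produced with `-Djavax.net.debug=ssl` (the property name JDK 8's `sun.security.ssl` reads; its output goes to System.out, which the stock `catalina.sh start` redirects to `logs/catalina.out` rather than through `logging.properties`/JULI) and the line formats JDK 8 prints. The `SAMPLE_TRACE` excerpt and the `SERVER_CIPHERS` set are constructed for the example; the post's own cipher list is truncated, so the set is not the real connector configuration.

```python
import re
from collections import Counter

# Assumed cipher list of the hardened Tomcat 8.5 connector (the post's list
# is truncated, so this is an example set, not the real one).
SERVER_CIPHERS = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}

# Constructed excerpt of a JDK 8 javax.net.debug=ssl trace as it lands in
# catalina.out: one successful handshake and two clients rejected with
# "no cipher suites in common".
SAMPLE_TRACE = """\
http-nio-443-exec-1, READ: TLSv1.2 Handshake, length = 180
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1489000000 bytes = { 1, 2, 3 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
http-nio-443-exec-2, READ: TLSv1 Handshake, length = 96
*** ClientHello, TLSv1
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
***
http-nio-443-exec-2, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-nio-443-exec-2, SEND TLSv1 ALERT:  fatal, description = handshake_failure
http-nio-443-exec-3, READ: TLSv1 Handshake, length = 80
*** ClientHello, TLSv1
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA]
***
http-nio-443-exec-3, fatal error: 40: no cipher suites in common
"""

# JDK 8 sun.security.ssl line shapes (assumed format). The READ and fatal
# lines carry the worker thread name; the ClientHello dump does not.
READ_RE = re.compile(r"^(?P<thread>\S+), READ: \S+ Handshake, length = \d+$")
HELLO_RE = re.compile(r"^\*\*\* ClientHello, (?P<proto>\S+)$")
CIPHERS_RE = re.compile(r"^Cipher Suites: \[(?P<suites>.*)\]$")
OK_RE = re.compile(r"^%% Initialized:  \[Session-\d+, (?P<suite>\S+)\]$")
FATAL_RE = re.compile(r"^(?P<thread>\S+), fatal error: \d+: (?P<msg>.*)$")


def parse_handshakes(trace, server_ciphers=SERVER_CIPHERS):
    """One dict per handshake: thread, client_version, offered ciphers, the
    subset the server also supports ("common"), and the outcome."""
    results, pending, current = [], {}, None
    for line in trace.splitlines():
        if m := READ_RE.match(line):
            current = m.group("thread")
            pending[current] = {"thread": current, "offered": [], "common": []}
        elif (m := HELLO_RE.match(line)) and current in pending:
            pending[current]["client_version"] = m.group("proto")
        elif (m := CIPHERS_RE.match(line)) and current in pending:
            offered = [c.strip() for c in m.group("suites").split(",") if c.strip()]
            pending[current]["offered"] = offered
            pending[current]["common"] = [c for c in offered if c in server_ciphers]
        elif (m := OK_RE.match(line)) and current in pending:
            # "%% Initialized" has no thread prefix: attribute it to the most
            # recently read ClientHello (exact only when traces do not interleave).
            rec = pending.pop(current)
            rec.update(outcome="ok", negotiated=m.group("suite"))
            results.append(rec)
        elif (m := FATAL_RE.match(line)) and m.group("thread") in pending:
            rec = pending.pop(m.group("thread"))
            rec.update(outcome="failed", reason=m.group("msg"))
            results.append(rec)
    return results


def unsupported_cipher_counts(handshakes, server_ciphers=SERVER_CIPHERS):
    """How often each server-unsupported cipher was offered by a failed client:
    the list to consult before deciding what, if anything, to re-enable."""
    counts = Counter()
    for h in handshakes:
        if h["outcome"] == "failed":
            counts.update(c for c in h["offered"] if c not in server_ciphers)
    return counts


if __name__ == "__main__":
    handshakes = parse_handshakes(SAMPLE_TRACE)
    for h in handshakes:
        if h["outcome"] == "failed":
            # A failed handshake that still had ciphers in common was rejected
            # for another reason (e.g. protocol version), not the cipher list.
            hint = "" if not h["common"] else "  (ciphers overlap: not a cipher failure)"
            print(f"{h['thread']} {h['client_version']} FAILED: {h['reason']}{hint}")
            print("   offered:", ", ".join(h["offered"]))
    print("unsupported ciphers most offered by failed clients:",
          unsupported_cipher_counts(handshakes).most_common(3))
```

Run it against a real `catalina.out` by replacing `SAMPLE_TRACE` with the file contents. Because the READ and fatal lines carry the worker thread name, failures are matched to the right ClientHello even when several threads interleave; only the thread-less `%% Initialized` line is attributed by position. The `common` field is the sanity check: a client that is rejected while offering a cipher the server does support was not rejected for its ciphers, so its entry should not drive a decision to weaken the `ciphers` attribute.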