Re: Logging TLS Session Failures

2017-03-10 Thread Durga Srinivasu Karuturi
Thanks, will explore JSSE options.

On Thu, Mar 9, 2017 at 7:18 PM, Jammy Chen wrote:
> If you are using JSSE, which you mentioned in an earlier post, you probably can only enable debug for all or specially one (-Djavax.net.debug=ssl:record or -Djavax.net.debug=ssl:handshake) -

Re: Logging TLS Session Failures

2017-03-09 Thread Christopher Schultz
Durga,

On 3/9/17 3:34 AM, Durga Srinivasu Karuturi wrote:
> This is one of the requirements from FIPS/CC certification.

Can you provide a reference for this requirement?

-chris

> On Wed, Mar 8, 2017 at 11:03 PM, Christopher Schultz <

Re: Logging TLS Session Failures

2017-03-09 Thread Jammy Chen
If you are using JSSE, which you mentioned in an earlier post, you probably can only enable debug for all or specially one (-Djavax.net.debug=ssl:record or -Djavax.net.debug=ssl:handshake), but it will log all sessions.

You could try to register a customized SSL socket factory in JSSE; you may extend

Re: Logging TLS Session Failures

2017-03-09 Thread Durga Srinivasu Karuturi
Our application, meaning on a RHEL machine within a JVM with embedded Tomcat (with a single web-app).

Okay, Tomcat may not have this information on handshake failures. I need to look at a little higher level for capturing these failures. Thanks for the answers so far.

Thanks,
Durga Srinivasu

On Thu, Mar 9,

Re: Logging TLS Session Failures

2017-03-09 Thread tomcat
On 09.03.2017 09:34, Durga Srinivasu Karuturi wrote:
> This is one of the requirements from FIPS/CC certification.
> Thanks, Durga Srinivasu

Durga,

I believe that in your original post, you said: "We have a requirement in our application to log all TLS session failures." You should probably

Re: Logging TLS Session Failures

2017-03-09 Thread Durga Srinivasu Karuturi
This is one of the requirements from FIPS/CC certification.

Thanks,
Durga Srinivasu

On Wed, Mar 8, 2017 at 11:03 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Durga,
>
> On 3/8/17 10:02 AM, Durga Srinivasu Karuturi wrote:
>

Re: Logging TLS Session Failures

2017-03-08 Thread Christopher Schultz
Durga,

On 3/8/17 10:02 AM, Durga Srinivasu Karuturi wrote:
> We are using JSSE only, not APR. Looking for handshake failures.
>
> Yes, using JSSE SSL debug, we are able to get all handshake (-Djavax.net.debug=ssl:handshake) logs including

Re: Logging TLS Session Failures

2017-03-08 Thread Durga Srinivasu Karuturi
Chris,

We are using JSSE only, not APR. Looking for handshake failures.

Yes, using JSSE SSL debug, we are able to get all handshake (-Djavax.net.debug=ssl:handshake) logs, including success cases. These are still quite expensive logs and meant for debug purposes. As you said, it might impact

Re: Logging TLS Session Failures

2017-03-08 Thread Christopher Schultz
Durga,

On 3/8/17 9:29 AM, Durga Srinivasu Karuturi wrote:
> We have a requirement in our application to log all TLS session failures.

Specifically, what kind of failures? Failed handshakes? Initial or re-negotiation? Are you using JSSE or APR?

Logging TLS Session Failures

2017-03-08 Thread Durga Srinivasu Karuturi
Hi,

We have a requirement in our application to log all TLS session failures. We are using Tomcat 8.5.11 with JSSE for the SSL layer. Is there any way to configure Tomcat to log/trace any TLS failure on Tomcat sessions?

Thanks,
Durga Srinivasu