-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Thursday, February 9, 2023 3:24 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging
Hi Jon,
The current message looks like this:
09-Feb-2023 09:09:53.939 INFO [main]
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector
[https-
jsse-nio-8443], TLS virtual host [_default_], certificate type [RSA]
configured
from [conf/localhost-rsa.jks] using alias [tomcat] and with trust
store [null]
The intention is to make clear, for each configured server
certificate, which
configuration files are being used. The idea being that you can then
examine
the relevant files if there is an issue.
There is a balance to strike in terms of providing useful detail and
providing
too much detail in the default logs. Everything below feels like too
much
detail.
One option would be to switch this message to a dedicated logger and
then
provide more/all details if debug logging is enabled. Moving this to a
dedicated logger would allow debug logging to be enabled for that logger
without changing the logging for the entire endpoint.
Mark
On 08/02/2023 18:36, jonmcalexan...@wellsfargo.com.INVALID wrote:
Hi Mark,
As a follow-up, some of my compatriots are asking if we can get all
or some
of these details in the log as well? Wanted to ask early if possible.
• Subject
o Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells
Fargo,C=US
o Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US
o Ex: CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells
Fargo,C=US
• SAN (aka Subject Alternative Names)
o Ex: DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com
o Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com;
o Ex:
EMAIL:some.n...@wellsfargo.com;EMAIL:some.name....@wellsfargo.com
• Issuer
o Ex: CN=Wells Fargo Enterprise Certification Authority 05-2
G2,OU=Wells Fargo Certification Authorities,O=Wells Fargo,C=US
• ValidFrom (aka NotBefore)
o Ex: 2022-05-18T05:09:27Z
• ValidTo (aka NotAfter)
o Ex: 2024-05-17T05:09:27Z
• KeyUsage
o Ex: Digital Signature, Key Encipherment, Data Encipherment
• KeyUsageExtended
o Ex: Client Authentication (1.3.6.1.5.5.7.3.2), Server
Authentication
(1.3.6.1.5.5.7.3.1)
• SerialNumber
o Ex: 6a0006e41935f80460711c187000000006e419
• FingerprintSHA1 (aka Thumbprint)
o Ex: 679323d7dcc9307d8696a88e0f1a8d4069a412b6
• FingerprintSHA256
o Ex:
DC5044B2E6A173CB2B05CEE54AA5B185DD6D4A341DC36B3CCB0DC99782DD4
E41
• PublicKeyAlgo
o Ex: RSA
o Ex: ECDSA
• PublicKeySize
o Ex: 2048
o Ex: P-256
Thank you,
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information.
If you
are not the addressee or authorized to receive this for the
addressee, you
must not use, copy, disclose, or take any action based on this
message or any
information herein. If you have received this message in error,
please advise
the sender immediately by reply e-mail and delete this message. Thank
you
for your cooperation.
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Wednesday, February 8, 2023 10:37 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging
On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:
Hi Mark,
So, is this something that can/will be added in the future? I tested
my
thought of setting the java logging.properties to a specific file in
the command line but it didn't do what I had hoped.
Already added. Will be in the next round of releases.
Mark
Thanks,
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information.
If you
are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose, or take any action based
on this message or any information herein. If you have received this
message in error, please advise the sender immediately by reply
e-mail and delete this message. Thank you for your cooperation.
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Tuesday, January 10, 2023 8:23 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging
On 10/01/2023 13:52, Christopher Schultz wrote:
Jon,
On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
Yes Chris, It's just for during startup. For a particular
instance I would like to capture the Certificate Info and
Truststore being used and pipe that into a separate log/txt file.
So it sounds like just dumping-out the configured certificates,
etc.
to something like the debug log from Connector or SSLHostConfig or
similar would work?
Or would you want that information available to the application so
you can log it in some very specific way? Note that you can
already get the SSLHostConfig info via JMX if you are willing to
do that.
How about something like this:
10-Jan-2023 14:21:07.951 INFO [main]
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
[https-jsse-nio-8443], TLS virtual host [_default_], Certificate
type [RSA] configured from [conf/localhost-rsa.jks] using alias
[null] and with trust store [null]
?
Mark
-chris
Thanks,
Dream * Excel * Explore * Inspire Jon McAlexander Senior
Infrastructure Engineer Asst. Vice President He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged
information.
If you are not the addressee or authorized to receive this for
the addressee, you must not use, copy, disclose, or take any
action based on this message or any information herein. If you
have received this message in error, please advise the sender
immediately by reply e-mail and delete this message. Thank you
for
your cooperation.
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Monday, January 9, 2023 8:10 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging
Jon,
On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
Thanks for the info.
In a nutshell I think the certpath,provider would be sufficient.
I'm thinking that I can add this to the java options as
-Djava.security.debug=ssl:certpath,provider however I don't
know how to specify where to log the information.
java.security.debug is really a blunt instrument. It's
unfortunate that it's one of the only ways to get information
out of the TLS stack. It would have been great if Java had
started using its own logging system once it was introduced,
but no.
That debugging tool always dumps to stdout (or stderr?) and you
have very little control over where it goes.
You would never want to use it for ongoing logging. It truly is
for
debugging-
only.
The good news is that application code should be able to get the
information you are looking for.
Oh, wait...
[...] I'm checking to see if there is any out-of-the-box option
to capture in a log which SSL certificate and trust keystore is
being used during startup?
What do you mean "during startup"? I originally read that as
"for incoming connections" thinking that you wanted to log which
cert was used for a particular request. But it sounds like maybe
you are asking for something to just be logged one-time during
startup?
-chris
Thanks,
Dream * Excel * Explore * Inspire Jon McAlexander Senior
Infrastructure Engineer Asst. Vice President He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged
information.
If you
are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose, or take any action
based on this message or any information herein. If you have
received this message in error, please advise the sender
immediately by reply e-mail and delete this message. Thank you
for your cooperation.
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Friday, January 6, 2023 2:41 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging
Mark,
On 1/6/23 15:00, Mark Thomas wrote:
Hi Jon,
In a word, no. Sorry.
Some sort of info log message probably makes sense for this.
SNI makes things a little more complicated but we should be
able to do
something.
What is the minimum info you'd like to see?
How about adding a request attribute with some kind of
identifier (fpr?
serial-number?) in it and indicates at least which server-cert
was chosen.
Then it can trivially be added to e.g. access_log or even to
application code which wants to do custom logging.
-chris
On 06/01/2023 18:52,
jonmcalexan...@wellsfargo.com.INVALID
wrote:
Good afternoon and Happy New Year,
I know about the SSL debug logging, however, I'm checking to
see if there is any out-of-the-box option to capture in a
log which SSL certificate and trust keystore is being used
during
startup?
Thanks,
Dream * Excel * Explore * Inspire Jon McAlexander Senior
Infrastructure Engineer Asst. Vice President He/His
Middleware Product Engineering Enterprise CIO | EAS |
Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo.com>
This message may contain confidential and/or privileged
information.
If you are not the addressee or authorized to receive this
for the addressee, you must not use, copy, disclose, or take
any action based on this message or any information herein.
If you have received this message in error, please advise
the sender immediately by reply e-mail and delete this
message. Thank you for
your cooperation.
-------------------------------------------------------------
--
--
---
- To unsubscribe, e-mail: users-
unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-
h...@tomcat.apache.org
--------------------------------------------------------------
--
--
--- To unsubscribe, e-mail:
users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-
h...@tomcat.apache.org
---------------------------------------------------------------
--
--
-- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
----------------------------------------------------------------
--
--
- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-----------------------------------------------------------------
--
-- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
------------------------------------------------------------------
--
- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-------------------------------------------------------------------
-- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
--------------------------------------------------------------------
- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
