仅在具有Java的Tomcat 8+上启用日志记录SSL握手失败(审核目的日志)
当REST客户端尝试连接到我的应用程序时,如果SSL握手失败,我需要记录。该应用程序使用Spring Boot和Java 8构建并部署在Tomcat 8上。
I need to log if a SSL handshake fails while a REST client tries to connect to my application. The application is build using Spring Boot and Java 8 and deployed on Tomcat 8.
在SSL握手失败的情况下,由于TLS连接中断,因此日志记录要求可能会必须在Tomcat层或Java中完成,因为Tomcat在我的情况下使用底层JVM进行SSL证书验证。
In the scenario of SSL handshake failing, since the TLS connection is broken, the logging requirement might have to be done in the Tomcat layer or Java, since Tomcat is using underlying JVM for SSL certificate validation in my case.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" keystoreFile="keyStore-1.jks" keystorePass="password" keystoreType="jks" truststoreFile="TrustStore.jks" truststorePass="passwrd" truststoreType="jks" clientAuth="want" sslProtocol="TLSv1.2" />
我知道启用调试级别日志记录。
I am aware of enabling the debug level logging.
-Djavax.net.debug = ssl
-Djavax.net.debug=ssl
但是这记录了很多信息并且会减慢这个过程。并记录成功的SSL条件。有没有办法单独使用Java或Tomcat级别的最小日志启用故障案例。
But this logs a lot of information and will slow down the process. And log the success SSL valdiations also. Is there a way to enable the failure cases alone with minimum logs either at Java or Tomcat level.
我不是从调试的角度看这个,因为SSL调试日志非常好。
此要求更多来自日志记录和审计目的,并且启用调试日志不是一个可行的选项。仅记录SSL发生的错误而不是所有十六进制/证书数据的机制。
I am NOT looking this from a debugging perspective, as the SSL debug logs are very good for that. This requirement is more from a logging and auditing purpose and enabling the debug logs is not a feasible option.A mechanism that logs only the errors happening SSL and not all the hex/cert data.
不幸的是,这是不可能的。它与Tomcat无关。
记录SSL不是应用程序中标准日志记录的一部分。
您可以尝试使用以下选项减少输出:
Unfortunately, it is not possible likely. And it is not related to Tomcat. Logging of SSL it is not part of standard logging in your application. You could try reduce output with following option:
-Djava.net.debug=handshake
其他一些人:
- 记录 - 打印每个SSL记录的跟踪(在SSL协议级别)。
- 握手 - 打印收到的每个握手消息
- keygen - 打印密钥交换的密钥生成数据。
- 会话 - 打印SSL会话活动。
- defaultctx - 打印默认的SSL初始化信息。
- sslctx - 打印有关SSL上下文的信息。
- sessioncache - 打印有关SSL会话缓存的信息。
- keymanager - 打印有关密钥管理器调用的信息。
- trustmanager - 打印有关对信任管理器的调用的信息。
- 数据 - 用于握手跟踪,打印出每条消息的十六进制转储。
- 详细 - 对于握手追踪,打印出详细信息。
- plaintext - 对于记录跟踪,打印出记录的十六进制转储。
- record - Print a trace of each SSL record (at the SSL protocol level).
- handshake - Print each handshake message as it is received
- keygen - Print key generation data for the secret key exchange.
- session - Print SSL session activity.
- defaultctx - Print the default SSL initialization information.
- sslctx - Print information about the SSL context.
- sessioncache - Print information about the SSL session cache.
- keymanager - Print information about calls to the key manager.
- trustmanager - Print information about calls to the trust manager.
- data - For handshake tracing, print out a hex dump of each message.
- verbose - For handshake tracing, print out verbose information.
- plaintext - For record tracing, print out a hex dump of the record.
参见 docs 。
如果你确实需要这个并且性能对你的应用至关重要,你可以使用 SSLSocket (在你可以阅读有关握手过程的文档中)与 ASM / Btrace / etc并检查其内部的握手状态。但在这种情况下你不会有调试信息 - 只有真/假。
If you really need this and performance is critical for your application, you could instrument SSLSocket (in docs you could read about handshake process) with ASM/Btrace /etc and check the state of handshake inside it. But in that case you wouldn't have debug information - only true/false.
另见 Tomcat docs ,包含所有可用设置。在那里你可以读到 JSSEImplementation 类,用于Tomcat。它是JSSE的包装。
See also Tomcat docs with all available settings. There you can read that there is JSSEImplementation class, which is used in Tomcat. And it is wrapper for JSSE.