I'm running an application (web service) in Tomcat with TLS enabled (with certificates for both the client and the server).

I want my application to be able to send an audit message (logging) when the TLS handshake fails. For example, I want to log when:

  • the client certificate is expired,
  • the client certificate is unknown (not in the server trust store),
  • any other handshake failure.

Is there any event that I can catch and handle in order to do that?

My application is web-service based and is running in Tomcat. Tomcat handles all of the network and TLS layers, and the application is not aware of that.

As I don't open any socket myself, where should I catch this exception?

Malekai
Yonatan Maman
  • Anything you managed to get on this? My requirement more or less matches yours and I am not finding a way out. I am using Tomcat 8 and Java 8. – Vishwa Sep 08 '17 at 11:05

2 Answers

I'm not aware of anything you can add to Tomcat.

Put an Apache httpd in front and use a separate, configured SSL log.

user207421
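A concrete configuration for the approach in this answer, added here as an example (it is not part of the original answer or of any Tomcat or httpd project documentation): an Apache httpd 2.4 virtual host terminating TLS with mandatory client-certificate authentication, writing handshake diagnostics to a dedicated error log and a per-request SSL audit log, and proxying the decrypted traffic to Tomcat. The hostname, certificate and log paths, and the Tomcat port are assumptions to be replaced for a real deployment.

```apache
# Added example, not from the original answer. Hostname, file paths and the
# Tomcat backend port are assumptions; mod_ssl and mod_proxy_http must be loaded.
Listen 443
<VirtualHost *:443>
    ServerName service.example.com

    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile    /etc/ssl/certs/service.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/service.example.com.key

    # Require a client certificate that chains to this CA. An expired or
    # unknown (untrusted) client certificate aborts the handshake here,
    # in httpd, before any request reaches Tomcat.
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem

    # A failed handshake never produces an HTTP request, so it shows up
    # only in the error log. Raise just mod_ssl's level so the verify
    # errors and handshake failures are recorded without flooding the
    # rest of the log.
    ErrorLog /var/log/httpd/ssl_error_log
    LogLevel warn ssl:info

    # Per-request SSL audit log for connections whose handshake succeeded:
    # protocol, cipher, verify result and client certificate subject.
    CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_VERIFY}x \"%{SSL_CLIENT_S_DN}x\" \"%r\" %>s %b"

    # Hand the decrypted request to Tomcat on the loopback interface.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Two points a practitioner should keep in mind with this layout. First, the three cases in the question (expired client certificate, client certificate not in the trust store, any other handshake failure) all end in the error log, not the request log, because the TLS session is torn down before an HTTP request exists; the audit trail for rejected clients therefore lives in httpd, and the application in Tomcat still never sees them. Second, Tomcat's own HTTPS connector should no longer be exposed once httpd terminates TLS; bind the backend to 127.0.0.1 (as above) or move to AJP so the plaintext hop does not leave the host.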
Since I spent the past week debugging Tomcat's SSL configuration, I am pretty sure catching javax.net.ssl.SSLHandshakeException in your code and logging it should take care of all three of those errors.

When you instantiate a new web service connection in your application, that is when the exception will occur.

Nix
  • My application is web-service based and is running in Tomcat. Tomcat is handling all the TLS issues, and the application is not aware of that. Where should I catch this exception? – Yonatan Maman Nov 05 '08 at 21:09
  • My application is the 'server side' (using Axis2); it does not initiate anything explicitly. – Yonatan Maman Nov 06 '08 at 22:08
  • Josh, I think you may be talking about catching the exception on the client side? Yonatan is asking about the server side. – Kevin Panko Nov 16 '09 at 23:16