Enable Logging SSL handshake failure(Audit purpose logs) only on Tomcat 8+ with Java

Question

I need to log if a SSL handshake fails while a REST client tries to connect to my application. The application is build using Spring Boot and Java 8 and deployed on Tomcat 8.

Answer 1

I had same issue many times and i cracked it as following way. i had my project setup in intelliJ.

1. set Debug level of the VM option : -Djavax.net.debug=all (Edit Configurations->VM Options) save and apply.
2. Run project(App) in debug mode and check the calls between server and client. you will find there will be additional CertificateRequest call from the server to client in console as below for instance.

*** CertificateRequest Cert Types: RSA, DSS, ECDSA Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, Unknown (hash:0x4, signature:0x2), SHA256withECDSA, SHA224withRSA, Unknown (hash:0x3, signature:0x2), SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA Cert Authorities:

CN=Symantec Public Class 3, O=Symantec Corporation, C=US

CN=Symantec Class 3 Manage, OU=Symantec Trusted Network, O=Symantec, C=US

[read] MD5 and SHA1 hashes: len = 302

3. If you can see certificate request with "CN" as above that means you are missing these certs in cacert keystore.

Solution : add missing certs (for our example two certs CN=Symantec Public Class 3 and CN=Symantec Class 3 Manage).

we have to understand the calls between server and client by the SSL Protocol, please check the following link to get more information how server and client communicate.

https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallProbs

I will give youtube video demo if someone have issue.

I hope this solution will help someone.

Thank You.