问题
I'm running an application (web service) in tomcat with TLS enabled (with certificates both for the client and the server).
I want that my application will be able to send audit message (logging) when TLS handshake fails. For example I want to log when:
- the client certificate is expired,
- the client certificate is unknown (not in the server trust store)
- any other handshake failure
Is there any event that I can catch and handle in order to do that?
My application is web service based and is running in tomcat. Tomcat is handling all network and the TLS layers, and the application does not aware of that.
As I don't open any socket myself, where should I catch this Exception?
回答1:
I'm not aware of anything you can add to Tomcat.
Put an Apache HTTPD in front and use a separate, configured, SSL log.
回答2:
Since I spent the past week debugging Tomcat's SSL configuration, I am pretty sure catching javax.net.ssl.SSLHandshakeException in your code and logging it should take care of all three of those errors.
When you instantiate a new webservice connection in your application, that is when the exception will occur.
来源:https://stackoverflow.com/questions/266606/is-it-possible-to-do-a-tls-handshake-event-in-tomcat