I'm running an application (web service) in tomcat with TLS enabled (with certificates both for the client and the server).

I want that my application will be able to send audit message (logging) when TLS handshake fails. For example I want to log when:

  • the client certificate is expired,
  • the client certificate is unknown (not in the server trust store)
  • any other handshake failure

Is there any event that I can catch and handle in order to do that ?

– Yonatan


My application is web service based and is running in tomcat. Tomcat is handling all network and the TLS layers, and the application does not aware of that.

As I don't open any socket myself, where should I catch this Exception ?

– Yonatan

2 Answers

-1
Community On

Since I spent the past week debugging Tomcat's SSL configuration, I am pretty sure catching javax.net.ssl.SSLHandshakeException in your code and logging it should take care of all three of those errors.

When you instantiate a new webservice connection in your application, that is when the exception will occur.

0
user207421 On

I'm not aware of anything you can add to Tomcat.

Put an Apache HTTPD in front and use a separate, configured, SSL log.