I'm running an application (web service) in tomcat with TLS enabled (with certificates both for the client and the server).

I want that my application will be able to send audit message (logging) when TLS handshake fails. For example I want to log when:

  • the client certificate is expired,
  • the client certificate is unknown (not in the server trust store)
  • any other handshake failure

Is there any event that I can catch and handle in order to do that ?

– Yonatan

My application is web service based and is running in tomcat. Tomcat is handling all network and the TLS layers, and the application does not aware of that.

As I don't open any socket myself, where should I catch this Exception ?

– Yonatan

2 Answers

Community On

Since I spent the past week debugging Tomcat's SSL configuration, I am pretty sure catching javax.net.ssl.SSLHandshakeException in your code and logging it should take care of all three of those errors.

When you instantiate a new webservice connection in your application, that is when the exception will occur.

user207421 On

I'm not aware of anything you can add to Tomcat.

Put an Apache HTTPD in front and use a separate, configured, SSL log.