This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push: new 95aa22e6dc Provide a dedicated logger for TLS handshake failures 95aa22e6dc is described below commit 95aa22e6dc493fbac81e2ac94896fde40463e492 Author: Mark Thomas <ma...@apache.org> AuthorDate: Mon Jun 13 17:07:23 2022 +0100 Provide a dedicated logger for TLS handshake failures --- java/org/apache/tomcat/util/net/LocalStrings.properties | 3 +-- java/org/apache/tomcat/util/net/LocalStrings_fr.properties | 1 - java/org/apache/tomcat/util/net/LocalStrings_ja.properties | 1 - java/org/apache/tomcat/util/net/LocalStrings_ko.properties | 1 - java/org/apache/tomcat/util/net/LocalStrings_zh_CN.properties | 1 - java/org/apache/tomcat/util/net/Nio2Endpoint.java | 6 ++++-- java/org/apache/tomcat/util/net/NioEndpoint.java | 6 ++++-- java/org/apache/tomcat/util/net/SecureNio2Channel.java | 4 +--- java/org/apache/tomcat/util/net/SecureNioChannel.java | 4 +--- webapps/docs/changelog.xml | 9 +++++++++ webapps/docs/ssl-howto.xml | 5 +++++ 11 files changed, 25 insertions(+), 16 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties b/java/org/apache/tomcat/util/net/LocalStrings.properties
index 77add9f56f..18a006139b 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -41,7 +41,6 @@ channel.nio.ssl.unexpectedStatusDuringUnwrap=Unexpected status [{0}] during hand
 channel.nio.ssl.unexpectedStatusDuringWrap=Unexpected status [{0}] during handshake WRAP.
 channel.nio.ssl.unwrapFail=Unable to unwrap data, invalid status [{0}]
 channel.nio.ssl.unwrapFailResize=Unable to unwrap data because buffer is too small, invalid status [{0}]
-channel.nio.ssl.wrapException=Handshake failed during wrap
 channel.nio.ssl.wrapFail=Unable to wrap data, invalid status [{0}]
 endpoint.accept.fail=Socket accept failed
@@ -83,7 +82,7 @@ endpoint.err.accept=Failed to accept socket for end point [{0}]
 endpoint.err.attach=Failed to attach SSLContext to socket - error [{0}]
 endpoint.err.close=Caught exception trying to close socket
 endpoint.err.duplicateAccept=Duplicate socket accept detected. This is a known Linux kernel bug. The original connection has been processed normally and the duplicate has been ignored. The client should be unaffected. Updating the OS to a version that uses kernel 5.10 or later should fix the duplicate accept bug.
-endpoint.err.handshake=Handshake failed
+endpoint.err.handshake=Handshake failed for client connection from IP address [{0}] and port [{1}]
 endpoint.err.unexpected=Unexpected error processing socket
 endpoint.executor.fail=Executor rejected socket [{0}] for processing
 endpoint.getAttribute=[{0}] is [{1}]
diff --git a/java/org/apache/tomcat/util/net/LocalStrings_fr.properties b/java/org/apache/tomcat/util/net/LocalStrings_fr.properties
index 0a638eef41..b259f21dea 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings_fr.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings_fr.properties
@@ -41,7 +41,6 @@ channel.nio.ssl.unexpectedStatusDuringUnwrap=Statut inattendu [{0}] lors de l''U
 channel.nio.ssl.unexpectedStatusDuringWrap=Statut inattendu [{0}] lors du WRAP de la négociation
 channel.nio.ssl.unwrapFail=Incapable de désenrober les données ("unwrap data"), statut invalide [{0}]
 channel.nio.ssl.unwrapFailResize=Impossible de faire l''unwrap des données parce que le tampon est trop petit, statut invalide [{0}]
-channel.nio.ssl.wrapException=La négociation a échouée pendant le wrap
 channel.nio.ssl.wrapFail=Impossible d''enrober (wrap) les données, le status est invalide [{0}]
 endpoint.accept.fail=Aucun socket n'a pu être accepté
diff --git a/java/org/apache/tomcat/util/net/LocalStrings_ja.properties b/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
index 6d8d1e1f67..a6e74bd6fc 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
@@ -41,7 +41,6 @@ channel.nio.ssl.unexpectedStatusDuringUnwrap=UNWRAPハンドシェイク中に
 channel.nio.ssl.unexpectedStatusDuringWrap=ハンドシェイクWRAP中に予期しないステータス [{0}] が発生しました。
 channel.nio.ssl.unwrapFail=データをアンラップできません、無効なステータス [{0}]
 channel.nio.ssl.unwrapFailResize=バッファが小さすぎるためデータをアンラップできません。無効なステータス [{0}]
-channel.nio.ssl.wrapException=ラップ中にハンドシェイクに失敗しました
 channel.nio.ssl.wrapFail=データをラップできません。無効なステータス [{0}]
 endpoint.accept.fail=ソケット受け付け失敗
diff --git a/java/org/apache/tomcat/util/net/LocalStrings_ko.properties b/java/org/apache/tomcat/util/net/LocalStrings_ko.properties
index 20e6856310..098943a92a 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings_ko.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings_ko.properties
@@ -41,7 +41,6 @@ channel.nio.ssl.unexpectedStatusDuringUnwrap=Handshake UNWRAP 처리 중 예기
 channel.nio.ssl.unexpectedStatusDuringWrap=WRAP을 위해 handshake 수행 중 예기치 않은 상태 [{0}]입니다.
 channel.nio.ssl.unwrapFail=데이터를 unwrap할 수 없습니다. 유효하지 상태: [{0}]
 channel.nio.ssl.unwrapFailResize=버퍼가 너무 작아서 데이터를 unwrap할 수 없습니다. 유효하지 않은 상태 [{0}]
-channel.nio.ssl.wrapException=Wrap하는 중 handshake가 실패했습니다.
 channel.nio.ssl.wrapFail=데이터를 wrap할 수 없습니다. 유효하지 않은 상태 [{0}]
 endpoint.accept.fail=소켓 accept 실패
diff --git a/java/org/apache/tomcat/util/net/LocalStrings_zh_CN.properties b/java/org/apache/tomcat/util/net/LocalStrings_zh_CN.properties
index 73d1618384..1ce998f16d 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings_zh_CN.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings_zh_CN.properties
@@ -41,7 +41,6 @@ channel.nio.ssl.unexpectedStatusDuringUnwrap=握手展开期间出现意外状
 channel.nio.ssl.unexpectedStatusDuringWrap=握手WRAP期间出现意外状态[{0}]。
 channel.nio.ssl.unwrapFail=无法解包数据,无效状态 [{0}]
 channel.nio.ssl.unwrapFailResize=由于缓冲区太小无法解包数据,无效状态 [{0}]
-channel.nio.ssl.wrapException=包装期间握手失败
 channel.nio.ssl.wrapFail=无法包装数据,状态无效[{0}]
 endpoint.accept.fail=套接字接受失败
diff --git a/java/org/apache/tomcat/util/net/Nio2Endpoint.java b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
index b82dae29d7..e453fc67e0 100644
--- a/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+++ b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
@@ -59,6 +59,7 @@ public class Nio2Endpoint extends AbstractJsseEndpoint<Nio2Channel,AsynchronousS
 private static final Log log = LogFactory.getLog(Nio2Endpoint.class);
+ private static final Log logHandshake = LogFactory.getLog(Nio2Endpoint.class.getName() + ".handshake");
 // ----------------------------------------------------------------- Fields
@@ -1695,8 +1696,9 @@ public class Nio2Endpoint extends AbstractJsseEndpoint<Nio2Channel,AsynchronousS
 }
 } catch (IOException x) {
 handshake = -1;
- if (log.isDebugEnabled()) {
- log.debug(sm.getString("endpoint.err.handshake"), x);
+ if (logHandshake.isDebugEnabled()) {
+ logHandshake.debug(sm.getString("endpoint.err.handshake",
+ socketWrapper.getRemoteAddr(), Integer.toString(socketWrapper.getRemotePort())), x);
 }
 }
 if (handshake == 0) {
diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
index 70a1778338..2c4cde8bc9 100644
--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
+++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
@@ -75,6 +75,7 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel,SocketChannel>
 private static final Log log = LogFactory.getLog(NioEndpoint.class);
+ private static final Log logHandshake = LogFactory.getLog(NioEndpoint.class.getName() + ".handshake");
 public static final int OP_REGISTER = 0x100; //register interest op
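Review bot: The new `logHandshake` field in Nio2Endpoint is created under the name `org.apache.tomcat.util.net.Nio2Endpoint.handshake`, while the NioEndpoint hunk on the same line uses `org.apache.tomcat.util.net.NioEndpoint.handshake`, and neither field carries a comment saying that this name is the one an operator has to enable; the ssl-howto snippet later in this commit shows only the NioEndpoint logger, so a NIO2 connector produces nothing with that configuration. I would put above each field `// Dedicated logger for TLS handshake failures; enable it with <this class name>.handshake.level=FINE in logging.properties` so the per-endpoint name is visible at the point of definition. In the two handshake-failure hunks the port is passed through `Integer.toString(...)`, presumably to keep the message formatter from applying digit grouping to the port number; a one-line comment there, `// pass the port as text so the formatter does not group its digits`, would save the next reader the question. The methods containing the handshake-failure hunks start and end outside the hunks.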
@@ -1676,8 +1677,9 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel,SocketChannel>
 }
 } catch (IOException x) {
 handshake = -1;
- if (log.isDebugEnabled()) {
- log.debug(sm.getString("endpoint.err.handshake"),x);
+ if (logHandshake.isDebugEnabled()) {
+ logHandshake.debug(sm.getString("endpoint.err.handshake",
+ socketWrapper.getRemoteAddr(), Integer.toString(socketWrapper.getRemotePort())), x);
 }
 } catch (CancelledKeyException ckx) {
 handshake = -1;
diff --git a/java/org/apache/tomcat/util/net/SecureNio2Channel.java b/java/org/apache/tomcat/util/net/SecureNio2Channel.java
index 7eeee7bb86..c83e7559fc 100644
--- a/java/org/apache/tomcat/util/net/SecureNio2Channel.java
+++ b/java/org/apache/tomcat/util/net/SecureNio2Channel.java
@@ -283,10 +283,8 @@ public class SecureNio2Channel extends Nio2Channel {
 try {
 handshake = handshakeWrap();
 } catch (SSLException e) {
- if (log.isDebugEnabled()) {
- log.debug(sm.getString("channel.nio.ssl.wrapException"), e);
- }
 handshake = handshakeWrap();
+ throw e;
 }
 if (handshake.getStatus() == Status.OK) {
 if (handshakeStatus == HandshakeStatus.NEED_TASK) {
diff --git a/java/org/apache/tomcat/util/net/SecureNioChannel.java b/java/org/apache/tomcat/util/net/SecureNioChannel.java
index 9ba6e297fc..ef2ba19945 100644
--- a/java/org/apache/tomcat/util/net/SecureNioChannel.java
+++ b/java/org/apache/tomcat/util/net/SecureNioChannel.java
@@ -189,10 +189,8 @@ public class SecureNioChannel extends NioChannel {
 try {
 handshake = handshakeWrap(write);
 } catch (SSLException e) {
- if (log.isDebugEnabled()) {
- log.debug(sm.getString("channel.nio.ssl.wrapException"), e);
- }
 handshake = handshakeWrap(write);
+ throw e;
 }
 if (handshake.getStatus() == Status.OK) {
 if (handshakeStatus == HandshakeStatus.NEED_TASK) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 352b0afbc3..d563715ed7 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
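Review bot: In the SSLException handler of SecureNioChannel, the retried `handshakeWrap(write)` that precedes the new `throw e;` can itself throw, and when it does the original exception `e` is discarded and the rethrow is never reached; the SecureNio2Channel hunk on this line has the same shape. Now that the endpoints depend on that exception reaching their catch block to log the failing client's address, the original cause is the one that should propagate, with a failure of the retry attached as a suppressed exception. The retry itself is undocumented; it looks like it exists to write whatever the engine still has pending to the peer before the failure is reported — confirm — and that deserves a comment, since it otherwise reads as an accidental duplicate call. Both handshake methods start and end outside their hunks.
```java
} catch (SSLException e) {
    // Attempt the wrap once more so that anything the engine still has
    // pending for the peer (presumably an alert — confirm) is written
    // before the failure is reported to the caller.
    try {
        handshake = handshakeWrap(write);
    } catch (SSLException retryFailure) {
        // Keep the original cause as the exception the caller sees.
        e.addSuppressed(retryFailure);
    }
    throw e;
}
// … unchanged: status handling …
```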
@@ -105,6 +105,15 @@ issues do not "pop up" wrt. others). --> <section name="Tomcat 8.5.82 (schultz)" rtext="in development"> + <subsection name="Coyote"> + <changelog> + <add> + Provide a dedicated logger + (<code>org.apache.tomcat.util.net.NioEndpoint.handshake</code>) for TLS + handshake failures. (markt) + </add> + </changelog> + </subsection> <subsection name="Other"> <changelog> <update> diff --git a/webapps/docs/ssl-howto.xml b/webapps/docs/ssl-howto.xml index 62bef32a85..dd357d9e53 100644 --- a/webapps/docs/ssl-howto.xml +++ b/webapps/docs/ssl-howto.xml @@ -565,6 +565,11 @@ for more information about installation of APR. A basic OCSP-enabled connector <section name="Troubleshooting"> +<p>Additional information may be obtained about TLS handshake failures by +configuring the dedicated TLS handshake logger to log debug level messages by +adding the following to <code>$CATALINA_BASE/conf/logging.properties</code>:</p> +<source>org.apache.tomcat.util.net.NioEndpoint.handshake.level=FINE</source> + <p>Here is a list of common problems that you may encounter when setting up SSL communications, and what to do about them.</p> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org