Chapter 13: Using SSL
The whole difference between construction and creation is exactly this: that a thing constructed can only be loved after it is constructed; but a thing created is loved before it exists.
—CHARLES DICKENS
Logback supports the use of the Secure Sockets Layer (SSL) when delivering log events from a socket-based appender to a remote receiver. When using an SSL-enabled appender and corresponding receiver, serialized logging events are delivered over a secure channel.
SSL and Component Roles
Logback components such as appenders and receivers may act in either the server role or the client role, with respect to network connection initiation. When acting in the server role, a logback component passively listens for connections from remote client components. Conversely, a component acting in the client role initiates a connection to remote server component. For example, an appender acting in the client role connects to a receiver acting in the server role. Or a receiver acting in the client role connects to an appender acting in the server role.
The roles of the components are generally determined by the
component type. For example, an SSLServerSocketAppender
is an appender component that acts in the server role, while an
SSLSocketAppender is an appender component that acts
in the client role. Thus the developer or application administrator
can configure Logback components to support the desired direction
of network connection initiation.
The direction of connection initiation is significant in the context of SSL, because in SSL a server component must possess an X.509 credential to identify itself to connecting clients. A client component, when connecting to the server, uses the server's certificate to validate that the server is trusted. The developer or application administrator must be aware of the roles of Logback components, so as to properly configure the server's key store (containing the server's X.509 credential) and the client's trust store (containing self-signed root certificates used when validating server trust).
When SSL is configured for mutual authentication, then both the server component and the client component must possess valid X.509 credentials whose trust can be asserted by their respective peer. Mutual authentication is configured in the server component, therefore the developer or application administrator must be aware of which components are acting in the server role.
In this chapter, we use the term server component or simply server to refer to a Logback component such as an appender or receiver that is acting in the server role. We use the term client component or simply client to refer to a component that is acting in the client role.
SSL and X.509 Certificates
In order to use SSL-enabled Logback components, you will need an X.509 credential (a private key, corresponding certificate, and CA certification chain) to identify your components that act as SSL servers. If you wish to use mutual authentication, you will also need credentials for your components that act as SSL clients.
While you can use a credential issued by a commercial certification authority (CA), you can also use a certificate issued from your own internal CA or even a self-signed certificate. The following is all that is required:
- The server component must be configured with a key store containing the server's private key, corresponding certificate, and CA certification chain (if not using a self-signed certificate).
- The client component must be configured with a trust store containing trusted root CA certificate(s) or the server's self-signed root certificate.
Configuring Logback Components for SSL
The Java Secure Sockets Extension (JSSE) and Java Cryptography Architecture (JCA) which is used to implement Logback's SSL support has many configurable options, and a pluggable provider framework that allows the built-in SSL and cryptographic capabilities of the platform to be replaced or augmented. SSL-enabled Logback components provide the ability to fully specify all of the configurable aspects of the SSL engine and cryptographic providers, to meet your unique security needs.
Basic SSL Configuration using JSSE System Properties
Fortunately, nearly all of the configurable SSL properties for SSL-enabled Logback components have reasonable defaults. In most cases all that is needed is the configuration of some JSSE system properties.
The remainder of this section describes the specific JSSE properties that are needed in most environments. See Customizing JSSE in the JSSE Reference Guide for more information on setting JSSE system properties to customize JSSE.
If you're using any of Logback's SSL-enabled appender or receiver
components that act in the server role (e.g.
SSLServerSocketReceiver,
SSLServerSocketAppender,
or SimpleSSLSocketServer) you'll need to configure
JSSE system properties that provide the location, type, and
password of the key store containing a private key and
certificate.
System Properties for Server Key Store Configuration
| Property Name | Description |
|---|---|
javax.net.ssl.keyStore |
Specifies a filesystem path to the file containing your server components' private key and certificate. |
javax.net.ssl.keyStoreType |
Specifies the key store type. If this property is not specified, the platform's default type (JKS) is assumed. |
javax.net.ssl.keyStorePassword |
Specifies the password needed to access the key store. |
See Examples below for examples of setting these system properties when starting an application that uses Logback's SSL-enabled server components.
If your server component is using a certificate that was signed by a commercial certification authority (CA), you probably don't need to provide any SSL configuration in your applications that use SSL-enabled client components. When using a commercially-signed certificate for your server component, simply setting the system key store properties for JVM that runs the server component is usually all that is needed.
If you are using either a self-signed server certificate or your server certificate was signed by a certification authority (CA) that is not among those whose root certificates are in the Java platform's default trust store (e.g. when your organization has its own internal certification authority), you will need to configure the JSSE system properties that provide the location, type, and password of the trust store containing your server's certificate or trusted root certificates for the certification authority (CA) that signed your server's certificate. These properties will need to be set in each application that utilizes an SSL-enabled client component.
System Properties for Client Trust Store Configuration
| Property Name | Description |
|---|---|
javax.net.ssl.trustStore |
Specifies a filesystem path to the file containing your server component's certificate or trusted root certificate(s) for the certification authority (CA) that signed the server certificate. |
javax.net.ssl.trustStoreType |
Specifies the trust store type. If this property is not specified, the platform's default type (JKS) is assumed. |
javax.net.ssl.trustStorePassword |
Specifies the password needed to access the trust store. |
See Examples below for examples of setting these system properties when starting an application that utilizes Logback's SSL-enabled client components.
Advanced SSL Configuration
In certain situations, the basic SSL configuration using
JSSE system properties is not adequate. For example, if you
are using the SSLServerSocketReceiver component in a web
application, you may wish to use a different credential to
identify your logging server for your remote logging clients
than the credential that your web server uses to identify
itself to web clients. You might wish to use SSL client
authentication on your logging server to ensure that only
authentic and authorized remote loggers can connect. Or perhaps
your organization has strict policies regarding the SSL
protocols and cipher suites that may be utilized on the
organization's network. For any of these needs, you will need
to make use of Logback's advanced configuration options for SSL.
When configuring a Logback component that supports SSL, you
specify the SSL configuration using the ssl
property in the configuration of the component.
For example, if you wish to use SSLServerSocketReceiver
and configure the key store properties for your logging
server's credential, you could use a configuration such as the
following.
<configuration>
<appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger - %msg%n</pattern>
</encoder>
</appender>
<root level="debug">
<appender-ref ref="CONSOLE" />
</root>
<receiver class="ch.qos.logback.classic.net.server.SSLServerSocketReceiver">
<ssl>
<keyStore>
<location>classpath:/logging-server-keystore.jks</location>
<password>changeit</password>
</keyStore>
</ssl>
</receiver>
</configuration>Requires a server call. Please wait a few seconds.
This configuration specifies the location of the key store
as logging-server-keystore.jks at the root of
the application's classpath. You could alternatively
specify a file: URL to identify the location of
the key store.
If you wanted to use SSLSocketAppender in your
application's Logback configuration, but did not want to change
the application's default trust store using the JSSE
javax.net.ssl.trustStore property, you could
configure the appender as follows.
<configuration>
<appender name="SOCKET" class="ch.qos.logback.classic.net.SSLSocketAppender">
<ssl>
<trustStore>
<location>classpath:/logging-server-truststore.jks</location>
<password>changeit</password>
</trustStore>
</ssl>
</appender>
<root level="debug">
<appender-ref ref="SOCKET" />
</root>
</configuration>Requires a server call. Please wait a few seconds.
This configuration specifies the location of the trust store
as logging-server-truststore.jks at the root of
the application's classpath. You could alternatively
specify a file: URL to identify the location of
the trust store.
SSL Configuration Properties
JSSE exposes a large number of configurable options, and
Logback's SSL support makes nearly all of them available for
you to specify in your SSL-enabled component configuration.
When using XML configuration, SSL properties are introduced to
these components by nesting an <ssl> element in the
component configuration. This configuration element corresponds
to the
SSLConfiguration class.
When configuring SSL for your components you need only configure those SSL properties for which the defaults are not adequate. Over-specifying the SSL configuration is often the cause of difficult-to-diagnose problems.
The following table describes the top-level SSL configuration properties. Many of these properties introduce additional subproperties, which are described in tables that follow after the top-level properties are described.
| Property Name | Type | Description |
|---|---|---|
| keyManagerFactory |
KeyManagerFactoryFactoryBean
|
Specifies the configuration used to create a
KeyManagerFactory. The Java platform's default
factory will be used if this property is not configured. See
Key Manager Factory
Configuration
below.
|
| keyStore |
KeyStoreFactoryBean
|
Specifies the configuration used to create a
When configuring an SSL client (e.g. When configuring an SSL server (e.g. See Key Store Configuration below. |
| parameters |
SSLParametersConfiguration |
Specifies various parameters used in SSL session negotiation. See SSL Parameters Configuration below. |
| protocol | String |
Specifies the SSL protocol that will be used to create an
SSLContext.
See the
Standard Names specification in the
JSSE Reference Guide. The Java platform's default protocol
will be used if this property is not configured.
|
| provider | String |
Specifies the name of the JSSE provider that will be used to
create an
SSLContext. The Java platform's default JSSE
provider will be used if this property is not configured.
|
| secureRandom |
SecureRandomFactoryBean
|
Specifies the configuration used to create a
SecureRandom — a secure random number
generator. The Java platform's default generator will be used
if this property is not configured. See
Secure Random Generator
Configuration below.
|
| trustManagerFactory |
TrustManagerFactoryFactoryBean
|
Specifies the configuration used to create a
TrustManagerFactory. The Java platform's default
factory will be used if this property is not configured. See
Trust Manager Factory
below.
|
| trustStore |
KeyStoreFactoryBean
|
Specifies the configuration used to create a
The trust store specified by this property overrides any trust
store specified by the JSSE's |
Key Store Configuration
The
KeyStoreFactoryBean specifies the
configuration needed to create a
KeyStore containing X.509 credentials. The properties
of this factory bean can be used in the
keyStore
and
trustStore
properties of the SSL Configuration.
| Property Name | Type | Description |
|---|---|---|
| location | String |
A URL that specifies the location of the key store. Use
a file: URL to specify the location of the
keystore on a filesystem. Use a classpath:
URL to specify a keystore than can be found on the classpath.
If the URL doesn't specify a scheme, classpath:
is assumed. |
| password | String |
Specifies the password needed to access the key store. |
| provider | String |
Specifies the name of the JCA provider that will be used to
create a KeyStore. The Java
platform's default key store provider will be used if this
property is not configured.
|
| type | String |
Specifies the KeyStore type.
See the
Standard Names specification in the
Java Cryptography Architecture specification. The Java
platform's default key store type will be used if this property
is not configured.
|
Key Manager Factory Configuration
The
KeyManagerFactoryFactoryBean specifies the
configuration needed to create a
KeyManagerFactory. Generally, it isn't necessary
to explicitly configure the key manager factory, as the platform's
default factory is adequate for most needs.
| Property Name | Type | Description |
|---|---|---|
| algorithm | String |
Specifies the KeyManagerFactory algorithm name.
See the
Standard Names specification in the
JSSE Reference Guide. The Java platform's default key
manager algorithm will be used if this property is not configured.
|
| provider | String |
Specifies the name of the JCA provider that will be used to
create a SecureRandom generator. The Java
platform's default JSSE provider will be used if this property
is not configured.
|
Secure Random Generator Configuration
The
SecureRandomFactoryBean specifies the
configuration needed to create a
SecureRandom generator. Generally, it isn't necessary
to explicitly configure the secure random generator, as the platform's
default generator is adequate for most needs.
| Property Name | Type | Description |
|---|---|---|
| algorithm | String |
Specifies the SecureRandom algorithm name.
See the
Standard Names specification in the
Java Cryptography Architecture specification. The Java
platform's default random number generation algorithm will be used
if this property is not configured.
|
| provider | String |
Specifies the name of the JCA provider that will be used to
create a SecureRandom generator. The Java
platform's default JSSE provider will be used if this property
is not configured.
|
SSL Parameters Configuration
The
SSLParametersConfiguration allows the customization
of allowed SSL protocols, cipher suites, and client authentication
options.
| Property Name | Type | Description |
|---|---|---|
| hostnameVerification | boolean |
Specifies whether the client verifies the server's credentials. By default, no verification is performed. |
| excludedCipherSuites | String |
Specifies a comma-separated list of SSL cipher suite names or patterns to disable during session negotiation. This property is used to filter the cipher suites supported by the SSL engine, such that any cipher suite matched by this property is disabled. Each field in the comma-separated list specified for this property may be a simple string or a regular expression. See the Standard Names specification in the JSSE Reference Guide for a list of cipher suite names. |
| includedCipherSuites | String |
Specifies a comma-separated list of SSL cipher suite names or patterns to enable during session negotiation. This property is used to filter the cipher suites supported by the SSL engine, such that only those cipher suites matched by this property are enabled. Each field in the comma-separated list specified for this property may be a simple string or a regular expression. See the Standard Names specification in the JSSE Reference Guide for a list of cipher suite names. |
| excludedProtocols | String |
Specifies a comma-separated list of SSL protocol names or patterns to disable during session negotiation. This property is used to filter the protocols supported by the SSL engine, such that any protocol matched by this property is disabled. Each field in the comma-separated list specified for this property may be a simple string or a regular expression. See the Standard Names specification in the JSSE Reference Guide for a list of protocol names. |
| includedProtocols | String |
Specifies a comma-separated list of SSL protocol names or patterns to enable during session negotiation. This property is used to filter the protocols supported by the SSL engine, such that only those protocols matched by this property are enabled. Each field in the comma-separated list specified for this property may be a simple string or a regular expression. See the Standard Names specification in the JSSE Reference Guide for a list of protocol names. |
| needClientAuth | boolean |
Set this property to the value true to
configure a server to require a valid client
certificate. This property is ignored when configured
for a client component such as SSLSocketAppender.
|
| wantClientAuth | boolean |
Set this property to the value true to
configure the server to request a client
certificate. This property is ignored when configured
for a client component such as SSLSocketAppender.
|
Trust Manager Factory Configuration
The
TrustManagerFactoryFactoryBean specifies the
configuration needed to create a
TrustManagerFactory. Generally, it isn't necessary
to explicitly configure the trust manager factory, as the platform's
default factory is adequate for most needs.
| Property Name | Type | Description |
|---|---|---|
| algorithm | String |
Specifies the TrustManagerFactory algorithm name.
See the
Standard Names specification in the
JSSE Reference Guide. The Java platform's default key
manager algorithm will be used if this property is not configured.
|
| provider | String |
Specifies the name of the JCA provider that will be used to
create a SecureRandom generator. The Java
platform's default JSSE provider will be used if this property
is not configured.
|
Examples
Using JSSE System Properties
JSSE system properties can be used to specify the location and password for a key store containing your server's X.509 credential, or to specify the location and password for a trust store containing self-signed root CA certificates used by your client components to validate server trust.
Specifying the Server's Key Store
When running a server component, you need to specify the location
and password for the key store containing the server's credential.
One way to do this is using JSSE system properties. The following
example shows a command line that could be used to start the
SimpleSSLSocketServer that is shipped with Logback.
java -DkeyStore=/etc/logback-server-keystore.jks \ -DkeyStorePassword=changeit -DkeyStoreType=JKS \ ch.qos.logback.net.SimpleSSLSocketServer 6000 /etc/logback-server-config.xml
Note that when using the JSSE keyStore system property, a path to the key store is specified. When specifying the location in logback.xml, a URL for the key store is specified.
While this example starts the standalone server application provided with Logback, the same system properties could be specified to start any application that uses an SSL-enabled Logback server component.
Specifying the Client's Trust Store
When using a client component, you need to specify the location
and password for a trust store containing root CA certificates used
for validating server trust. One way to do this is using JSSE
system properties. The following example shows a command line
that could be used to start an application named
com.example.MyLoggingApplication that uses one or
more of Logback's SSL-enabled client components.
java -DtrustStore=/etc/logback-client-truststore.jks \ -DtrustStorePassword=changeit -DtrustStoreType=JKS \ com.example.MyLoggingApplication
Note that when using the JSSE trustStore system property, a path to the key store is specified. When specifying the location in logback.xml, a URL for the trust store is specified.
Creating and Using a Self-Signed Server Component Credential
To generate a self-signed certificate, you can use the keytool utility that is shipped with the Java Runtime Environment (JRE). The instructions below walk through the process of creating a self-signed X.509 credential in a key store for your server component and creating a trust store for use with your client components.
Creating the server component credential:
The following command will generate the self-signed client credential in a file named server.keystore.
keytool -genkey -alias server -dname "CN=my-logging-server" \
-keyalg RSA -validity 365 -keystore server.keystore
Enter keystore password: <Enter password of your choosing>
Re-enter new password: <Re-enter same password>
Enter key password for <my-logging-server>
(RETURN if same as keystore password): <Press RETURN>
The name my-logging-server used in the dname may be any valid name of your choosing. You may wish to use the fully-qualified domain name of the server host. The validity argument specifies the number of calendar days from the present date until the credential expires.
In production settings, it is especially important to choose a strong password for the key store containing your server credential. This password protects the server's private key, preventing it from being used by an authorized party. Make note of the password, because you will need it in subsequent steps and when configuring your server.
Creating a trust store for client components:
For use in the configuration of your client components, the server's certificate needs to be exported from the key store created in the previous step, and imported into a trust store. The following commands will export the certificate and import it into a trust store named server.truststore.
keytool -export -rfc -alias server -keystore server.keystore \
-file server.crt
Enter keystore password: <Enter password you chose for in previous step>
keytool -import -alias server -file server.crt -keystore server.truststore
Enter keystore password: <Enter password of your choosing>
Re-enter new password: <Re-enter same password>
Owner: CN=my-logging-server
Issuer: CN=my-logging-server
Serial number: 6e7eea40
Valid from: Sun Mar 31 07:57:29 EDT 2013 until: Mon Mar 31 07:57:29 EDT 2014
...
Trust this certificate? [no]: <Enter "yes">
The first command exports the server's certificate (but not the server's private key) from the key store and into a file named server.crt. The second step creates a new trust store named server.truststore containing the server certificate.
In production settings, it is especially important to choose a strong password for the trust store that is different from the password you chose of the server key store. Make note of this password, because you will need it when configuring your appender clients.
Configuring the server component:
You will need to copy the server.keystore file into your
server application's configuration. The key store can be placed
with your application's classpath resources, or it may simply be
placed somewhere on the server host's filesystem. When specifying
the location of the key store in the configuration, you will use
either a classpath: URL or file: URL, as
appropriate. An example server configuration follows:
Example: Server Component Configuration
<configuration debug="true">
<appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger - %msg%n</pattern>
</encoder>
</appender>
<root level="DEBUG">
<appender-ref ref="CONSOLE" />
</root>
<server class="ch.qos.logback.classic.net.server.SSLServerSocketReceiver">
<ssl>
<keyStore>
<location>classpath:server.keystore</location>
<password>${server.keystore.password}</password>
</keyStore>
</ssl>
</server>
</configuration>This example assumes that the key store is located at the root of the application's classpath.
Note that this configuration specifies the key store password using the server.keystore.password substitution variable. This approach would allow you to avoid storing the password in any configuration file. For example, your application could prompt for this password on the console at startup, and then set the server.keystore.password as a system property using the entered password before configuring the logging system.
Configuring client components:
You will need to copy the server.truststore file into
the application configuration of each application that uses an
SSL-enabled component acting in the client mode. The trust store
can be placed with your application's classpath resources, or it
may simply be placed somewhere on the filesystem. When specifying
the location of the trust store in the configuration, you will use
either a classpath: URL or file: URL, as
appropriate. A example appender client configuration follows:
Example: Appender Client Configuration
<configuration debug="true">
<appender name="SOCKET" class="ch.qos.logback.classic.net.SSLSocketAppender">
<remoteHost>${host}</remoteHost>
<ssl>
<trustStore>
<location>classpath:server.truststore</location>
<password>${server.truststore.password}</password>
</trustStore>
</ssl>
</appender>
<root level="DEBUG">
<appender-ref ref="SOCKET" />
</root>
</configuration>This example assumes that the trust store is located at the root of the application's classpath.
Note that this configuration specifies the trust store password using the server.truststore.password substitution variable. This approach would allow you to avoid storing the password in any configuration file. For example, your application could prompt for this password on the console at startup, and then set the server.truststore.password as a system property using the entered password before configuring the logging system.
Auditing the SSL Configuration
In settings where secure communications are required, it is often
necessary to audit the configuration of components that use SSL to
validate conformance with local security policies. The SSL
support in Logback addresses this need by providing detailed
logging of SSL configuration when Logback is initialized. You can
enable audit logging using the debug property in the
configuration:
<configuration debug="true">
...
</configuration>With the debug property enabled, all of the relevant aspects of the resulting SSL configuration will be logged when the logging system is initialized. A representative example of the information logged for SSL follows.
Example: SSL Configuration Audit Logging
06:46:31,941 |-INFO in SSLServerSocketReceiver@4ef18d37 - SSL protocol 'SSL' provider 'SunJSSE version 1.6' 06:46:31,967 |-INFO in SSLServerSocketReceiver@4ef18d37 - key store of type 'JKS' provider 'SUN version 1.6': file:src/main/java/chapters/appenders/socket/ssl/keystore.jks 06:46:31,967 |-INFO in SSLServerSocketReceiver@4ef18d37 - key manager algorithm 'SunX509' provider 'SunJSSE version 1.6' 06:46:31,973 |-INFO in SSLServerSocketReceiver@4ef18d37 - secure random algorithm 'SHA1PRNG' provider 'SUN version 1.6' 06:46:32,755 |-INFO in SSLParametersConfiguration@4a6f19d5 - enabled protocol: SSLv2Hello 06:46:32,755 |-INFO in SSLParametersConfiguration@4a6f19d5 - enabled protocol: SSLv3 06:46:32,755 |-INFO in SSLParametersConfiguration@4a6f19d5 - enabled protocol: TLSv1 06:46:32,756 |-INFO in SSLParametersConfiguration@4a6f19d5 - enabled cipher suite: SSL_RSA_WITH_RC4_128_MD5 06:46:32,756 |-INFO in SSLParametersConfiguration@4a6f19d5 - enabled cipher suite: SSL_RSA_WITH_RC4_128_SHA 06:46:32,756 |-INFO in SSLParametersConfiguration@4a6f19d5 - enabled cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
The output shown here has been truncated for brevity's sake, but would typically include the complete list of protocols, providers, algorithms, and cipher suites, as well as the location of key store and trust store resources utilized in the configuration.
While none of this audit logging is particularly sensitive,
best practices for security would suggest that this logging should
not remain enabled in production settings after the configuration
has been validated. Audit logging is disabled when the
debug property is removed or set to false.
Resolving SSL Exceptions
When SSL is misconfigured, it generally results in the client and server components being unable to negotiate an agreeable session. This problem usually manifests itself as exceptions being thrown by both parties when the client attempts to connect to the server.
The content of the exception messages varies depending on whether you are looking at the client's log or the server's log. This is mostly due to inherent protocol limitations in error reporting during session negotiation. As a consequence of this fact, in order to troubleshoot session negotiation problems, you will usually want to look at the logs of both the client and the server.
Server's Certificate is Not Available
When starting the server component, you see the following exception in the log:
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled
In most cases this means that you have not configured the location of the key store containing the server's private key and corresponding certificate.
Solution
Using either the Key Store system properties or the keyStore property of the server component's ssl property, you must specify the location and password for the key store containing the server's private key and certificate.
Client Does Not Trust the Server
When the client attempts to connect to the server, you see the following exception in the log:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed
This problem is the result of the server presenting a certificate the client does not trust. The most common cause is that you are using a self-signed server certificate (or a server certificate that was signed by your organization's internal certification authority) and you have not configured the client so that it references a trust store containing the server's self-signed certificate (or the trusted root certificate(s) for the CA that signed your server certificate).
This problem can also occur if your server certificate has expired or has been revoked. If you have access to the server log you will likely see the following exception logged each time the client attempts to connect:
javax.net.ssl.SSLHandshakeException: Received fatal alert: ...
The remainder of the exception message will usually provide a code that indicates why the client rejected the server's certificate.
| Code | Description |
|---|---|
certificate_unknown |
Usually indicates that the client's trust store has not been properly configured. |
certificate_expired |
Indicates that the server's certificate has expired and needs to be replaced. |
certificate_revoked |
Indicates that the issuing certification authority (CA) has revoked the server's certificate and the certificate needs to be replaced. |
Solutions
If the server's log message is reporting certificate_unknown
then using either the Trust Store system
properties or the
trustStore property of the
appender component's ssl property,
you must specify the location and password for the trust
store containing the server's self-signed certificate or
the issuing certificate authority's root certificate.
If the server's log message is reporting
certificate_expired or certificate_revoked
the server needs a new certificate. The new certificate
and associated private key needs to be placed in the key store
specified in the server's configuration. And, if using
a self-signed server certificate, the server's certificate also
needs to be placed in the trust store specified in the appender
client's configuration.
Server Does Not Trust the Client
NOTE: This problem can occur only if you have explicitly configured the server to request a client certificate (using either the needClientAuth or wantClientAuth property).
When the client attempts to connect to the logging server, you see the following exception in the client's log:
javax.net.ssl.SSLHandshakeException: Received fatal alert: ...
The remainder of the exception message will usually provide a code that indicates why the server rejected the client's certificate.
| Code | Description |
|---|---|
certificate_unknown |
Usually indicates that the server's trust store has not been properly configured. |
certificate_expired |
Indicates that the client's certificate has expired and needs to be replaced. |
certificate_revoked |
Indicates that the issuing certification authority (CA) has revoked the client's certificate and the certificate needs to be replaced. |
Solutions
If the client's log message is reporting bad_certificate
then using either the Trust Store system
properties or the
trustStore property of the
server component's ssl property,
you must specify the location and password for the trust
store containing the client's self-signed certificate or
the issuing certificate authority's root certificate.
If the server's log message is reporting
certificate_expired or certificate_revoked
the client needs a new certificate. The new certificate
and associated private key needs to be placed in the key store
specified in the client's configuration. And, if using
a self-signed client certificate, the client's certificate also
needs to be placed in the trust store specified in the
servers's configuration.
Client and Server Cannot Agree on a Protocol
NOTE: This problem usually occurs only when you are explicitly excluding or including SSL protocols in your configuration.
When the client attempts to connect to the server, you see the following exception in the log:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
The server's log message is usually more descriptive. For example:
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
Generally, this means that you have excluded a protocol from one of the peers and not the other.
Solution
Check the values specified for the excludedProtocols and includedProtocols properties on both the server and client.
Client and Server Cannot Agree on a Cipher Suite
NOTE: This problem usually occurs only when you are explicitly excluding or including SSL cipher suites in your configuration.
When the client attempts to connect to the server, you see the following exception in the log:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
The server's log message is usually more descriptive:
javax.net.ssl.SSLHandshakeException: no cipher suites in common
This means that you have configured the cipher suites on the server and client such that the intersection of their respective sets of enabled cipher suites is empty.
Solution
Check the values specified for the excludedCipherSuites and includedCipherSuites properties on both the server and client.