Spring Boot: Create TLS metrics and logging

Summary

Moving TLS termination from Nginx into Spring Boot required metrics and logging for TLS handshake failures. Overriding the TrustManager returned by JSSEUtils.getTrustManagers() made it possible to capture handshake data, but enriching those logs with the client IP and hostname proved difficult, because the TrustManager has no access to that context.

Root Cause

The TrustManager operates at a low level in the SSL/TLS handshake process, lacking access to higher-level request details like client IP address and hostname.

Why This Happens in Real Systems

  • Layered Architecture: SSL/TLS handshake logic is decoupled from HTTP request handling in Spring Boot.
  • Security Boundaries: TrustManagers focus on certificate validation, not request metadata.

Real-World Impact

  • Incomplete Logging: Handshake failure logs lack critical context for troubleshooting.
  • Delayed Issue Resolution: Missing client IP and hostname hinders identifying problematic clients.

Example or Code (if necessary and relevant)

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

public class CustomTrustManager implements X509TrustManager {
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Metrics collection logic here. Only the presented chain and the auth type are
        // available at this point; there is no client IP or hostname to log.
        // Real certificate validation must still happen here (or in a delegate).
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Not exercised for inbound handshakes on the server side.
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}

Note: This code snippet demonstrates a basic TrustManager implementation for metrics collection. Enriching logs with client details requires a different approach.

How Senior Engineers Fix It

  • Leverage SSL Handshake Listeners: Implement a custom SSLHandshakeListener to capture handshake events and associate them with request details.
  • Use Spring Boot Filters: Create a filter that intercepts requests, stores client IP and hostname, and correlates them with handshake events using a unique identifier (e.g., SSL session ID).
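A delegating trust manager that records what the handshake layer can see (SNI name, session id) and emits a failure metric, as an added example that is not code from the original post. It assumes Java 17, Micrometer and SLF4J on the classpath; the class name, metric name and wiring are illustrative. Extending X509ExtendedTrustManager rather than X509TrustManager is what makes JSSE pass the SSLEngine in, and the session id it exposes is the key the filter described above can match against the servlet attribute javax.servlet.request.ssl_session_id.

```java
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;
import io.micrometer.core.instrument.Counter;
import io.micrometer.core.instrument.MeterRegistry;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class MeteredTrustManager extends X509ExtendedTrustManager { // illustrative name
    private static final Logger log = LoggerFactory.getLogger(MeteredTrustManager.class);
    private final X509ExtendedTrustManager delegate; // e.g. the JDK one from JSSEUtils.getTrustManagers()
    private final MeterRegistry registry;

    public MeteredTrustManager(X509ExtendedTrustManager delegate, MeterRegistry registry) {
        this.delegate = delegate;
        this.registry = registry;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        try {
            delegate.checkClientTrusted(chain, authType, engine);
        } catch (CertificateException e) {
            // The in-progress handshake session carries the SNI name the client sent and the session id
            // (may be empty under TLS 1.3); the id is what a servlet filter can later join IP/host against.
            String sni = "none", sessionId = "";
            if (engine.getHandshakeSession() instanceof ExtendedSSLSession ext) {
                for (SNIServerName n : ext.getRequestedServerNames()) {
                    if (n instanceof SNIHostName h) sni = h.getAsciiName();
                }
                sessionId = HexFormat.of().formatHex(ext.getId());
            }
            Counter.builder("tls.client.handshake.failures") // illustrative metric name
                    .tag("reason", e.getClass().getSimpleName()).register(registry).increment();
            log.warn("client cert rejected: subject={} sni={} sessionId={} cause={}",
                    chain.length > 0 ? chain[0].getSubjectX500Principal() : "?", sni, sessionId, e.getMessage());
            throw e; // the handshake still fails exactly as it did before
        }
    }
    // Remaining overloads delegate unchanged so validation behaviour is untouched.
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { delegate.checkClientTrusted(c, a, s); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkServerTrusted(c, a); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { delegate.checkServerTrusted(c, a, s); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { delegate.checkServerTrusted(c, a, e); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

In the Socket overload (blocking I/O) the peer address is available directly via the socket, so the same logging can include it without any correlation step.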

Why Juniors Miss It

  • Focus on Low-Level Details: Juniors often get stuck in the TrustManager implementation, overlooking higher-level request handling mechanisms.
  • Lack of System-Wide Perspective: Understanding the interaction between SSL/TLS and HTTP request processing is crucial for solving this problem.
