PKI 10.4 SSL Audit Design
This page describes the SSL/TLS audit functionality in PKI 10.4.
Currently if an SSL socket is terminated NSS does not provide information about the cause of the termination (i.e. error code) to the application using NSS. This information is necessary to generate the proper audit log in PKI.
The solution is to generate the proper error code in NSS and pass it to JSS, TomcatJSS, and eventually PKI such that it can be used to generate the proper audit log.
Below are the required changes.
The NSS library needs to be enhanced to support callback functions for alerts received and sent by SSL socket such that the SSL error code can be passed on to the SSL socket listener in JSS.
This is documented in NSS SSL Alert Callback.
The JSS library needs to be enhanced to support SSL socket listener using the SSL alert callback provided by NSS. This allows TomcatJSS to register a listener and obtain the SSL error code for all SSL server sockets created by TomcatJSS.
This is documented in JSS SSL Socket Listener.
TomcatJSS needs to be enhanced to support server socket listener using JSS socket listener. This allows PKI server to register a listener and obtain the SSL error code for all server sockets created by the server.
This is documented in TomcatJSS Socket Listener.
PKI Server Enhancements
PKI server needs to register a server socket listener to TomcatJSS and generate the audit logs for all SSL/TLS sessions using the SSL error code provided by NSS.
Since SSL/TLS sessions represent connections to the entire PKI server, not a particular PKI subsystem, ideally there should be only one audit log file for the entire server. However, due to resource constraints to simplify the implementation initially each PKI subsystem will have its own TomcatJSS event listener which will log the session events in the subsystem’s audit log. This means that if a PKI server has multiple subsystems, the events will be logged multiple times, which could affect the performance. In the future the implementation may be improved to generate only one audit log file.
In general the audit log should follow this format:
If the session failed to establish, the following log should be generated:
[AuditEvent=ACCESS_SESSION_ESTABLISH_FAILURE][ClientIP=*][ServerIP=*][AttemptedID=<client cert subje ct DN>][Outcome=][Info=<reason>]
If the session was established successfully, the following log should be generated:
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=*][SubjectID=<client cert subject DN>][Server IP=*][Outcome=][Info=]
When the established session is terminated, the following log should be generated:
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=*][ServerIP=*][SubjectID=<client cert subject DN>][O utcome=][Info=<reason>]
This is documented in PKI Server Audit Log.
PKI Client Enhancements
In order to validate PKI server enhancements, the PKI client needs to support various SSL configuration including ciphers and SSL/TLS version ranges.
This is documented in PKI Environment Variables.