Manu

Reputation: 1369

Custom Error when SSL handshake fails

I have a SpringBoot REST application deployed on Tomcat 8. I have configured SSL authentication for the APIs exposed.

PFB the configuration in Tomcat.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    keystoreFile="D:/sw/apache-tomcat-8.0.23/conf/jks/ServerKeystore.p12" keystorePass="password" keystoreType="PKCS12"
    truststoreFile="D:/sw/apache-tomcat-8.0.23/conf/jks/Keystore.p12" truststorePass="password12" truststoreType="PKCS12"
    clientAuth="true" sslProtocol="TLSv1.2" />

I want to throw a custom error message (maybe any configuration in Tomcat files) when an authorized client with wrong certificates or no certificates tries to hit the server. Presently I am getting an HTTP response code 0.

I have been trying to find this out a lot. Can this be done by any configuration in Tomcat? Is this the correct behaviour for SSL authentication failure?

Upvotes: 3

Views: 1061

Answers (2)

Steffen Ullrich

Reputation: 123461

If the SSL handshake fails, no custom error is possible, since there is neither a plain HTTP connection nor a valid HTTPS connection established to send this error. Thus the peer gets at most a TLS alert and will present the built-in error message for such a problem.

Upvotes: 0

schtever

Reputation: 3250

You will have to write your own implementation of the JSSE wrapper class used by Tomcat and configured using the sslImplementationName connector attribute. That wrapper will have to supply your custom version of a socket factory that does the logging you want. You might be able to get away with a minimal subclass that just does more logging, and just delegates everything to the Tomcat stock JSSE implementation.

Upvotes: 1
