On 29/07/2019 22:45, Mark Boon wrote:
> We're using Tomcat 8.5 + Java 8.
>
> When I do something like openssl s_client -cipher ECDHE-RSA-NULL-SHA
> -connect <my-tomcat-ip>:443
> (where obviously ECDHE-RSA-NULL-SHA is not specified in my cipher list on the
> Tomcat server) the message on the client side is
>
> 140701349295768:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert handshake failure:s23_clnt.c:769:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 139 bytes
> ---
> New, (NONE), Cipher is (NONE)
>
> But I don't see anything logged by Tomcat on the server side. Not to stdout,
> not to catalina.out or any other log file we have.

Debug level logging for the appropriate endpoint should log the exception
associated with a handshake failure. There is going to be a lot of other
logging though. Enabling debug logging for an Endpoint may have a
performance impact.

> Apparently for compliance reasons we're required to log any failed connection
> attempt. So I'd like to know if and how I can get Tomcat to emit such
> information.
> I can pass in -Djavax.net.debug=ssl:handshake but that seems rather overkill.
> The output for failed handshakes is OK, but for successful handshakes it's
> enormous.
>
> I would actually have expected something to be logged in the access log we
> have specified in the AccessLogValve specification in server.xml. But it
> seems that only reports access events after a successful SSL handshake has
> taken place.

Generally, processing needs to get as far as presenting a request line before
something is added to the access logs. We could look at expanding the access
logging to include connections that are dropped earlier but that might be a
sufficiently invasive change that it needs to wait until Tomcat 10.

Mark

> Does anyone know any other method?
>
> Thanks in advance.
>
> Mark Boon

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
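As an added illustration of the "debug level logging for the appropriate endpoint" suggestion above (this is not configuration from the thread or from the Tomcat project itself), the following conf/logging.properties fragment turns on FINE (Tomcat's "debug") logging for the NIO endpoint only and routes it to its own file so the handshake exceptions are kept apart from the rest of catalina.out. It assumes the connector is the default NIO one, so the logger is the endpoint class name org.apache.tomcat.util.net.NioEndpoint (a Nio2 or APR connector would use its own endpoint class instead), and the handler name prefix "5tls." is an arbitrary label chosen here.

```properties
# Added example, not part of the original thread. Assumes the default NIO
# connector in Tomcat 8.5; swap the logger name for Nio2Endpoint or
# AprEndpoint if a different connector is configured.

# Add the new handler to the existing handlers list in conf/logging.properties
# (the names below the first line are an example; keep your existing ones).
handlers = 1catalina.org.apache.juli.AsyncFileHandler, \
           2localhost.org.apache.juli.AsyncFileHandler, \
           5tls.org.apache.juli.AsyncFileHandler, \
           java.util.logging.ConsoleHandler

# Dedicated file for endpoint debug output: logs/tls-handshake.YYYY-MM-DD.log
5tls.org.apache.juli.AsyncFileHandler.level = FINE
5tls.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
5tls.org.apache.juli.AsyncFileHandler.prefix = tls-handshake.

# Only the endpoint logger is lowered to FINE; everything else keeps the
# default level, which limits the extra volume and the performance cost.
org.apache.tomcat.util.net.NioEndpoint.level = FINE
org.apache.tomcat.util.net.NioEndpoint.handlers = 5tls.org.apache.juli.AsyncFileHandler
# Do not also copy these records into catalina.out via the parent handlers.
org.apache.tomcat.util.net.NioEndpoint.useParentHandlers = false
```

After a restart, repeating the openssl s_client test with a cipher the connector does not offer should produce a record in logs/tls-handshake.*.log carrying the handshake exception, while a successful TLS connection adds nothing to the access log until a request line is read, exactly as described in the reply. Because FINE on the endpoint also records other socket-level events, the file will grow faster than the access log; keeping it on a separate handler makes that volume easy to rotate or ship to a SIEM without touching the main logs.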