Christopher,

No, I don't need to log THAT failure. But I do need to log handshake failures 
where the failure to connect was a server-side decision. So (apparently) I do 
need to log cases like a handshake failure in case both sides couldn't agree on 
a cipher, as detailed in my question. As much as I'd like to declare handshake 
failures "not my problem", it doesn't help us sell to governments that require 
this case to be logged. And it's not as if it's technically impossible, as 
clearly it can be reported by setting javax.net.debug=ssl:handshake. But I want 
to log just the failure, and not the fire-hose amount of information this gives 
me for every successful handshake.

    Mark
________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, July 30, 2019 8:13 AM
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: Re: Can Tomcat log handshake failures, and where?


Mark,

On 7/29/19 17:45, Mark Boon wrote:
> Apparently for compliance reasons we're required to log any failed
> connection attempt. So I'd like to know if and how I can get
> Tomcat to emit such information.
I'd try to get some clarification on that requirement. For example, if
a client tries to connect and they have a network error on their end
(e.g. ISP fails), are you somehow required to log THAT failure?

TLS handshake failures should fall under the category of "not my
problem" and you really shouldn't have to log them.

-chris
