We're using Tomcat 8.5 + Java 8.

When I do something like openssl s_client -cipher ECDHE-RSA-NULL-SHA  -connect 
(where obviously ECDHE-RSA-NULL-SHA is not specified in my cipher list on the 
Tomcat server) the message on the client side is

140701349295768:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert 
handshake failure:s23_clnt.c:769:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 139 bytes
New, (NONE), Cipher is (NONE)

But I don't see anything logged by Tomcat on the server side. Not to stdout, 
not to catalina,out or any other log file we have.
Apparently for compliance reasons we're required to log any failed connection 
attempt. So I'd like to know if and how I can get Tomcat to emit such 
I can pass in -Djavax.net.debug=ssl:handshake but that seems rather overkill. 
The output for failed handshakes is OK, but for successful handshakes it's 

I would actually have expected something to be logged in the access log we have 
specified in the AccessLogValve specification in server.xml. But it seems that 
only reports access events after a successful SSL handshake has taken place.

Does anyone know any other method?

Thanks, in advance.

    Mark Boon

Reply via email to