We're using Tomcat 8.5 + Java 8.

When I do something like openssl s_client -cipher ECDHE-RSA-NULL-SHA -connect <my-tomcat-ip>:443
(where obviously ECDHE-RSA-NULL-SHA is not specified in my cipher list on the Tomcat server) the message on the client side is

140701349295768:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 139 bytes
---
New, (NONE), Cipher is (NONE)

But I don't see anything logged by Tomcat on the server side. Not to stdout, 
not to catalina.out or any other log file we have.
Apparently for compliance reasons we're required to log any failed connection 
attempt. So I'd like to know if and how I can get Tomcat to emit such 
information.
I can pass in -Djavax.net.debug=ssl:handshake but that seems rather overkill. 
The output for failed handshakes is OK, but for successful handshakes it's 
enormous.

I would actually have expected something to be logged in the access log we have 
specified in the AccessLogValve specification in server.xml. But it seems that 
only reports access events after a successful SSL handshake has taken place.

Does anyone know any other method?

Thanks in advance.

    Mark Boon
