On 29/07/2019 22:45, Mark Boon wrote:
> We're using Tomcat 8.5 + Java 8.
> When I do something like openssl s_client -cipher ECDHE-RSA-NULL-SHA  
> -connect <my-tomcat-ip>:443
> (where obviously ECDHE-RSA-NULL-SHA is not specified in my cipher list on the 
> Tomcat server) the message on the client side is
> 140701349295768:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 
> alert handshake failure:s23_clnt.c:769:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 139 bytes
> ---
> New, (NONE), Cipher is (NONE)
> But I don't see anything logged by Tomcat on the server side. Not to stdout, 
> not to catalina,out or any other log file we have.

Debug level logging for the appropriate endpoint should log the
exception associated with a handshake failure. There is going to be a
lot of other logging though. Enabling debug logging for an Endpoint may
have a performance impact.

> Apparently for compliance reasons we're required to log any failed connection 
> attempt. So I'd like to know if and how I can get Tomcat to emit such 
> information.
> I can pass in -Djavax.net.debug=ssl:handshake but that seems rather overkill. 
> The output for failed handshakes is OK, but for successful handshakes it's 
> enormous.
> I would actually have expected something to be logged in the access log we 
> have specified in the AccessLogValve specification in server.xml. But it 
> seems that only reports access events after a successful SSL handshake has 
> taken place.

Generally, processing needs to get as far as presenting a request line
before something is added to the access logs. We could look at expanding
the access logging to include connections that are dropped earlier but
that might be a sufficiently invasive change that it needs to wait until
Tomcat 10.


> Does anyone know any other method?
> Thanks, in advance.
>     Mark Boon

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to