Christopher,

No, I don't need to log THAT failure. But I do need to log handshake failures where the failure to connect was a server-side decision. So (apparently) I do need to log cases like a handshake failure in case both sides couldn't agree on a cipher, as detailed in my question. As much as I'd like to declare handshake failures "not my problem", it doesn't help us sell to governments that require this case to be logged. And it's not as if it's technically impossible, as clearly it can be reported by setting javax.net.debug=ssl:handshake. But I want to log just the failure, and not the fire-hose amount of information this gives me for every successful handshake.

Mark

________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, July 30, 2019 8:13 AM
To: firstname.lastname@example.org <email@example.com>
Subject: Re: Can Tomcat log handshake failures, and where?

Mark,

On 7/29/19 17:45, Mark Boon wrote:
> Apparently for compliance reasons we're required to log any failed
> connection attempt. So I'd like to know if and how I can get
> Tomcat to emit such information.

I'd try to get some clarification on that requirement. For example, if a client tries to connect and they have a network error on their end (e.g. ISP fails), are you somehow required to log THAT failure?

TLS handshake failures should fall under the category of "not my problem" and you really shouldn't have to log them.

-chris