Manish,

On 2/2/20 11:20 PM, Palod, Manish wrote:
> Thanks Chris for considering this for a future release.
>
> In future, will the fix be ported into Tomcat 7 also?

Let's see if anyone wants to implement this in trunk, first. If you want to prepare some patches/PRs, it's much more likely to go the way you hope.

-chris

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Saturday, February 1, 2020 9:54 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol
>
> Manish,
>
> On 1/31/20 8:01 PM, Palod, Manish wrote:
>> I will look forward to a future release with enhanced info about the connection.
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=64110
>
> Patches are always welcome.
>
> -chris
>
>> -----Original Message-----
>> From: Christopher Schultz <ch...@christopherschultz.net>
>> Sent: Saturday, February 1, 2020 12:03 AM
>> To: users@tomcat.apache.org
>> Subject: Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol
>>
>> Manish,
>>
>> On 1/30/20 3:12 AM, Palod, Manish wrote:
>>> Thanks Mark and Chris for providing the info.
>>>
>>>> IIRC, we are parsing a little of the initial handshake packet for a few things. Would it be possible to snatch the protocol version from there and report it in the log file?
>>>
>>> Manish> Is this available in some log file today
>>
>> No.
>>
>>> or will this be added in some future release?
>>
>> I was asking about the feasibility of adding it in the future. Mark knows the code very well and is in a good position to comment. The data should be available, but we might need to do some work to get it into the right place so it makes it into the access log itself (since there is no actual "request" in this case).
>>
>>>> The cipher suite of course is never going to exist because there was no overlap between the client and the server, but the protocol always has a single value for a handshake attempt.
>>>
>>> Manish> What happens in case the connection is TLSv1.2 but with an unsupported cipher? Will this information show up?
>>
>> Theoretically, you could get a report of "TLSv1.2" for the protocol, but the cipher suite would say "-" (or similar).
>>
>>> Our requirement is to audit all the connections to the server [successful and failed both] and, in case of failure, the reason for failure.
>>
>> You will never truly be able to know the reason for every failure. That requirement is impossible to meet.
>>
>> -chris
>>
>>> -----Original Message-----
>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>> Sent: Wednesday, January 29, 2020 9:32 PM
>>> To: users@tomcat.apache.org
>>> Subject: Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol
>>>
>>> Mark,
>>>
>>> On 1/29/20 7:56 AM, Mark Thomas wrote:
>>>> On 29/01/2020 12:40, Palod, Manish wrote:
>>>>> Hi All,
>>>>>
>>>>> I am using Tomcat 7 and on our server we support connections only with "TLSv1.2" and the cipher "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256".
>>>>>
>>>>> The following is the AccessLogValve pattern:
>>>>>
>>>>> "%{E M/d/y @ hh:mm:ss.S a z}t %a (%{X-Forwarded-For}i) > %A:%p "%r" %{requestBodyLength}r %D %s %B %I "%{Referer}i" "%{User-Agent}i" %u %{username}s %{sessionTracker}s with TLS protocol %{org.apache.tomcat.util.net.secure_protocol_version}r and Cipher %{javax.servlet.request.cipher_suite}r"
>>>>>
>>>>> and we are able to see the following logs for a successful connection:
>>>>>
>>>>> Wed 1/29/2020 @ 04:19:46.6 PM IST <Source-IP> (-) > <Server-IP>:443 "GET /favicon.ico HTTP/1.1" - 1 404 66, "https://xx.xx.xx.xx/ /html/popCheck.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36" - - - with TLS protocol TLSv1.2 and Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>>>
>>>>> But when a request is made with e.g. SSLv3, TLSv1 or unsupported ciphers, the server rejects the request but no audit message appears in the access logs.
>>>>>
>>>>> How can I get details about these requests with unsupported ciphers and unsupported SSL protocols?
>>>>
>>>> From Tomcat, you can't.
>>>>
>>>> If you upgrade to 8.5.x onwards you will get a 400 in the access logs. You won't get the protocol or cipher information since that requires a successful TLS connection before it is populated.
>>>
>>> IIRC, we are parsing a little of the initial handshake packet for a few things. Would it be possible to snatch the protocol version from there and report it in the log file? The cipher suite of course is never going to exist because there was no overlap between the client and the server, but the protocol always has a single value for a handshake attempt.
>>>
>>> -chris
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
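The thread's technical point is that a rejected handshake still carries the client's offered protocol (it is in the ClientHello, the "initial handshake packet" Mark mentions) while a cipher can only be reported when the client and server share one. The following is an added example, not code from Tomcat or from anyone in the thread: it parses a ClientHello and produces the two audit fields the thread asks for, applying the server policy Manish describes (TLSv1.2 only, one cipher). Version and cipher-suite code points and the supported_versions extension number are taken from the TLS RFCs and the IANA registry, not from the thread; the sample ClientHellos are constructed for the example, not captured traffic; the GREASE filtering is an assumption about what a real parser would need.

```python
"""Recover the protocol and cipher information a failed TLS handshake still carries.

Added example, not Tomcat code. It parses the ClientHello that opens every handshake
and produces audit fields in the shape of the thread's access log suffix.
"""
import struct

# Version code points (assumed from the TLS RFCs, not from the thread)
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
# Cipher suite code points from the IANA registry; only the first appears in the thread
CIPHER_NAMES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}
# The server policy described in the thread: one protocol, one cipher
SERVER_PROTOCOLS = {"TLSv1.2"}
SERVER_CIPHERS = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}

SUPPORTED_VERSIONS_EXT = 43  # extension type number from RFC 8446


def is_grease(code: int) -> bool:
    """RFC 8701 GREASE values (0x0A0A, 0x1A1A, ...) are noise, not real offers."""
    return (code & 0x0F0F) == 0x0A0A and (code >> 8) == (code & 0xFF)


def parse_client_hello(data: bytes) -> dict:
    """Walk the record header, the handshake header and the ClientHello body."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 0
    client_version = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2 + 32                       # legacy_version, then 32 random bytes
    pos += 1 + hello[pos]               # session id (length-prefixed)
    cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]               # compression methods (length-prefixed)
    supported_versions = []
    if pos + 2 <= len(hello):           # the extensions block is optional
        ext_len = struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack(">HH", hello[pos:pos + 4])
            pos += 4
            ext_data = hello[pos:pos + ext_size]
            pos += ext_size
            if ext_type == SUPPORTED_VERSIONS_EXT:   # TLS 1.3 clients list versions here
                n = ext_data[0]
                supported_versions = [struct.unpack(">H", ext_data[i:i + 2])[0]
                                      for i in range(1, 1 + n, 2)]
    return {"client_version": client_version, "suites": suites,
            "supported_versions": supported_versions}


def audit(data: bytes) -> dict:
    """Produce access-log-style fields for a handshake attempt, successful or not."""
    h = parse_client_hello(data)
    offered = [v for v in (h["supported_versions"] or [h["client_version"]]) if not is_grease(v)]
    common = [v for v in offered if VERSION_NAMES.get(v) in SERVER_PROTOCOLS]
    # On failure the client's highest offer is still known; on success report the chosen one
    chosen = max(common) if common else max(offered)
    protocol = VERSION_NAMES.get(chosen, f"0x{chosen:04x}")
    cipher = next((CIPHER_NAMES[s] for s in h["suites"]
                   if not is_grease(s) and CIPHER_NAMES.get(s) in SERVER_CIPHERS), "-")
    if not common:
        status = "rejected (unsupported protocol)"
    elif cipher == "-":
        status = "rejected (no common cipher)"
    else:
        status = "accepted"
    line = f"{status} with TLS protocol {protocol} and Cipher {cipher}"
    return {"status": status, "protocol": protocol, "cipher": cipher, "line": line}


def build_client_hello(version: int, suites: list, supported_versions: tuple = ()) -> bytes:
    """Construct a minimal ClientHello for testing (constructed input, not a captured packet)."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                        # one compression method: null
    ext = b""
    if supported_versions:
        sv = bytes([2 * len(supported_versions)]) + b"".join(struct.pack(">H", v) for v in supported_versions)
        ext += struct.pack(">HH", SUPPORTED_VERSIONS_EXT, len(sv)) + sv
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">H", 0x0301) + struct.pack(">H", len(handshake)) + handshake


if __name__ == "__main__":
    samples = (build_client_hello(0x0301, [0xC02F]),                                # TLSv1 client
               build_client_hello(0x0303, [0x002F]),                                # TLSv1.2, wrong cipher
               build_client_hello(0x0303, [0x0A0A, 0xC02F], (0x0A0A, 0x0304, 0x0303)))  # TLS 1.3-capable
    for hello in samples:
        print(audit(hello)["line"])
```

The second sample reproduces the case Chris describes: the protocol field reads "TLSv1.2" while the cipher field is "-". The first shows that even a client the server will refuse outright leaves its protocol version in the record, which is the field Mark suggested could be surfaced in the access log.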