Hi Chris, I am trying to debug the source code to find out the place where I will have to make changes to receive cipher and protocol in case of failures Not too much success.
I have narrowed upto few potential classes [may be right direction] org/apache/tomcat/util/net/JIoEndpoint.java org/apache/tomcat/util/net/jsse/JSSESocketFactory.java org/apache/tomcat/util/threads/TaskThread.java if you can help me pointing out the classes where I will have to change the code, I will debug and work on them. Regards Manish -----Original Message----- From: Christopher Schultz <ch...@christopherschultz.net> Sent: Monday, February 3, 2020 7:32 PM To: users@tomcat.apache.org Subject: Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Manish, On 2/2/20 11:20 PM, Palod, Manish wrote: > Thanks Chris for considering this for future release. > > In future will the fix be ported into Tomcat 7 also? Let's see if anyone wants to implement this in trunk, first. If you want to prepare some patches/PRs, it's much more likely to go the way you hope. - -chris > -----Original Message----- From: Christopher Schultz > <ch...@christopherschultz.net> Sent: Saturday, February 1, 2020 > 9:54 PM To: users@tomcat.apache.org Subject: Re: Tomcat 7: logs for > failure request with unsupported cipher and unsupported SSL protocol > > Manish, > > On 1/31/20 8:01 PM, Palod, Manish wrote: >> I will look forward for future release with enhanced info about >> connection. > > https://bz.apache.org/bugzilla/show_bug.cgi?id=64110 > > Patches are always welcome. > > -chris > >> -----Original Message----- From: Christopher Schultz >> <ch...@christopherschultz.net> Sent: Saturday, February 1, 2020 >> 12:03 AM To: users@tomcat.apache.org Subject: Re: Tomcat 7: logs for >> failure request with unsupported cipher and unsupported SSL protocol > >> Manish, > >> On 1/30/20 3:12 AM, Palod, Manish wrote: >>> Thanks Mark and Chris for providing the info. > >>>> IIRC, we are parsing a little of the initial handshake packet for a >>>> few things. Would it be possible to snatch the protocol version >>>> from there and report it in the log file? > >>> Manish> is this available into some log file today > >> No. > >>> and this be added into some future release. > >> I was asking about the feasibility of adding it in the future. >> Mark knows the code very well and is in a good position to comment. >> The data should be available, but we might need to do some work to >> get it into the right place so it makes it into the access log itself >> (since there is no actual "request" in this case). > >>>> The cipher suite of course is never going to exist because there >>>> was no overlap between the client and the server, but the protocol >>>> always has a single value for a handshake attempt. > >>> Manish> What happens in case connection is in TLSv1.2 but with >>> unsupported cipher, will this information show up? >> Theoretically, you could get a report of "TLSv1.2" for the protocol, >> but the cipher suite would say "-" (or similar). > >>> Our requirement is to audit all the connection to the server >>> [successful and failed both] and in case of failure, reason for >>> failure. >> You will never truly be able to know the reason for every failure. >> That requirement is impossible to meet. > >> -chris > >>> -----Original Message----- From: Christopher Schultz >>> <ch...@christopherschultz.net> Sent: Wednesday, January 29, >>> 2020 9:32 PM To: users@tomcat.apache.org Subject: Re: Tomcat 7: >>> logs for failure request with unsupported cipher and unsupported SSL >>> protocol > >>> CAUTION: External email. Do not click links or open attachments >>> unless you recognize the sender and know the content is safe. > >>> Mark, > >>> On 1/29/20 7:56 AM, Mark Thomas wrote: >>>> On 29/01/2020 12:40, Palod, Manish wrote: >>>>> Hi All, >>>>> >>>>> >>>>> I am using tomcat 7 and in our server we support connection only >>>>> with "TLSv1.2" and cipher "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". >>>>> >>>>> >>>>> >>>>> Following is the Access valve pattern "%{E M/d/y @ hh:mm:ss.S a >>>>> z}t %a (%{X-Forwarded-For}i) > %A:%p "%r" >>>>> %{requestBodyLength}r %D %s %B %I "%{Referer}i" >>>>> "%{User-Agent}i" %u %{username}s %{sessionTracker}s with >>>>> TLS protocol >>>>> %{org.apache.tomcat.util.net.secure_protocol_version}r and Cipher >>>>> %{javax.servlet.request.cipher_suite}r" >>>>> >>>>> >>>>> >>>>> and we are able to see following logs for successful >>>>> connection: >>>>> >>>>> >>>>> >>>>> Wed 1/29/2020 @ 04:19:46.6 PM IST <Source-IP> (-) > >>>>> <Server-IP>:443 "GET /favicon.ico HTTP/1.1" - 1 404 66, >>>>> "https://xx.xx.xx.xx/ /html/popCheck.html" "Mozilla/5.0 (Windows >>>>> NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) >>>>> Chrome/79.0.3945.130 Safari/537.36" - - - with TLS protocol >>>>> TLSv1.2 and Cipher >>>>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 >>>>> >>>>> >>>>> But in case when request is made with ex. SSLv3, TLSv1 or >>>>> unsupported ciphers, Server is rejecting the request but no audit >>>>> message is coming into the access logs. >>>>> >>>>> How can I get details about these requests with unsupported >>>>> ciphers and unsupported SSL protocols? > >>>> From Tomcat, you can't. > >>>> If you upgrade to 8.5.x onwards you will get a 400 in the access >>>> logs. You won't get the protocol or cipher information since that >>>> requires a successful TLS connection before it is populated. > >>> IIRC, we are parsing a little of the initial handshake packet for a >>> few things. Would it be possible to snatch the protocol version from >>> there and report it in the log file? The cipher suite of course is >>> never going to exist because there was no overlap between the client >>> and the server, but the protocol always has a single value for a >>> handshake attempt. > >>> -chris > >>> -------------------------------------------------------------------- - - > >>> >>> > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org > > >>> -------------------------------------------------------------------- - - > >>> >>> > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org > > >> --------------------------------------------------------------------- > >> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org > > >> --------------------------------------------------------------------- > >> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl44J9EACgkQHPApP6U8 pFjx0RAAuJq3UIEhPA6QWjPC2afKGoHEPCyUQj/GYKz7RrHRzAG0gcziQpp/RChY MYxs/rbAoEWp0IV3hYrU0S5jH0TeLIq0vgSY+ktYTjFE91p3GYvbZp+/JWfKu6TA 57L+5bmYn9mABhC7flQu4E3Morb9rqBAXym7XcHFKY3+/t1JwoVNnFG4+EyRI5tr JerJqHFb5ofAPvYQv7VTwLfcx+YzU8PxW4eCl+Wcxsuju/FgeuyyjNMMuYvEf428 txIgO48egCYOA3PD271kMiIsSCXyYMsfAVmQG80iHt49kfc0hxpsNejg4PtX6I5+ 6Swpnw8yS/Ituj0dZQk30wvbtJiNhhi4TWXYQ5O7aOTpXR3qNW0MiXNu0HLesk76 dMlf93tGzgcLeFc/aRXB48aFK4cDsoms1sE7HM+zJnWdqLNGTSden9xVVeq3HIoa uHfsRDUa+2NKmocJ2aFfFdmWTqbuxO8Wr7TvpxQtTOI9aw9szshhB8QyQvq1ImGb Nmns0q58G2uJDPO96r9PB1AYryJNCZXCjyOGKhu2z67AsuT6QeR7o3RwSYa3tvgN U+LoQsGUspm1387rfprrQoVfH69I4eP+hgW/LEiUqMEM13MIeByKx1s3D4HdgbDC YT7ul7kWZyOGcBzGkkA7C+jqBxqhTRGFoVGrAs9lkJ1JUqtsGnM= =O6XP -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
