Hi all,
I'm running Apache 2.4.25 on Debian 9 and trying to debug SSL.
Even with LogLevel set to trace8, error.log doesn't produce exhaustive
details when I, e.g., try to connect using an older, unsupported protocol:
openssl s_client -connect www.mysite.com:443 -tls1
[Fri Jun 19 16:15:54.339546 2020] [ssl:info] [pid 11437] [client 192.168.10.196:46016] AH01964: Connection to child 2 established (server www.mysite.com:443)
[Fri Jun 19 16:15:54.339631 2020] [ssl:trace2] [pid 11437] ssl_engine_rand.c(126): Seeding PRNG with 656 bytes of entropy
[Fri Jun 19 16:15:54.339705 2020] [ssl:trace3] [pid 11437] ssl_engine_kernel.c(1989): [client 192.168.10.196:46016] OpenSSL: Handshake: start
[Fri Jun 19 16:15:54.339721 2020] [ssl:trace3] [pid 11437] ssl_engine_kernel.c(1998): [client 192.168.10.196:46016] OpenSSL: Loop: before/accept initialization
[Fri Jun 19 16:15:54.339737 2020] [ssl:trace4] [pid 11437] ssl_engine_io.c(2135): [client 192.168.10.196:46016] OpenSSL: read 11/11 bytes from BIO#5641ea41b3e0 [mem: 5641ea420a40] (BIO dump follows)
[Fri Jun 19 16:15:54.339740 2020] [ssl:trace7] [pid 11437] ssl_engine_io.c(2064): +-------------------------------------------------------------------------+
[Fri Jun 19 16:15:54.339744 2020] [ssl:trace7] [pid 11437] ssl_engine_io.c(2102): | 0000: 16 03 01 00 81 01 00 00-7d 03 01 ........}.. |
[Fri Jun 19 16:15:54.339745 2020] [ssl:trace7] [pid 11437] ssl_engine_io.c(2108): +-------------------------------------------------------------------------+
[Fri Jun 19 16:15:54.339747 2020] [ssl:trace3] [pid 11437] ssl_engine_kernel.c(2027): [client 192.168.10.196:46016] OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Fri Jun 19 16:15:54.339751 2020] [ssl:info] [pid 11437] [client 192.168.10.196:46016] AH02008: SSL library error 1 in handshake (server www.mysite.com:443)
[Fri Jun 19 16:15:54.339775 2020] [ssl:info] [pid 11437] SSL Library Error: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol
[Fri Jun 19 16:15:54.339779 2020] [ssl:info] [pid 11437] [client 192.168.10.196:46016] AH01998: Connection closed to child 2 with abortive shutdown (server www.mysite.com:443)
It doesn't say, e.g., which protocol was attempted, the URL, agent, etc.
This type of info doesn't seem possible here according to:
http://httpd.apache.org/docs/trunk/mod/core.html#errorlogformat
Therefore I've attempted the following:
/etc/apache2/mods-available/ssl.conf
<IfModule mod_ssl.c>
(...)
ErrorLog /var/log/apache2/ssl_error.log
LogLevel trace8
(...)
</IfModule>
But nothing is being logged to this file when I make various invalid SSL
requests to the server.
All I get is:
[Fri Jun 19 16:39:12.156511 2020] [core:notice] [pid 11679] AH00094: Command line: '/usr/sbin/apache2'
[Fri Jun 19 16:39:12.156514 2020] [core:debug] [pid 11679] log.c(1546): AH02639: Using SO_REUSEPORT: yes (1)
[Fri Jun 19 16:39:12.156521 2020] [mpm_prefork:debug] [pid 11679] prefork.c(1032): AH00165: Accept mutex: fcntl (default: sysvsem)
[Fri Jun 19 16:39:12.156615 2020] [watchdog:debug] [pid 11686] mod_watchdog.c(563): AH02980: Watchdog: nothing configured?
with the last message being repeated.
Is it a false positive?
apache2ctl -M | grep watchdog
[Fri Jun 19 16:42:05.186631 2020] [core:trace3] [pid 11707] core.c(3289): Setting LogLevel for all modules to trace8
[Fri Jun 19 16:42:05.186778 2020] [core:trace3] [pid 11707] core.c(3289): Setting LogLevel for all modules to trace8
watchdog_module (static)
How can I log details of SSL handshake failures?
Thanks,
Adam
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
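The trace7 output quoted in the post does in fact contain the detail that the "unsupported protocol" line omits: the 11 bytes that mod_ssl dumped are the TLS record header plus the start of the ClientHello, and bytes 9 and 10 (03 01) are the version the client asked for, i.e. TLS 1.0. The following script is an added example, not code from the post or from httpd: it scans an error.log for the "| 0000: ... |" rows that ssl_engine_io.c writes after "(BIO dump follows)", reassembles the bytes, and reports the requested version. The sample log is constructed from the post's own dump row (timestamps and pids copied from it, padding collapsed as in the paste); the row layout (16 bytes per row, a '-' after the 8th byte) is taken from mod_ssl's dump routine. It handles the truncated 11-byte read shown above and, when a full hello is present, also lists the offered cipher suites. Two caveats are noted in the code: a TLS 1.3 client advertises 0x0303 here and carries its real version in the supported_versions extension, which is not parsed; and SSLv2-framed hellos are only identified, not decoded.

```python
"""Decode the ClientHello that mod_ssl dumped at LogLevel trace7.

Added example, not part of the original post or of httpd. It parses the
"| 0000: .. |" hex rows that ssl_engine_io.c writes after "(BIO dump follows)"
and reports which protocol version the client asked for, which the
"unsupported protocol" error line does not state.
"""
import re
from typing import Dict, List, Optional

# Version bytes as they appear on the wire, mapped to protocol names.
# A TLS 1.3 client also sends (3, 3) here; its true maximum lives in the
# supported_versions extension, which this example does not parse.
VERSION_NAMES = {
    (0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1", (3, 3): "TLSv1.2 (or TLSv1.3 via supported_versions)",
}

# A dump row: "| <offset>: <hex bytes, '-' after the 8th> <ascii> |"
ROW_RE = re.compile(r"\| ([0-9a-f]{4}): (.*)\|")
DUMP_WIDTH = 16  # bytes per row in mod_ssl's ssl_io_data_dump()

# Constructed sample: the trace7 dump from the post, re-joined onto single
# lines. Timestamps and pids are copied from the post, not fresh output.
SAMPLE_LOG = """\
[Fri Jun 19 16:15:54.339737 2020] [ssl:trace4] [pid 11437] ssl_engine_io.c(2135): [client 192.168.10.196:46016] OpenSSL: read 11/11 bytes from BIO#5641ea41b3e0 [mem: 5641ea420a40] (BIO dump follows)
[Fri Jun 19 16:15:54.339740 2020] [ssl:trace7] [pid 11437] ssl_engine_io.c(2064): +-------------------------------------------------------------------------+
[Fri Jun 19 16:15:54.339744 2020] [ssl:trace7] [pid 11437] ssl_engine_io.c(2102): | 0000: 16 03 01 00 81 01 00 00-7d 03 01 ........}.. |
[Fri Jun 19 16:15:54.339745 2020] [ssl:trace7] [pid 11437] ssl_engine_io.c(2108): +-------------------------------------------------------------------------+
"""


def version_name(major: int, minor: int) -> str:
    return VERSION_NAMES.get((major, minor), f"unknown ({major}.{minor})")


def extract_dumps(log_text: str) -> List[bytes]:
    """Collect hex rows into byte buffers; a row at offset 0000 starts a new dump."""
    dumps: List[bytearray] = []
    for line in log_text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        if int(m.group(1), 16) == 0:
            dumps.append(bytearray())
        if not dumps:
            continue  # row from a dump whose start was not pasted
        # Consume tokens while they are hex pairs, at most 16 per row. The
        # fixed-width padding is often collapsed when a log is pasted, so we do
        # not rely on column positions; a partial row whose ASCII column happens
        # to start with two hex-looking characters would be over-read.
        count = 0
        for tok in re.split(r"[\s-]+", m.group(2).strip()):
            if count == DUMP_WIDTH or not re.fullmatch(r"[0-9a-f]{2}", tok):
                break
            dumps[-1].append(int(tok, 16))
            count += 1
    return [bytes(d) for d in dumps]


def parse_client_hello(data: bytes) -> Dict[str, object]:
    """Parse the TLS record and handshake headers of a (possibly truncated) ClientHello."""
    if len(data) < 5:
        raise ValueError("fewer than 5 bytes: no TLS record header")
    if data[0] & 0x80:
        # SSLv2 framing: 2-byte length with the high bit set, then msg type 1.
        if data[2] == 1:
            return {"format": "SSLv2-compatible ClientHello",
                    "client_version": version_name(data[3], data[4])}
        raise ValueError("SSLv2-framed record that is not a ClientHello")
    content_type, rec_major, rec_minor = data[0], data[1], data[2]
    rec_len = int.from_bytes(data[3:5], "big")
    if content_type != 22:
        raise ValueError(f"record content type {content_type} is not handshake (22)")
    if len(data) < 11:
        raise ValueError("handshake header incomplete")
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_type != 1:
        raise ValueError(f"handshake type {hs_type} is not ClientHello (1)")
    result: Dict[str, object] = {
        "format": "TLS ClientHello",
        "record_version": version_name(rec_major, rec_minor),
        "record_length": rec_len,
        "handshake_length": hs_len,
        "client_version": version_name(data[9], data[10]),
        "truncated": len(data) < 5 + rec_len,
        "cipher_suites": None,
    }
    # After the headers: 32-byte random, session id, then the cipher suite list.
    pos = 11 + 32
    if len(data) > pos:
        pos += 1 + data[pos]  # skip session_id length byte and session id
        if len(data) >= pos + 2:
            cs_len = int.from_bytes(data[pos:pos + 2], "big")
            suites = data[pos + 2:pos + 2 + cs_len]
            if len(suites) == cs_len:
                result["cipher_suites"] = [suites[i:i + 2].hex() for i in range(0, cs_len, 2)]
    return result


def attempted_version_from_log(log_text: str) -> Optional[Dict[str, object]]:
    """Return the parsed ClientHello for the first dump in the log that is one."""
    for dump in extract_dumps(log_text):
        try:
            return parse_client_hello(dump)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    for key, value in (attempted_version_from_log(SAMPLE_LOG) or {}).items():
        print(f"{key}: {value}")
```

Against the post's dump this reports client_version TLSv1.0, record length 129 and handshake length 125 (consistent: 125 + 4 bytes of handshake header), and truncated, because only 11 of the 134 record bytes were dumped before OpenSSL rejected the version. To run it on a live server, pass the contents of error.log to attempted_version_from_log(); note that trace7 dumps every buffer mod_ssl reads or writes, so keep that level on only while reproducing a failure.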