On 29/01/2020 16:02, Christopher Schultz wrote:
> Mark,
> 
> On 1/29/20 7:56 AM, Mark Thomas wrote:
>> On 29/01/2020 12:40, Palod, Manish wrote:
>>> Hi All,
>>>
>>>
>>> I am using Tomcat 7, and on our server we support connections only
>>> with "TLSv1.2" and the cipher
>>> "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256".
>>>
>>> Following is the Access valve pattern "%{E M/d/y @ hh:mm:ss.S a
>>> z}t %a (%{X-Forwarded-For}i) > %A:%p "%r"
>>> %{requestBodyLength}r %D %s %B %I "%{Referer}i" 
>>> "%{User-Agent}i" %u %{username}s %{sessionTracker}s
>>> with TLS protocol
>>> %{org.apache.tomcat.util.net.secure_protocol_version}r and Cipher
>>> %{javax.servlet.request.cipher_suite}r"
>>>
>>> and we are able to see the following log for a successful connection:
>>>
>>> Wed 1/29/2020 @ 04:19:46.6 PM IST <Source-IP> (-) >
>>> <Server-IP>:443  "GET /favicon.ico HTTP/1.1" - 1 404 66,
>>> "https://xx.xx.xx.xx/ /html/popCheck.html"  "Mozilla/5.0 (Windows
>>> NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
>>> Chrome/79.0.3945.130 Safari/537.36" - - - with TLS protocol
>>> TLSv1.2 and Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>
>>> But when a request is made with, e.g., SSLv3, TLSv1 or an
>>> unsupported cipher, the server rejects the request but no audit
>>> message appears in the access logs.
>>>
>>> How can I get details about these requests with unsupported
>>> ciphers and unsupported SSL protocols?
> 
>> From Tomcat, you can't.
> 
>> If you upgrade to 8.5.x onwards you will get a 400 in the access
>> logs. You won't get the protocol or cipher information since that
>> requires a successful TLS connection before it is populated.
> 
> IIRC, we are parsing a little of the initial handshake packet for a
> few things. Would it be possible to snatch the protocol version from
> there and report it in the log file? The cipher suite of course is
> never going to exist because there was no overlap between the client
> and the server, but the protocol always has a single value for a
> handshake attempt.

Potentially. I haven't looked at how easy it would be to insert the
protocol in the right place so the access log valve picks it up.

Mark
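An added example, not from this thread or from Tomcat itself: a Python check that parses access log lines written with Manish's valve pattern, pulls out the two TLS request attributes, and separates entries that never negotiated TLS (the 400s Mark says 8.5+ would log) from entries that did and from any that violate the configured protocol/cipher policy. Only the first sample line is from the thread; the second is a constructed guess at how such a 400 would render, assuming the valve prints "-" for an unset request attribute.

```python
import re

# Regex for the poster's AccessLogValve pattern; only the fields this check
# needs are captured, the "with TLS protocol ... and Cipher ..." tail is literal.
LINE_RE = re.compile(
    r'^(?P<ts>.+?) (?P<client>\S+) \((?P<xff>[^)]*)\) > (?P<local>\S+):(?P<port>\d+)'
    r'\s+"(?P<request>[^"]*)" (?P<body_len>\S+) (?P<elapsed_ms>\S+) (?P<status>\d{3})'
    r' .*? with TLS protocol (?P<protocol>\S+) and Cipher (?P<cipher>\S+)$'
)
# The only protocol and cipher the server in the thread is configured to accept.
ALLOWED_PROTOCOLS = {"TLSv1.2"}
ALLOWED_CIPHERS = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}


def parse_line(line):
    """Return the captured fields as a dict, or None if the line is not in this pattern."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Label one parsed entry: ok, handshake-failed, or policy-violation."""
    if entry["protocol"] == "-" and entry["cipher"] == "-":
        # Both request attributes unset: no TLS session was negotiated. Tomcat 8.5+
        # logs these as 400s (assumed rendered as "-"); Tomcat 7 logs nothing at all.
        return "handshake-failed"
    if entry["protocol"] not in ALLOWED_PROTOCOLS or entry["cipher"] not in ALLOWED_CIPHERS:
        return "policy-violation"
    return "ok"


def audit(lines):
    """Group the %r request lines by classification; unparseable lines go to 'unparsed'."""
    out = {"ok": [], "handshake-failed": [], "policy-violation": [], "unparsed": []}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            out["unparsed"].append(line)
        else:
            out[classify(entry)].append(entry["request"])
    return out


# Constructed sample: line 1 is the successful request quoted in the thread (IPs
# redacted as there); line 2 is an assumed shape for a rejected handshake on 8.5+.
SAMPLE_LOG = [
    'Wed 1/29/2020 @ 04:19:46.6 PM IST <Source-IP> (-) > <Server-IP>:443  "GET /favicon.ico HTTP/1.1" - 1 404 66, '
    '"https://xx.xx.xx.xx/ /html/popCheck.html"  "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" - - - '
    'with TLS protocol TLSv1.2 and Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'Wed 1/29/2020 @ 04:20:01.2 PM IST <Source-IP> (-) > <Server-IP>:443  "-" - 0 400 - - "-"  "-" - - - '
    'with TLS protocol - and Cipher -',
]
```

On Tomcat 7 the rejected connections never reach the valve at all, so this check only has something to find after the upgrade Mark describes.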

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
