Thanks Mark and Chris for providing the info.

> IIRC, we are parsing a little of the initial handshake packet for a few
> things. Would it be possible to snatch the protocol version from there and
> report it in the log file?

Manish> Is this available in some log file today, or will this be added in some future release?

> The cipher suite of course is never going to exist because there was no
> overlap between the client and the server, but the protocol always has a
> single value for a handshake attempt.

Manish> What happens in case the connection is in TLSv1.2 but with an unsupported cipher; will this information show up? Our requirement is to audit all the connections to the server [successful and failed both] and, in case of failure, the reason for failure.

Regards
Manish

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Wednesday, January 29, 2020 9:32 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol

Mark,

On 1/29/20 7:56 AM, Mark Thomas wrote:
> On 29/01/2020 12:40, Palod, Manish wrote:
>> Hi All,
>>
>> I am using Tomcat 7 and in our server we support connections only with
>> "TLSv1.2" and cipher "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256".
>>
>> Following is the Access valve pattern "%{E M/d/y @ hh:mm:ss.S a z}t
>> %a (%{X-Forwarded-For}i) > %A:%p "%r" %{requestBodyLength}r
>> %D %s %B %I "%{Referer}i" "%{User-Agent}i" %u
>> %{username}s %{sessionTracker}s with TLS protocol
>> %{org.apache.tomcat.util.net.secure_protocol_version}r and Cipher
>> %{javax.servlet.request.cipher_suite}r"
>>
>> and we are able to see the following logs for a successful connection:
>>
>> Wed 1/29/2020 @ 04:19:46.6 PM IST <Source-IP> (-) >
>> <Server-IP>:443 "GET /favicon.ico HTTP/1.1" - 1 404 66,
>> "https://xx.xx.xx.xx/ /html/popCheck.html" "Mozilla/5.0 (Windows NT
>> 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
>> Chrome/79.0.3945.130 Safari/537.36" - - - with TLS protocol
>> TLSv1.2 and Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>
>> But in case a request is made with e.g. SSLv3, TLSv1 or unsupported
>> ciphers, the server is rejecting the request but no audit message is
>> coming into the access logs.
>>
>> How can I get details about these requests with unsupported ciphers
>> and unsupported SSL protocols?
>
> From Tomcat, you can't.
>
> If you upgrade to 8.5.x onwards you will get a 400 in the access logs.
> You won't get the protocol or cipher information since that requires a
> successful TLS connection before it is populated.

IIRC, we are parsing a little of the initial handshake packet for a few
things. Would it be possible to snatch the protocol version from there and
report it in the log file?

The cipher suite of course is never going to exist because there was no
overlap between the client and the server, but the protocol always has a
single value for a handshake attempt.
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
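As an added example (not code from this thread and not Tomcat's own code), the following Python parses a raw TLS ClientHello, the "initial handshake packet" Chris refers to, and reports the protocol version(s) and cipher suites the client offered, together with the reason a server pinned to TLSv1.2 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 would refuse the handshake. This is the information a failed-connection audit line could carry even though Tomcat never populates the request attributes used in the access log pattern above. The ClientHello messages are constructed inline as test input; the function names, the `SERVER_VERSIONS`/`SERVER_CIPHERS` policy sets and the small cipher-suite name table are this example's own assumptions.

```python
"""Added example: extract the offered protocol versions and cipher suites from a
raw TLS ClientHello and explain why a pinned server would reject it.
Sample ClientHellos are constructed inline; this is not Tomcat code."""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
CIPHER_NAMES = {  # small subset of the IANA TLS cipher suite registry
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 extension type

# Assumed server policy, matching the thread: TLSv1.2 with one cipher suite.
SERVER_VERSIONS = {0x0303}
SERVER_CIPHERS = {0xC02F}


def name_version(v): return VERSION_NAMES.get(v, "0x%04x" % v)
def name_cipher(c): return CIPHER_NAMES.get(c, "0x%04x" % c)


def parse_client_hello(data: bytes) -> dict:
    """Parse record header + ClientHello. Returns legacy_version, the versions
    actually offered (supported_versions extension if present) and cipher suites."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!HH", data[1:5])
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # client random
    pos += 1 + hello[pos]                       # session id (length-prefixed)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    cipher_suites = [struct.unpack("!H", hello[i:i + 2])[0]
                     for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                       # compression methods
    offered = [legacy_version]                  # pre-1.3 clients: one value
    if pos + 2 <= len(hello):                   # extensions are optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            edata = hello[pos:pos + elen]; pos += elen
            if etype == SUPPORTED_VERSIONS_EXT and edata:
                n = edata[0]                    # 1-byte list length in ClientHello form
                offered = [struct.unpack("!H", edata[i:i + 2])[0]
                           for i in range(1, 1 + n, 2)]
    return {"record_version": record_version, "legacy_version": legacy_version,
            "offered_versions": offered, "cipher_suites": cipher_suites}


def explain_rejection(hello: dict, versions=SERVER_VERSIONS, ciphers=SERVER_CIPHERS):
    """Return the audit reason the pinned server would refuse this hello, or None."""
    if not set(hello["offered_versions"]) & set(versions):
        return "unsupported protocol %s" % "/".join(
            name_version(v) for v in hello["offered_versions"])
    if not [c for c in hello["cipher_suites"] if c in ciphers]:
        return "no shared cipher suite; client offered %s" % ", ".join(
            name_cipher(c) for c in hello["cipher_suites"])
    return None


def build_client_hello(legacy_version, cipher_suites, supported_versions=None) -> bytes:
    """Constructed test input: a minimal, well-formed ClientHello record."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"   # random, empty sid
    body += struct.pack("!H", 2 * len(cipher_suites)) + b"".join(
        struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                                              # null compression
    if supported_versions:
        ext = bytes([2 * len(supported_versions)]) + b"".join(
            struct.pack("!H", v) for v in supported_versions)
        exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext)) + ext
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    rec_version = min(legacy_version, 0x0301)   # record layer stays at <= TLS 1.0
    return b"\x16" + struct.pack("!HH", rec_version, len(hs)) + hs


if __name__ == "__main__":
    samples = {
        "SSLv3 client": build_client_hello(0x0300, [0x000A, 0x002F]),
        "TLSv1.2 client, CBC only": build_client_hello(0x0303, [0x002F, 0x000A]),
        "TLSv1.3-capable client": build_client_hello(
            0x0303, [0x1301, 0xC02F], supported_versions=[0x0304, 0x0303]),
    }
    for label, raw in samples.items():
        h = parse_client_hello(raw)
        reason = explain_rejection(h)
        print("%-26s protocol=%s result=%s" % (
            label, name_version(max(h["offered_versions"])),
            "accepted" if reason is None else "rejected (%s)" % reason))
```

Two caveats for anyone wanting this in production. First, the single protocol value Chris describes is `legacy_version`; a TLS 1.3 client instead lists everything it accepts in the supported_versions extension, so the audit line should carry the list (or the highest entry), not just the two-byte field. Second, this works on the raw record, so with Tomcat 7 it would have to run in front of the connector (a TCP-level proxy or a capture of the first record on port 443) rather than inside the access log valve, whose `%{...}r` attributes are only set once the handshake has completed.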