Manish,

On 1/30/20 3:12 AM, Palod, Manish wrote:
> Thanks Mark and Chris for providing the info.
> 
>> IIRC, we are parsing a little of the initial handshake packet for
>> a few things. Would it be possible to snatch the protocol
>> version from there and report it in the log file?
> 
> Manish> Is this available in some log file today,

No.

> and can this be added in some future release?

I was asking about the feasibility of adding it in the future. Mark
knows the code very well and is in a good position to comment. The
data should be available, but we might need to do some work to get it
into the right place so it makes it into the access log itself (since
there is no actual "request" in this case).

>> The cipher suite of course is never going to exist because there
>> was no overlap between the client and the server, but the
>> protocol always has a single value for a handshake attempt.
> 
> Manish> What happens in case the connection is TLSv1.2 but with an
> unsupported cipher? Will this information show up?

Theoretically, you could get a report of "TLSv1.2" for the protocol,
but the cipher suite would say "-" (or similar).

> Our requirement is to audit all the connections to the server
> [both successful and failed] and, in case of failure, the reason for
> the failure.

You will never truly be able to know the reason for every failure.
That requirement is impossible to meet.

- -chris

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Wednesday, January 29, 2020 9:32 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol
> 
> Mark,
> 
> On 1/29/20 7:56 AM, Mark Thomas wrote:
>> On 29/01/2020 12:40, Palod, Manish wrote:
>>> Hi All,
>>> 
>>> I am using Tomcat 7, and on our server we support connections
>>> only with "TLSv1.2" and cipher
>>> "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256".
>>> 
>>> Following is the Access valve pattern "%{E M/d/y @ hh:mm:ss.S a
>>> z}t %a (%{X-Forwarded-For}i) > %A:%p &quot;%r&quot;
>>> %{requestBodyLength}r %D %s %B %I &quot;%{Referer}i&quot;
>>> &quot;%{User-Agent}i&quot; %u %{username}s %{sessionTracker}s
>>> with TLS protocol 
>>> %{org.apache.tomcat.util.net.secure_protocol_version}r and
>>> Cipher %{javax.servlet.request.cipher_suite}r"
>>> 
>>> and we are able to see the following log for a successful
>>> connection:
>>> 
>>> Wed 1/29/2020 @ 04:19:46.6 PM IST <Source-IP> (-) > 
>>> <Server-IP>:443  "GET /favicon.ico HTTP/1.1" - 1 404 66, 
>>> "https://xx.xx.xx.xx/ /html/popCheck.html"  "Mozilla/5.0
>>> (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
>>> Gecko) Chrome/79.0.3945.130 Safari/537.36" - - - with TLS
>>> protocol TLSv1.2 and Cipher
>>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>> 
>>> But when a request is made with e.g. SSLv3, TLSv1 or
>>> unsupported ciphers, the server rejects the request but no
>>> audit message appears in the access logs.
>>> 
>>> How can I get details about these requests with unsupported
>>> ciphers and unsupported SSL protocols?
> 
>> From Tomcat, you can't.
> 
>> If you upgrade to 8.5.x onwards you will get a 400 in the access
>> logs. You won't get the protocol or cipher information since that
>> requires a successful TLS connection before it is populated.
> 
> IIRC, we are parsing a little of the initial handshake packet for a
> few things. Would it be possible to snatch the protocol version
> from there and report it in the log file? The cipher suite of
> course is never going to exist because there was no overlap between
> the client and the server, but the protocol always has a single
> value for a handshake attempt.
> 
> -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

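Chris's suggestion in the thread (peek at the initial handshake packet and pull the protocol version out of it, since the cipher suite can never be populated when there is no overlap) can be shown with a small ClientHello parser. This is an added example, not Tomcat's code or anything from the thread: the ClientHello records it feeds itself are constructed fixtures, the server policy it checks against (TLSv1.2 only, the single ECDHE/AES-GCM suite from Manish's configuration) and the reason labels are assumptions, and the cipher-suite name table covers only the code points used here. It also makes Chris's last point concrete: when the client's offer does overlap the server's policy, the ClientHello alone cannot say why the handshake failed.

```python
"""Recover what a client offered in its TLS ClientHello so that a rejected
handshake can still be audited with protocol and cipher details.

Added example, not Tomcat code. The ClientHello records fed to it are
constructed fixtures; the server policy and reason labels are assumptions.
"""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
# IANA code points for the few suites used in the fixtures below.
CIPHER_NAMES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                0x0005: "TLS_RSA_WITH_RC4_128_SHA"}
SUPPORTED_VERSIONS_EXT = 43  # RFC 8446 supported_versions extension

# Assumed server policy, mirroring the configuration described in the thread.
SERVER_VERSIONS = {0x0303}
SERVER_SUITES = {0xC02F}


def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello.

    Returns the record-layer version, the legacy client_version, the list of
    protocol versions actually offered (supported_versions if present,
    otherwise client_version) and the offered cipher suite code points.
    Raises ValueError for anything that is not a well-formed ClientHello.
    """
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_version, rec_len = _u16(record, 1), _u16(record, 3)
        body = record[5:5 + rec_len]
        if len(body) != rec_len or body[0] != 0x01:
            raise ValueError("not a ClientHello")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 0
        client_version = _u16(hello, pos)
        pos += 2
        pos += 32                       # random
        pos += 1 + hello[pos]           # legacy session id
        cs_len = _u16(hello, pos)
        pos += 2
        suites = list(struct.unpack("!%dH" % (cs_len // 2), hello[pos:pos + cs_len]))
        pos += cs_len
        pos += 1 + hello[pos]           # compression methods
        versions = [client_version]
        if pos + 2 <= len(hello):       # extensions block is optional
            end = pos + 2 + _u16(hello, pos)
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
                pos += 4
                data = hello[pos:pos + elen]
                pos += elen
                if etype == SUPPORTED_VERSIONS_EXT and data:
                    n = data[0]
                    versions = list(struct.unpack("!%dH" % (n // 2), data[1:1 + n]))
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc
    return {"record_version": rec_version, "client_version": client_version,
            "offered_versions": versions, "cipher_suites": suites}


def explain_rejection(record: bytes, server_versions=SERVER_VERSIONS,
                      server_suites=SERVER_SUITES) -> dict:
    """Classify a failed handshake as far as the client's offer allows.

    'no_common_protocol' and 'no_common_cipher' are visible from the offer
    alone; anything else is 'unknown' (certificate problems, a client that
    aborted, and so on cannot be recovered from the ClientHello).
    """
    try:
        info = parse_client_hello(record)
    except ValueError as exc:
        return {"offered_protocols": "-", "offered_ciphers": "-",
                "reason": "malformed_hello: %s" % exc}
    if not set(info["offered_versions"]) & set(server_versions):
        reason = "no_common_protocol"
    elif not set(info["cipher_suites"]) & set(server_suites):
        reason = "no_common_cipher"
    else:
        reason = "unknown"
    return {"offered_protocols": ",".join(VERSION_NAMES.get(v, "0x%04x" % v)
                                          for v in info["offered_versions"]),
            "offered_ciphers": ",".join(CIPHER_NAMES.get(c, "0x%04x" % c)
                                        for c in info["cipher_suites"]),
            "reason": reason}


def build_client_hello(client_version, suites, supported_versions=None) -> bytes:
    """Construct a minimal ClientHello record (a test fixture, not a real client's)."""
    body = struct.pack("!H", client_version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    if supported_versions is not None:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 1 + len(vs)) + bytes([len(vs)]) + vs
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    samples = {  # constructed fixtures
        "sslv3 client": build_client_hello(0x0300, [0x0005]),
        "tls1.2 client, unsupported cipher": build_client_hello(0x0303, [0x002F]),
        "tls1.3-capable client": build_client_hello(0x0303, [0xC02F], [0x0304, 0x0303]),
        "plain http on the tls port": b"GET / HTTP/1.1\r\n",
    }
    for label, rec in samples.items():
        print(label, "->", explain_rejection(rec))
```

The parser only looks at the first record, which is all a server has at the point the handshake is rejected; in Tomcat that is before any request object exists, which is why the `%{...}r` attributes in the access-log pattern stay empty for these connections. The `unknown` branch is the honest answer Chris gives above: an acceptable offer that still fails tells you nothing about the cause from this data alone.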
