Thanks Chris for considering this for future release. In future will the fix be ported into Tomcat 7 also?
Regards
Manish

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Saturday, February 1, 2020 9:54 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol

Manish,

On 1/31/20 8:01 PM, Palod, Manish wrote:
> I will look forward for future release with enhanced info about
> connection.

https://bz.apache.org/bugzilla/show_bug.cgi?id=64110

Patches are always welcome.

-chris

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Saturday, February 1, 2020 12:03 AM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol
>
> Manish,
>
> On 1/30/20 3:12 AM, Palod, Manish wrote:
>> Thanks Mark and Chris for providing the info.
>
>>> IIRC, we are parsing a little of the initial handshake packet for a
>>> few things. Would it be possible to snatch the protocol version from
>>> there and report it in the log file?
>
>> Manish> is this available into some log file today
>
> No.
>
>> and this be added into some future release.
>
> I was asking about the feasibility of adding it in the future. Mark
> knows the code very well and is in a good position to comment. The
> data should be available, but we might need to do some work to get it
> into the right place so it makes it into the access log itself (since
> there is no actual "request" in this case).
>
>>> The cipher suite of course is never going to exist because there was
>>> no overlap between the client and the server, but the protocol
>>> always has a single value for a handshake attempt.
>
>> Manish> What happens in case connection is in TLSv1.2 but with
>> unsupported cipher, will this information show up?
>
> Theoretically, you could get a report of "TLSv1.2" for the protocol,
> but the cipher suite would say "-" (or similar).
>
>> Our requirement is to audit all the connection to the server
>> [successful and failed both] and in case of failure, reason for
>> failure.
>
> You will never truly be able to know the reason for every failure.
> That requirement is impossible to meet.
>
> -chris
>
>> -----Original Message-----
>> From: Christopher Schultz <ch...@christopherschultz.net>
>> Sent: Wednesday, January 29, 2020 9:32 PM
>> To: users@tomcat.apache.org
>> Subject: Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol
>>
>> Mark,
>>
>> On 1/29/20 7:56 AM, Mark Thomas wrote:
>>> On 29/01/2020 12:40, Palod, Manish wrote:
>>>> Hi All,
>>>>
>>>> I am using tomcat 7 and in our server we support connection only
>>>> with "TLSv1.2" and cipher "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256".
>>>>
>>>> Following is the Access valve pattern "%{E M/d/y @ hh:mm:ss.S a z}t
>>>> %a (%{X-Forwarded-For}i) > %A:%p "%r"
>>>> %{requestBodyLength}r %D %s %B %I "%{Referer}i"
>>>> "%{User-Agent}i" %u %{username}s %{sessionTracker}s with
>>>> TLS protocol %{org.apache.tomcat.util.net.secure_protocol_version}r
>>>> and Cipher %{javax.servlet.request.cipher_suite}r"
>>>>
>>>> and we are able to see following logs for successful
>>>> connection:
>>>>
>>>> Wed 1/29/2020 @ 04:19:46.6 PM IST <Source-IP> (-) >
>>>> <Server-IP>:443 "GET /favicon.ico HTTP/1.1" - 1 404 66,
>>>> "https://xx.xx.xx.xx/ /html/popCheck.html" "Mozilla/5.0 (Windows
>>>> NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
>>>> Chrome/79.0.3945.130 Safari/537.36" - - - with TLS protocol TLSv1.2
>>>> and Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>>
>>>> But in case when request is made with ex. SSLv3, TLSv1 or
>>>> unsupported ciphers, Server is rejecting the request but no audit
>>>> message is coming into the access logs.
>>>>
>>>> How can I get details about these requests with unsupported ciphers
>>>> and unsupported SSL protocols?
>>>
>>> From Tomcat, you can't.
>>>
>>> If you upgrade to 8.5.x onwards you will get a 400 in the access
>>> logs. You won't get the protocol or cipher information since that
>>> requires a successful TLS connection before it is populated.
>>
>> IIRC, we are parsing a little of the initial handshake packet for a
>> few things. Would it be possible to snatch the protocol version from
>> there and report it in the log file? The cipher suite of course is
>> never going to exist because there was no overlap between the client
>> and the server, but the protocol always has a single value for a
>> handshake attempt.
>>
>> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
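Added example (mine, not Tomcat code) of the point Chris makes in the thread: every handshake attempt carries exactly one client protocol version in the ClientHello, and the offered cipher list can be checked against the server's policy to give a best-effort failure reason, while anything that is not a parseable ClientHello can only be logged as "unknown". It builds and parses a constructed pre-1.3 ClientHello (no supported_versions extension, so TLS 1.3 clients are not handled) against the thread's policy of TLSv1.2 plus TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; the IANA code points, the `198.51.100.7` client address and the `audit_line` format are my assumptions.

```python
import struct

# Policy from the thread: TLSv1.2 only, one suite; code points are IANA values (my lookup).
ALLOWED_VERSIONS = {0x0303}   # TLSv1.2
ALLOWED_SUITES = {0xC02F}     # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def build_client_hello(version, suites):
    """Construct a minimal pre-1.3 ClientHello record (no extensions) as test input."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"    # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                         # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record: handshake, legacy version

def parse_client_hello(data):
    """Return (client_version, [cipher suites]); raise ValueError/struct.error on bad input."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 38 or len(body) != int.from_bytes(hs[1:4], "big"):
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", body[:2])[0]
    pos = 35 + body[34]                                         # skip version, random, session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites

def audit_line(client_ip, data):
    """One audit record per handshake attempt: protocol, cipher if agreed, best-effort reason."""
    try:
        version, suites = parse_client_hello(data)
    except (ValueError, struct.error):
        return f'{client_ip} proto=- cipher=- reason="unparseable ClientHello"'
    proto = VERSION_NAMES.get(version, f"0x{version:04x}")
    if version not in ALLOWED_VERSIONS:
        return f'{client_ip} proto={proto} cipher=- reason="unsupported protocol"'
    common = ALLOWED_SUITES & set(suites)
    if not common:
        return f'{client_ip} proto={proto} cipher=- reason="no common cipher suite"'
    return f'{client_ip} proto={proto} cipher=0x{min(common):04X} reason=-'

if __name__ == "__main__":
    for v, s in ((0x0301, [0xC02F]), (0x0303, [0x002F]), (0x0303, [0x002F, 0xC02F])):
        print(audit_line("198.51.100.7", build_client_hello(v, s)))
```

The three constructed attempts print a TLSv1 rejection, a TLSv1.2 attempt with no common suite, and a successful TLSv1.2 match; bytes that are not a ClientHello at all (a plain HTTP request to port 443, a truncated record) get the "unparseable" reason, which is the case Chris says can never be fully explained from the server side.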