Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/06/17 07:05:27 UTC

[Bug 64531] New: mod_ssl doesn't log client IP although it would be available many times

https://bz.apache.org/bugzilla/show_bug.cgi?id=64531

            Bug ID: 64531
           Summary: mod_ssl doesn't log client IP although it would be
                    available many times
           Product: Apache httpd-2
           Version: 2.4.43
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: dominik.stillhard@united-security-providers.ch
  Target Milestone: ---

mod_ssl uses the function ssl_log_ssl_error (ssl_engine_log.c:86) to log
library errors. This function calls ap_log_error.
My proposal would be to write a method ssl_log_ssl_cerror, which calls
ap_log_cerror. This function would be called whenever a conn_rec is available
instead of ssl_log_ssl_error. The advantage is that like this, we can see a
client IP address in the logs, while with ap_log_error we can't. It's OK to use
ap_log_error for configuration and initialization stuff, but for all
connection-related errors we should go for ap_log_cerror.

For example, these two log lines are from one failed connection attempt, but the
second line doesn't show an IP address:

   Thu May 28 11:55:04 2020 [client({c}a)=fc00::cafe:39298]
[client(a)=fc00::cafe:39298] [msg="AH01996: SSL handshake failed: HTTP spoken
on HTTPS port; trying to send HTML error page"] 


   Thu May 28 11:55:04 2020 [client({c}a)=-] [client(a)=-] [msg="SSL Library
Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request --
speaking HTTP to HTTPS port!?"]

I think this would bring a lot of advantages (the client IP is often used to
correlate requests, for example by an external program that parses Apache logs)
for quite a small effort.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
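
Added example (not part of the original report and not httpd code): a small Python correlator over the log layout quoted above, showing why a line logged without the client cannot be attributed once two clients fail in the same second. The first two sample lines are the report's lines re-joined; the third line and the address fc00::beef are constructed.

```python
import re
from collections import defaultdict

# Layout of the two lines quoted in the report (a custom error log format).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) '
    r'\[client\(\{c\}a\)=(?P<client>[^\]]*)\] \[client\(a\)=[^\]]*\] '
    r'\[msg="(?P<msg>.*)"\]$'
)

HANDSHAKE = ('AH01996: SSL handshake failed: HTTP spoken on HTTPS port; '
             'trying to send HTML error page')
SAMPLE = [
    # Lines 1-2: from the report. Line 3: constructed, a second client.
    'Thu May 28 11:55:04 2020 [client({c}a)=fc00::cafe:39298] '
    '[client(a)=fc00::cafe:39298] [msg="%s"]' % HANDSHAKE,
    'Thu May 28 11:55:04 2020 [client({c}a)=-] [client(a)=-] '
    '[msg="SSL Library Error: error:1407609C:SSL routines:'
    'SSL23_GET_CLIENT_HELLO:http request -- speaking HTTP to HTTPS port!?"]',
    'Thu May 28 11:55:04 2020 [client({c}a)=fc00::beef:40112] '
    '[client(a)=fc00::beef:40112] [msg="%s"]' % HANDSHAKE,
]

def parse(line):
    """Return {'ts', 'ip', 'msg'} for one line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    client = m.group("client")
    # "-" is the empty client field, as in the report's second line.
    ip = None if client == "-" else client.rpartition(":")[0]  # drop the port
    return {"ts": m.group("ts"), "ip": ip, "msg": m.group("msg")}

def correlate(lines):
    """Group entries by client IP; entries without a client become orphans."""
    by_ip, orphans = defaultdict(list), []
    for entry in filter(None, map(parse, lines)):
        (orphans if entry["ip"] is None else by_ip[entry["ip"]]).append(entry)
    return dict(by_ip), orphans

def candidates(orphan, by_ip):
    """Clients that logged in the same second: a guess, not an attribution."""
    return sorted(ip for ip, entries in by_ip.items()
                  if any(e["ts"] == orphan["ts"] for e in entries))

if __name__ == "__main__":
    by_ip, orphans = correlate(SAMPLE)
    for o in orphans:
        print(o["msg"][:40], "->", candidates(o, by_ip))
```

With only the report's two lines the timestamp heuristic yields a single candidate; with the constructed third line it yields two, which is the gap that logging the client on the library error line would close.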


[Bug 64531] mod_ssl doesn't log client IP although it would be available many times

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64531

Dominik Stillhard <do...@united-security-providers.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dominik.stillhard@united-se
                   |                            |curity-providers.ch
