Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/06/17 07:05:27 UTC
[Bug 64531] New: mod_ssl doesn't log client IP although it would be
available many times
https://bz.apache.org/bugzilla/show_bug.cgi?id=64531
Bug ID: 64531
Summary: mod_ssl doesn't log client IP although it would be
available many times
Product: Apache httpd-2
Version: 2.4.43
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: dominik.stillhard@united-security-providers.ch
Target Milestone: ---
mod_ssl uses the function ssl_log_ssl_error (ssl_engine_log.c:86) to log
library errors. This function does call ap_log_error.
My proposal would be to write a method ssl_log_ssl_cerror, which calls
ap_log_cerror. This function would be called whenever a conn_rec is available
instead of ssl_log_ssl_error. The advantage is that like this, we can see a
client IP address in the logs, while with ap_log_error we can't. It's OK to use
ap_log_error for configuration and initialization stuff, but for all
connection-related errors we should go for ap_log_cerror.
For example, these two log lines are from one failed connection attempt, but the
second line doesn't show an IP address:
Thu May 28 11:55:04 2020 [client({c}a)=fc00::cafe:39298]
[client(a)=fc00::cafe:39298] [msg="AH01996: SSL handshake failed: HTTP spoken
on HTTPS port; trying to send HTML error page"]
Thu May 28 11:55:04 2020 [client({c}a)=-] [client(a)=-] [msg="SSL Library
Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request --
speaking HTTP to HTTPS port!?"]
I think this would bring a lot of advantages (the client IP is often used to
correlate requests, for example by an external program that parses Apache logs)
for quite a small effort.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
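
The correlation problem described in the report, as an added example (not part of the original report or of httpd): a parser for the quoted log layout that attaches a client to an entry logged without one only when exactly one client logged in the same second. Assumptions: each entry is on a single line, the 11:55:05 entries are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches the error-log layout quoted in the report, one entry per line.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) '
    r'\[client\(\{c\}a\)=(?P<conn>[^\]]*)\] '
    r'\[client\(a\)=(?P<client>[^\]]*)\] '
    r'\[msg="(?P<msg>.*)"\]$'
)

# First two entries are the report's sample (unwrapped); the 11:55:05 ones are constructed.
SAMPLE = [
    'Thu May 28 11:55:04 2020 [client({c}a)=fc00::cafe:39298] [client(a)=fc00::cafe:39298] [msg="AH01996: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page"]',
    'Thu May 28 11:55:04 2020 [client({c}a)=-] [client(a)=-] [msg="SSL Library Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request -- speaking HTTP to HTTPS port!?"]',
    'Thu May 28 11:55:05 2020 [client({c}a)=fc00::cafe:39300] [client(a)=fc00::cafe:39300] [msg="AH01996: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page"]',
    'Thu May 28 11:55:05 2020 [client({c}a)=fc00::beef:40112] [client(a)=fc00::beef:40112] [msg="AH01996: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page"]',
    'Thu May 28 11:55:05 2020 [client({c}a)=-] [client(a)=-] [msg="SSL Library Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request -- speaking HTTP to HTTPS port!?"]',
]

def parse(line):
    """Return a dict with ts, conn, client and msg, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "-" is what the sample shows for entries written without connection context.
    rec["client"] = None if rec["client"] == "-" else rec["client"]
    return rec

def attribute(lines):
    """Return (msg, client, how) per entry; orphans get a client only if unambiguous."""
    records = [r for r in map(parse, lines) if r]
    seen = defaultdict(set)  # timestamp -> clients that logged in that second
    for r in records:
        if r["client"]:
            seen[r["ts"]].add(r["client"])
    out = []
    for r in records:
        if r["client"]:
            out.append((r["msg"], r["client"], "logged"))
        elif len(seen[r["ts"]]) == 1:
            out.append((r["msg"], next(iter(seen[r["ts"]])), "guessed"))
        else:
            out.append((r["msg"], None, "unattributable"))
    return out
```

The last entry stays unattributable because two clients failed in the same second, and even the "guessed" result is only a timestamp heuristic, not something the log itself states.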
[Bug 64531] mod_ssl doesn't log client IP although it would be
available many times
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64531
Dominik Stillhard <do...@united-security-providers.ch> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |dominik.stillhard@united-security-providers.ch