Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2020/01/29 12:56:42 UTC

Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol

On 29/01/2020 12:40, Palod, Manish wrote:
> Hi All,
> 
> 
> I am using Tomcat 7, and our server supports connections only with "TLSv1.2" and cipher "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256".
> 
> 
> 
> Following is the Access valve pattern
> "%{E M/d/y @ hh:mm:ss.S a z}t %a (%{X-Forwarded-For}i) > %A:%p
> &quot;%r&quot; %{requestBodyLength}r %D %s %B %I &quot;%{Referer}i&quot;
> &quot;%{User-Agent}i&quot; %u %{username}s %{sessionTracker}s with TLS protocol %{org.apache.tomcat.util.net.secure_protocol_version}r and Cipher %{javax.servlet.request.cipher_suite}r"
> 
> 
> 
> and we are able to see the following logs for a successful connection:
> 
> 
> 
> Wed 1/29/2020 @ 04:19:46.6 PM IST <Source-IP> (-) > <Server-IP>:443  "GET /favicon.ico HTTP/1.1" - 1 404 66,  "https://xx.xx.xx.xx/ /html/popCheck.html"  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36" - - - with TLS protocol TLSv1.2 and Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> 
> 
> But when a request is made with e.g. SSLv3, TLSv1 or unsupported ciphers, the server rejects the request but no audit message appears in the access logs.
> 
> How can I get details about these requests with unsupported ciphers and unsupported SSL protocols?

From Tomcat, you can't.

If you upgrade to 8.5.x onwards you will get a 400 in the access logs.
You won't get the protocol or cipher information since that requires a
successful TLS connection before it is populated.

You could enable TLS handshake debugging at the JRE level but that will
probably generate far more data than you want.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
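Mark's answer settles what Tomcat 7 itself can log, but the information the audit requirement asks for is still on the wire: the client's offered protocol version(s) and cipher suites are sent in the clear in the ClientHello, before any handshake succeeds, so a packet capture or a TLS-terminating proxy in front of Tomcat can record them even when Tomcat cannot. The Python below is an added example written for this page; it is not Tomcat code and not from anyone in the thread. It parses a ClientHello, evaluates it against the policy Manish describes (TLSv1.2 only, one cipher suite), and emits a line in the style of his access-log suffix. The sample hellos are constructed inside the block, and the policy sets, the function names `audit_handshake`/`audit_line` and the `rejected (reason)` wording are this example's own assumptions.

```python
"""Parse a TLS ClientHello and classify it against the thread's server policy."""
import struct

# Server policy from the thread: only TLSv1.2, only this one suite.
SERVER_VERSIONS = {0x0303}
SERVER_SUITES = {0xC02F}  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
SUITE_NAMES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
               0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
EXT_SUPPORTED_VERSIONS = 0x002B


def parse_client_hello(data: bytes) -> dict:
    """Return the versions and cipher suites offered in a ClientHello (RFC 5246
    7.4.1.2 framing). An SSLv2-compatible hello is framed differently: reject it."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record (SSLv2-style hello?)")
    body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                               # skip legacy_version, random
    pos += 1 + hello[pos]                      # skip session_id
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + hello[pos]                      # skip compression_methods
    versions = [client_version]
    if pos + 2 <= len(hello):                  # extensions are optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            edata = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS and edata:
                # RFC 8446 4.2.1: 1-byte list length, then 2-byte versions.
                versions = [struct.unpack("!H", edata[1 + i:3 + i])[0]
                            for i in range(0, edata[0], 2)]
    return {"versions": versions, "suites": suites}


def audit_handshake(data: bytes) -> dict:
    """Decide what the server would do and return the fields an audit line
    needs: decision, reason, protocol and cipher ('-' when not negotiated)."""
    try:
        hello = parse_client_hello(data)
    except (ValueError, struct.error, IndexError) as exc:
        return {"decision": "rejected", "reason": f"unparseable hello: {exc}",
                "protocol": "-", "cipher": "-"}
    common = [v for v in hello["versions"] if v in SERVER_VERSIONS]
    if not common:
        offered = "/".join(VERSION_NAMES.get(v, hex(v)) for v in hello["versions"])
        return {"decision": "rejected", "reason": "unsupported protocol",
                "protocol": offered, "cipher": "-"}
    protocol = VERSION_NAMES[max(common)]
    overlap = [s for s in hello["suites"] if s in SERVER_SUITES]
    if not overlap:
        return {"decision": "rejected", "reason": "no common cipher suite",
                "protocol": protocol, "cipher": "-"}
    return {"decision": "accepted", "reason": "-", "protocol": protocol,
            "cipher": SUITE_NAMES.get(overlap[0], hex(overlap[0]))}


def audit_line(client: str, data: bytes) -> str:
    """Render the result in the style of the log suffix used in the thread."""
    r = audit_handshake(data)
    return (f"{client} {r['decision']} ({r['reason']}) with TLS protocol "
            f"{r['protocol']} and Cipher {r['cipher']}")


def build_client_hello(version: int, suites: list, supported=None) -> bytes:
    """Build a minimal ClientHello; used here only to construct sample input."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00"  # + null compression
    if supported:                      # optional supported_versions extension
        ext = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext)) + ext
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record header


# Constructed samples, not captured traffic.
MODERN = build_client_hello(0x0303, [0xC02F, 0xC030])          # accepted
LEGACY = build_client_hello(0x0301, [0x002F, 0x000A])          # TLSv1 only
SSLV3 = build_client_hello(0x0300, [0x000A])                   # SSLv3 only
WEAK = build_client_hello(0x0303, [0x002F])                    # right version, no common suite
TLS13 = build_client_hello(0x0303, [0xC02F], [0x0304, 0x0303]) # 1.3 offered, 1.2 chosen
```

Calling `audit_line("client", LEGACY)` yields `client rejected (unsupported protocol) with TLS protocol TLSv1 and Cipher -`, which is the most a log can honestly say for that case: the client's version is known, a negotiated cipher never existed, matching Chris's later point in the thread. The `WEAK` sample shows the other case, TLSv1.2 accepted but no suite overlap. The JRE-level alternative Mark mentions is the standard JSSE debug property (`-Djavax.net.debug=ssl:handshake` in `CATALINA_OPTS`), which logs every handshake including failures but, as he warns, is far too verbose to serve as an audit trail.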


RE: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol

Posted by "Palod, Manish" <Ma...@McAfee.com>.
Hi Chris,

I am trying to debug the source code to find out the place where I will have to make changes to receive the cipher and protocol in case of failures. Not too much success.

I have narrowed it down to a few potential classes [maybe the right direction]:
org/apache/tomcat/util/net/JIoEndpoint.java
org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
org/apache/tomcat/util/threads/TaskThread.java

If you can help me by pointing out the classes where I will have to change the code, I will debug and work on them.

Regards
Manish
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Monday, February 3, 2020 7:32 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Manish,

On 2/2/20 11:20 PM, Palod, Manish wrote:
> Thanks Chris for considering this for future release.
> 
> In future will the fix be ported into Tomcat 7 also?

Let's see if anyone wants to implement this in trunk, first. If you want to prepare some patches/PRs, it's much more likely to go the way you hope.

- -chris

> -----Original Message----- From: Christopher Schultz 
> <ch...@christopherschultz.net> Sent: Saturday, February 1, 2020
> 9:54 PM To: users@tomcat.apache.org Subject: Re: Tomcat 7: logs for 
> failure request with unsupported cipher and unsupported SSL protocol
> 
> Manish,
> 
> On 1/31/20 8:01 PM, Palod, Manish wrote:
>> I will look forward for future release with enhanced info about 
>> connection.
> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=64110
> 
> Patches are always welcome.
> 
> -chris
> 
>> -----Original Message----- From: Christopher Schultz 
>> <ch...@christopherschultz.net> Sent: Saturday, February 1, 2020
>> 12:03 AM To: users@tomcat.apache.org Subject: Re: Tomcat 7: logs for 
>> failure request with unsupported cipher and unsupported SSL protocol
> 
>> Manish,
> 
>> On 1/30/20 3:12 AM, Palod, Manish wrote:
>>> Thanks Mark and Chris for providing the info.
> 
>>>> IIRC, we are parsing a little of the initial handshake packet for a 
>>>> few things. Would it be possible to snatch the protocol version 
>>>> from there and report it in the log file?
> 
>>> Manish> is this available into some log file today
> 
>> No.
> 
>>> and this be added into some future release.
> 
>> I was asking about the feasibility of adding it in the future.
>> Mark knows the code very well and is in a good position to comment. 
>> The data should be available, but we might need to do some work to 
>> get it into the right place so it makes it into the access log itself 
>> (since there is no actual "request" in this case).
> 
>>>> The cipher suite of course is never going to exist because there 
>>>> was no overlap between the client and the server, but the protocol 
>>>> always has a single value for a handshake attempt.
> 
>>> Manish> What happens in case connection is in TLSv1.2 but with
>>> unsupported cipher, will this information show up?
>> Theoretically, you could get a report of "TLSv1.2" for the protocol, 
>> but the cipher suite would say "-" (or similar).
> 
>>> Our requirement is to audit all the connection to the server 
>>> [successful and failed both] and in case of failure, reason for  
>>> failure.
>> You will never truly be able to know the reason for every failure. 
>> That requirement is impossible to meet.
> 
>> -chris
> 
>>> -----Original Message----- From: Christopher Schultz 
>>> <ch...@christopherschultz.net> Sent: Wednesday, January 29,
>>> 2020 9:32 PM To: users@tomcat.apache.org Subject: Re: Tomcat 7:
>>> logs for failure request with unsupported cipher and unsupported SSL 
>>> protocol
> 
>>> Mark,
> 
>>> On 1/29/20 7:56 AM, Mark Thomas wrote:
>>>> On 29/01/2020 12:40, Palod, Manish wrote:
>>>>> Hi All,
>>>>> 
>>>>> 
>>>>> I am using tomcat 7 and in our server we support connection only 
>>>>> with "TLSv1.2" and cipher "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256".
>>>>> 
>>>>> 
>>>>> 
>>>>> Following is the Access valve pattern "%{E M/d/y @ hh:mm:ss.S a 
>>>>> z}t %a (%{X-Forwarded-For}i) > %A:%p &quot;%r&quot; 
>>>>> %{requestBodyLength}r %D %s %B %I &quot;%{Referer}i&quot; 
>>>>> &quot;%{User-Agent}i&quot; %u %{username}s %{sessionTracker}s with 
>>>>> TLS protocol 
>>>>> %{org.apache.tomcat.util.net.secure_protocol_version}r and Cipher 
>>>>> %{javax.servlet.request.cipher_suite}r"
>>>>> 
>>>>> 
>>>>> 
>>>>> and we are able to see following logs for successful
>>>>> connection:
>>>>> 
>>>>> 
>>>>> 
>>>>> Wed 1/29/2020 @ 04:19:46.6 PM IST <Source-IP> (-) >
>>>>> <Server-IP>:443  "GET /favicon.ico HTTP/1.1" - 1 404 66, 
>>>>> "https://xx.xx.xx.xx/ /html/popCheck.html"  "Mozilla/5.0 (Windows 
>>>>> NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
>>>>> Chrome/79.0.3945.130 Safari/537.36" - - - with TLS protocol 
>>>>> TLSv1.2 and Cipher
>>>>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>>> 
>>>>> 
>>>>> But in case when request is made with ex. SSLv3, TLSv1 or 
>>>>> unsupported ciphers, Server is rejecting the request but no audit 
>>>>> message is coming into the access logs.
>>>>> 
>>>>> How can I get details about these requests with unsupported 
>>>>> ciphers and unsupported SSL protocols?
> 
>>>> From Tomcat, you can't.
> 
>>>> If you upgrade to 8.5.x onwards you will get a 400 in the access 
>>>> logs. You won't get the protocol or cipher information since that 
>>>> requires a successful TLS connection before it is populated.
> 
>>> IIRC, we are parsing a little of the initial handshake packet for a 
>>> few things. Would it be possible to snatch the protocol version from 
>>> there and report it in the log file? The cipher suite of course is 
>>> never going to exist because there was no overlap between the client 
>>> and the server, but the protocol always has a single value for a 
>>> handshake attempt.
> 
>>> -chris
> 
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl44J9EACgkQHPApP6U8
pFjx0RAAuJq3UIEhPA6QWjPC2afKGoHEPCyUQj/GYKz7RrHRzAG0gcziQpp/RChY
MYxs/rbAoEWp0IV3hYrU0S5jH0TeLIq0vgSY+ktYTjFE91p3GYvbZp+/JWfKu6TA
57L+5bmYn9mABhC7flQu4E3Morb9rqBAXym7XcHFKY3+/t1JwoVNnFG4+EyRI5tr
JerJqHFb5ofAPvYQv7VTwLfcx+YzU8PxW4eCl+Wcxsuju/FgeuyyjNMMuYvEf428
txIgO48egCYOA3PD271kMiIsSCXyYMsfAVmQG80iHt49kfc0hxpsNejg4PtX6I5+
6Swpnw8yS/Ituj0dZQk30wvbtJiNhhi4TWXYQ5O7aOTpXR3qNW0MiXNu0HLesk76
dMlf93tGzgcLeFc/aRXB48aFK4cDsoms1sE7HM+zJnWdqLNGTSden9xVVeq3HIoa
uHfsRDUa+2NKmocJ2aFfFdmWTqbuxO8Wr7TvpxQtTOI9aw9szshhB8QyQvq1ImGb
Nmns0q58G2uJDPO96r9PB1AYryJNCZXCjyOGKhu2z67AsuT6QeR7o3RwSYa3tvgN
U+LoQsGUspm1387rfprrQoVfH69I4eP+hgW/LEiUqMEM13MIeByKx1s3D4HdgbDC
YT7ul7kWZyOGcBzGkkA7C+jqBxqhTRGFoVGrAs9lkJ1JUqtsGnM=
=O6XP
-----END PGP SIGNATURE-----



Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Manish,

On 2/2/20 11:20 PM, Palod, Manish wrote:
> Thanks Chris for considering this for future release.
> 
> In future will the fix be ported into Tomcat 7 also?

Let's see if anyone wants to implement this in trunk, first. If you
want to prepare some patches/PRs, it's much more likely to go the way
you hope.

- -chris

> -----Original Message----- From: Christopher Schultz
> <ch...@christopherschultz.net> Sent: Saturday, February 1, 2020
> 9:54 PM To: users@tomcat.apache.org Subject: Re: Tomcat 7: logs for
> failure request with unsupported cipher and unsupported SSL
> protocol
> 
> Manish,
> 
> On 1/31/20 8:01 PM, Palod, Manish wrote:
>> I will look forward for future release with enhanced info about 
>> connection.
> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=64110
> 
> Patches are always welcome.
> 
> -chris
> 
>> -----Original Message----- From: Christopher Schultz 
>> <ch...@christopherschultz.net> Sent: Saturday, February 1, 2020 
>> 12:03 AM To: users@tomcat.apache.org Subject: Re: Tomcat 7: logs
>> for failure request with unsupported cipher and unsupported SSL
>> protocol
> 
>> Manish,
> 
>> On 1/30/20 3:12 AM, Palod, Manish wrote:
>>> Thanks Mark and Chris for providing the info.
> 
>>>> IIRC, we are parsing a little of the initial handshake packet
>>>> for a few things. Would it be possible to snatch the protocol
>>>> version from there and report it in the log file?
> 
>>> Manish> is this available into some log file today
> 
>> No.
> 
>>> and this be added into some future release.
> 
>> I was asking about the feasibility of adding it in the future.
>> Mark knows the code very well and is in a good position to
>> comment. The data should be available, but we might need to do
>> some work to get it into the right place so it makes it into the
>> access log itself (since there is no actual "request" in this
>> case).
> 
>>>> The cipher suite of course is never going to exist because
>>>> there was no overlap between the client and the server, but
>>>> the protocol always has a single value for a handshake
>>>> attempt.
> 
>>> Manish> What happens in case connection is in TLSv1.2 but with 
>>> unsupported cipher, will this information show up?
>> Theoretically, you could get a report of "TLSv1.2" for the
>> protocol, but the cipher suite would say "-" (or similar).
> 
>>> Our requirement is to audit all the connection to the server 
>>> [successful and failed both] and in case of failure, reason for
>>>  failure.
>> You will never truly be able to know the reason for every
>> failure. That requirement is impossible to meet.
> 
>> -chris
> 
>>> -----Original Message----- From: Christopher Schultz 
>>> <ch...@christopherschultz.net> Sent: Wednesday, January 29,
>>> 2020 9:32 PM To: users@tomcat.apache.org Subject: Re: Tomcat 7:
>>> logs for failure request with unsupported cipher and
>>> unsupported SSL protocol
> 
>>> Mark,
> 
>>> On 1/29/20 7:56 AM, Mark Thomas wrote:
>>>> On 29/01/2020 12:40, Palod, Manish wrote:
>>>>> Hi All,
>>>>> 
>>>>> 
>>>>> I am using tomcat 7 and in our server we support connection
>>>>> only with "TLSv1.2" and cipher
>>>>> "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256".
>>>>> 
>>>>> 
>>>>> 
>>>>> Following is the Access valve pattern "%{E M/d/y @
>>>>> hh:mm:ss.S a z}t %a (%{X-Forwarded-For}i) > %A:%p
>>>>> &quot;%r&quot; %{requestBodyLength}r %D %s %B %I
>>>>> &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; %u
>>>>> %{username}s %{sessionTracker}s with TLS protocol
>>>>> %{org.apache.tomcat.util.net.secure_protocol_version}r and
>>>>> Cipher %{javax.servlet.request.cipher_suite}r"
>>>>> 
>>>>> 
>>>>> 
>>>>> and we are able to see following logs for successful 
>>>>> connection:
>>>>> 
>>>>> 
>>>>> 
>>>>> Wed 1/29/2020 @ 04:19:46.6 PM IST <Source-IP> (-) > 
>>>>> <Server-IP>:443  "GET /favicon.ico HTTP/1.1" - 1 404 66, 
>>>>> "https://xx.xx.xx.xx/ /html/popCheck.html"  "Mozilla/5.0
>>>>> (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
>>>>> like Gecko) Chrome/79.0.3945.130 Safari/537.36" - - - with
>>>>> TLS protocol TLSv1.2 and Cipher 
>>>>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>>> 
>>>>> 
>>>>> But in case when request is made with ex. SSLv3, TLSv1 or 
>>>>> unsupported ciphers, Server is rejecting the request but no
>>>>> audit message is coming into the access logs.
>>>>> 
>>>>> How can I get details about these requests with unsupported
>>>>> ciphers and unsupported SSL protocols?
> 
>>>> From Tomcat, you can't.
> 
>>>> If you upgrade to 8.5.x onwards you will get a 400 in the
>>>> access logs. You won't get the protocol or cipher information
>>>> since that requires a successful TLS connection before it is
>>>> populated.
> 
>>> IIRC, we are parsing a little of the initial handshake packet
>>> for a few things. Would it be possible to snatch the protocol
>>> version from there and report it in the log file? The cipher
>>> suite of course is never going to exist because there was no
>>> overlap between the client and the server, but the protocol
>>> always has a single value for a handshake attempt.
> 
>>> -chris
> 


RE: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol

Posted by "Palod, Manish" <Ma...@McAfee.com>.
Thanks, Chris, for considering this for a future release.

In future, will the fix be ported to Tomcat 7 also?

Regards
Manish

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Saturday, February 1, 2020 9:54 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Manish,

On 1/31/20 8:01 PM, Palod, Manish wrote:
> I will look forward for future release with enhanced info about 
> connection.

https://bz.apache.org/bugzilla/show_bug.cgi?id=64110

Patches are always welcome.

- -chris

> -----Original Message----- From: Christopher Schultz 
> <ch...@christopherschultz.net> Sent: Saturday, February 1, 2020
> 12:03 AM To: users@tomcat.apache.org Subject: Re: Tomcat 7: logs for 
> failure request with unsupported cipher and unsupported SSL protocol
> 
> Manish,
> 
> On 1/30/20 3:12 AM, Palod, Manish wrote:
>> Thanks Mark and Chris for providing the info.
> 
>>> IIRC, we are parsing a little of the initial handshake packet for a 
>>> few things. Would it be possible to snatch the protocol version from 
>>> there and report it in the log file?
> 
>> Manish> is this available into some log file today
> 
> No.
> 
>> and this be added into some future release.
> 
> I was asking about the feasibility of adding it in the future. Mark 
> knows the code very well and is in a good position to comment. The 
> data should be available, but we might need to do some work to get it 
> into the right place so it makes it into the access log itself (since 
> there is no actual "request" in this case).
> 
>>> The cipher suite of course is never going to exist because there was 
>>> no overlap between the client and the server, but the protocol 
>>> always has a single value for a handshake attempt.
> 
>> Manish> What happens in case connection is in TLSv1.2 but with
>> unsupported cipher, will this information show up?
> Theoretically, you could get a report of "TLSv1.2" for the protocol, 
> but the cipher suite would say "-" (or similar).
> 
>> Our requirement is to audit all the connection to the server 
>> [successful and failed both] and in case of failure, reason for 
>> failure.
> You will never truly be able to know the reason for every failure. 
> That requirement is impossible to meet.
> 
> -chris
> 
>> -----Original Message----- From: Christopher Schultz 
>> <ch...@christopherschultz.net> Sent: Wednesday, January 29, 2020
>> 9:32 PM To: users@tomcat.apache.org Subject: Re: Tomcat 7: logs for 
>> failure request with unsupported cipher and unsupported SSL protocol
> 
>> Mark,
> 
>> On 1/29/20 7:56 AM, Mark Thomas wrote:
>>> On 29/01/2020 12:40, Palod, Manish wrote:
>>>> Hi All,
>>>> 
>>>> 
>>>> I am using tomcat 7 and in our server we support connection only 
>>>> with "TLSv1.2" and cipher "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256".
>>>> 
>>>> 
>>>> 
>>>> Following is the Access valve pattern "%{E M/d/y @ hh:mm:ss.S a z}t 
>>>> %a (%{X-Forwarded-For}i) > %A:%p &quot;%r&quot; 
>>>> %{requestBodyLength}r %D %s %B %I &quot;%{Referer}i&quot; 
>>>> &quot;%{User-Agent}i&quot; %u %{username}s %{sessionTracker}s with 
>>>> TLS protocol %{org.apache.tomcat.util.net.secure_protocol_version}r 
>>>> and Cipher %{javax.servlet.request.cipher_suite}r"
>>>> 
>>>> 
>>>> 
>>>> and we are able to see following logs for successful
>>>> connection:
>>>> 
>>>> 
>>>> 
>>>> Wed 1/29/2020 @ 04:19:46.6 PM IST <Source-IP> (-) >
>>>> <Server-IP>:443  "GET /favicon.ico HTTP/1.1" - 1 404 66, 
>>>> "https://xx.xx.xx.xx/ /html/popCheck.html"  "Mozilla/5.0 (Windows 
>>>> NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
>>>> Chrome/79.0.3945.130 Safari/537.36" - - - with TLS protocol TLSv1.2 
>>>> and Cipher
>>>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>> 
>>>> 
>>>> But in case when request is made with ex. SSLv3, TLSv1 or 
>>>> unsupported ciphers, Server is rejecting the request but no audit 
>>>> message is coming into the access logs.
>>>> 
>>>> How can I get details about these requests with unsupported ciphers 
>>>> and unsupported SSL protocols?
> 
>>> From Tomcat, you can't.
> 
>>> If you upgrade to 8.5.x onwards you will get a 400 in the access 
>>> logs. You won't get the protocol or cipher information since that 
>>> requires a successful TLS connection before it is populated.
> 
>> IIRC, we are parsing a little of the initial handshake packet for a 
>> few things. Would it be possible to snatch the protocol version from 
>> there and report it in the log file? The cipher suite of course is 
>> never going to exist because there was no overlap between the client 
>> and the server, but the protocol always has a single value for a 
>> handshake attempt.
> 
>> -chris
> 


Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Manish,

On 1/31/20 8:01 PM, Palod, Manish wrote:
> I will look forward for future release with enhanced info about
> connection.

https://bz.apache.org/bugzilla/show_bug.cgi?id=64110

Patches are always welcome.

- -chris

> -----Original Message----- From: Christopher Schultz
> <ch...@christopherschultz.net> Sent: Saturday, February 1, 2020
> 12:03 AM To: users@tomcat.apache.org Subject: Re: Tomcat 7: logs
> for failure request with unsupported cipher and unsupported SSL
> protocol
> 
> Manish,
> 
> On 1/30/20 3:12 AM, Palod, Manish wrote:
>> Thanks Mark and Chris for providing the info.
> 
>>> IIRC, we are parsing a little of the initial handshake packet
>>> for a few things. Would it be possible to snatch the protocol
>>> version from there and report it in the log file?
> 
>> Manish> is this available into some log file today
> 
> No.
> 
>> and this be added into some future release.
> 
> I was asking about the feasibility of adding it in the future. Mark
> knows the code very well and is in a good position to comment. The
> data should be available, but we might need to do some work to get
> it into the right place so it makes it into the access log itself
> (since there is no actual "request" in this case).
> 
>>> The cipher suite of course is never going to exist because
>>> there was no overlap between the client and the server, but the
>>> protocol always has a single value for a handshake attempt.
> 
>> Manish> What happens in case connection is in TLSv1.2 but with 
>> unsupported cipher, will this information show up?
> Theoretically, you could get a report of "TLSv1.2" for the
> protocol, but the cipher suite would say "-" (or similar).
> 
>> Our requirement is to audit all the connection to the server 
>> [successful and failed both] and in case of failure, reason for 
>> failure.
> You will never truly be able to know the reason for every failure. 
> That requirement is impossible to meet.
> 
> -chris
> 
>> -----Original Message----- From: Christopher Schultz 
>> <ch...@christopherschultz.net> Sent: Wednesday, January 29, 2020 
>> 9:32 PM To: users@tomcat.apache.org Subject: Re: Tomcat 7: logs
>> for failure request with unsupported cipher and unsupported SSL
>> protocol
> 
>> Mark,
> 
>> On 1/29/20 7:56 AM, Mark Thomas wrote:
>>> On 29/01/2020 12:40, Palod, Manish wrote:
>>>> Hi All,
>>>> 
>>>> 
>>>> I am using tomcat 7 and in our server we support connection
>>>> only with "TLSv1.2" and cipher
>>>> "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256".
>>>> 
>>>> 
>>>> 
>>>> Following is the Access valve pattern "%{E M/d/y @ hh:mm:ss.S
>>>> a z}t %a (%{X-Forwarded-For}i) > %A:%p &quot;%r&quot; 
>>>> %{requestBodyLength}r %D %s %B %I &quot;%{Referer}i&quot; 
>>>> &quot;%{User-Agent}i&quot; %u %{username}s %{sessionTracker}s
>>>> with TLS protocol
>>>> %{org.apache.tomcat.util.net.secure_protocol_version}r and
>>>> Cipher %{javax.servlet.request.cipher_suite}r"
>>>> 
>>>> 
>>>> 
>>>> and we are able to see following logs for successful 
>>>> connection:
>>>> 
>>>> 
>>>> 
>>>> Wed 1/29/2020 @ 04:19:46.6 PM IST <Source-IP> (-) > 
>>>> <Server-IP>:443  "GET /favicon.ico HTTP/1.1" - 1 404 66, 
>>>> "https://xx.xx.xx.xx/ /html/popCheck.html"  "Mozilla/5.0
>>>> (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
>>>> like Gecko) Chrome/79.0.3945.130 Safari/537.36" - - - with
>>>> TLS protocol TLSv1.2 and Cipher 
>>>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>> 
>>>> 
>>>> But in case when request is made with ex. SSLv3, TLSv1 or 
>>>> unsupported ciphers, Server is rejecting the request but no
>>>> audit message is coming into the access logs.
>>>> 
>>>> How can I get details about these requests with unsupported
>>>> ciphers and unsupported SSL protocols?
> 
>>> From Tomcat, you can't.
> 
>>> If you upgrade to 8.5.x onwards you will get a 400 in the
>>> access logs. You won't get the protocol or cipher information
>>> since that requires a successful TLS connection before it is
>>> populated.
> 
>> IIRC, we are parsing a little of the initial handshake packet for
>> a few things. Would it be possible to snatch the protocol version
>> from there and report it in the log file? The cipher suite of
>> course is never going to exist because there was no overlap
>> between the client and the server, but the protocol always has a
>> single value for a handshake attempt.
> 
>> -chris
> 
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl41piQACgkQHPApP6U8
pFhlfA//d1/R1xucnGwyDKTU6B61Jk4VD5+NasK6W3LuUUOHpgVnnubKhQ62AEdY
GGcYickmCzC3a+Ly2zbGirBDhvMLKq/Nr63y25xN8xt+OfiArdpR2LT1s4ZLLCaB
xz2Xe3zt0eHhtf5Wulmbg9fPYhTUuKSKCldNX2iOYnoCuWkj4EoMsaf41F9nDriS
M2TLXR0UqgDYgzk9YsGKVGJi6LsAmdUvM5M8CPHfHCFFCdloORnBxLl3G0YAm4KP
QZNIwvMNZuy6EbOAwqk8pRwZ8sxpEcc2SZswTD6PPhPNtZA0/IFUSNBnYwUuJvIz
XQtQckzO5iFKJlA1s8lZi+YWMJNYKJshoGVaXxhHSHKUysyfxZEkLwXtq024aQhP
E/9ZIMLGa9LxBxS641yfHtHbaf3+1od/0Y5i5hcjxrUTqrbbfJiv8UMJYd0foRNY
7syJtuDQBcyJt76jJNcTE3xb2/xzQnlf/oIIKkDMLiQJl530A1BoQaqppVa/x/eb
eQ8NvLZ1hAiBN7k8/7J6By6JY7+XQCKyMcPJTvxyl4bWfochkEJVNJD8iVYvFDMW
UsjAcfOCnYhanYD4WVMAiaFDmVil4G4ZP//C2uNTxw/no4nZa//7xOowi+401TCi
hzwRZIEa7TChDWNUKgUag/4KxOxES0zIV9R27BtCsZ6So7La6m4=
=WFWz
-----END PGP SIGNATURE-----



RE: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol

Posted by "Palod, Manish" <Ma...@McAfee.com>.
Thanks, Chris, for the updates.

I will look forward to a future release with enhanced info about the connection.

Regards
Manish

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Saturday, February 1, 2020 12:03 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Manish,

On 1/30/20 3:12 AM, Palod, Manish wrote:
> Thanks Mark and Chris for providing the info.
> 
>> IIRC, we are parsing a little of the initial handshake packet for a 
>> few things. Would it be possible to snatch the protocol version from 
>> there and report it in the log file?
> 
> Manish> Is this available in some log file today?

No.

> And will this be added in some future release?

I was asking about the feasibility of adding it in the future. Mark knows the code very well and is in a good position to comment. The data should be available, but we might need to do some work to get it into the right place so it makes it into the access log itself (since there is no actual "request" in this case).

>> The cipher suite of course is never going to exist because there was 
>> no overlap between the client and the server, but the protocol always 
>> has a single value for a handshake attempt.
> 
> Manish> What happens in case connection is in TLSv1.2 but with
> unsupported cipher, will this information show up?
Theoretically, you could get a report of "TLSv1.2" for the protocol, but the cipher suite would say "-" (or similar).

> Our requirement is to audit all the connection to the server 
> [successful and failed both] and in case of failure, reason for 
> failure.
You will never truly be able to know the reason for every failure.
That requirement is impossible to meet.

- -chris

> -----Original Message----- From: Christopher Schultz 
> <ch...@christopherschultz.net> Sent: Wednesday, January 29, 2020
> 9:32 PM To: users@tomcat.apache.org Subject: Re: Tomcat 7: logs for 
> failure request with unsupported cipher and unsupported SSL protocol
> 
> CAUTION: External email. Do not click links or open attachments unless 
> you recognize the sender and know the content is safe.
> 
> Mark,
> 
> On 1/29/20 7:56 AM, Mark Thomas wrote:
>> On 29/01/2020 12:40, Palod, Manish wrote:
>>> Hi All,
>>> 
>>> 
>>> I am using tomcat 7 and in our server we support connection only 
>>> with "TLSv1.2" and cipher "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256".
>>> 
>>> 
>>> 
>>> Following is the Access valve pattern "%{E M/d/y @ hh:mm:ss.S a z}t 
>>> %a (%{X-Forwarded-For}i) > %A:%p &quot;%r&quot; 
>>> %{requestBodyLength}r %D %s %B %I &quot;%{Referer}i&quot; 
>>> &quot;%{User-Agent}i&quot; %u %{username}s %{sessionTracker}s with 
>>> TLS protocol %{org.apache.tomcat.util.net.secure_protocol_version}r 
>>> and Cipher %{javax.servlet.request.cipher_suite}r"
>>> 
>>> 
>>> 
>>> and we are able to see following logs for successful
>>> connection:
>>> 
>>> 
>>> 
>>> Wed 1/29/2020 @ 04:19:46.6 PM IST <Source-IP> (-) >
>>> <Server-IP>:443  "GET /favicon.ico HTTP/1.1" - 1 404 66, 
>>> "https://xx.xx.xx.xx/ /html/popCheck.html"  "Mozilla/5.0 (Windows NT 
>>> 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
>>> Gecko) Chrome/79.0.3945.130 Safari/537.36" - - - with TLS protocol 
>>> TLSv1.2 and Cipher
>>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>> 
>>> 
>>> But in case when request is made with ex. SSLv3, TLSv1 or 
>>> unsupported ciphers, Server is rejecting the request but no audit 
>>> message is coming into the access logs.
>>> 
>>> How can I get details about these requests with unsupported ciphers 
>>> and unsupported SSL protocols?
> 
>> From Tomcat, you can't.
> 
>> If you upgrade to 8.5.x onwards you will get a 400 in the access 
>> logs. You won't get the protocol or cipher information since that 
>> requires a successful TLS connection before it is populated.
> 
> IIRC, we are parsing a little of the initial handshake packet for a 
> few things. Would it be possible to snatch the protocol version from 
> there and report it in the log file? The cipher suite of course is 
> never going to exist because there was no overlap between the client 
> and the server, but the protocol always has a single value for a 
> handshake attempt.
> 
> -chris
> 
> ---------------------------------------------------------------------
>
> 
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> ---------------------------------------------------------------------
>
> 
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
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=G4Rv
-----END PGP SIGNATURE-----



Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Manish,

On 1/30/20 3:12 AM, Palod, Manish wrote:
> Thanks Mark and Chris for providing the info.
> 
>> IIRC, we are parsing a little of the initial handshake packet for
>> a few things. Would it be possible to snatch the protocol
>> version from there and report it in the log file?
> 
> Manish> is this available into some log file today

No.

> and this be added into some future release.

I was asking about the feasibility of adding it in the future. Mark
knows the code very well and is in a good position to comment. The
data should be available, but we might need to do some work to get it
into the right place so it makes it into the access log itself (since
there is no actual "request" in this case).

>> The cipher suite of course is never going to exist because there
>> was no overlap between the client and the server, but the
>> protocol always has a single value for a handshake attempt.
> 
> Manish> What happens in case connection is in TLSv1.2 but with 
> unsupported cipher, will this information show up?
Theoretically, you could get a report of "TLSv1.2" for the protocol,
but the cipher suite would say "-" (or similar).

> Our requirement is to audit all the connection to the server 
> [successful and failed both] and in case of failure, reason for 
> failure.
You will never truly be able to know the reason for every failure.
That requirement is impossible to meet.

-chris




RE: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol

Posted by "Palod, Manish" <Ma...@McAfee.com>.
Thanks Mark and Chris for providing the info.

IIRC, we are parsing a little of the initial handshake packet for a few things. Would it be possible to snatch the protocol version from there and report it in the log file?

Manish> Is this available in some log file today, and could this be added in some future release?

The cipher suite of course is never going to exist because there was no overlap between the client and the server, but the protocol always has a single value for a handshake attempt.
Manish> What happens in case the connection is TLSv1.2 but with an unsupported cipher; will this information show up?

Our requirement is to audit all connections to the server [both successful and failed] and, in case of failure, the reason for failure.

Regards
Manish

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Wednesday, January 29, 2020 9:32 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol




Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol

Posted by Mark Thomas <ma...@apache.org>.
On 29/01/2020 16:02, Christopher Schultz wrote:
> Mark,
> 
> IIRC, we are parsing a little of the initial handshake packet for a
> few things. Would it be possible to snatch the protocol version from
> there and report it in the log file? The cipher suite of course is
> never going to exist because there was no overlap between the client
> and the server, but the protocol always has a single value for a
> handshake attempt.

Potentially. I haven't looked at how easy it would be to insert the
protocol in the right place so the access log valve picks it up.

Mark



Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 1/29/20 7:56 AM, Mark Thomas wrote:
> 
> From Tomcat, you can't.
> 
> If you upgrade to 8.5.x onwards you will get a 400 in the access
> logs. You won't get the protocol or cipher information since that
> requires a successful TLS connection before it is populated.

IIRC, we are parsing a little of the initial handshake packet for a
few things. Would it be possible to snatch the protocol version from
there and report it in the log file? The cipher suite of course is
never going to exist because there was no overlap between the client
and the server, but the protocol always has a single value for a
handshake attempt.

-chris

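The exchange above turns on what a server already knows when it rejects a handshake: only the ClientHello has been read, so the offered protocol version(s) are known but no cipher suite was ever negotiated. As an added example that is not Tomcat's code and not from anyone in this thread, the Python below parses a TLS ClientHello record and classifies it against the policy Manish describes (TLSv1.2 only, the single suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), producing the kind of audit line the thread asks for. The server policy, the cipher-suite name table, the source addresses and the sample hellos are all constructed for the example; `build_client_hello` exists only to assemble those samples. It distinguishes the two failure cases discussed: no version overlap (protocol is reported, cipher is "-") and TLSv1.2 with no cipher overlap (protocol TLSv1.2, cipher "-").

```python
import struct

# Policy assumed from the thread (hypothetical, not read from any Tomcat
# config): TLSv1.2 only, one cipher suite.
SERVER_PROTOCOLS = {0x0303}   # TLSv1.2
SERVER_CIPHERS = {0xC02F}     # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
CIPHER_NAMES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                0x1301: "TLS_AES_128_GCM_SHA256"}
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0, 43


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello (RFC 5246 / RFC 8446 wire
    format) into the fields an audit line can use; ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!xHH", record[:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                                   # skip client_random
    pos += 1 + hs[pos]                             # skip session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                             # skip compression_methods
    versions, sni = [client_version], None
    if pos + 2 <= len(hs):                         # extensions are optional
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            edata, pos = hs[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS and elen >= 3:
                # a TLS 1.3-capable client lists every version it accepts here
                versions = [struct.unpack("!H", edata[i:i + 2])[0]
                            for i in range(1, 1 + edata[0], 2)]
            elif etype == EXT_SERVER_NAME and elen >= 5:
                # list_len(2) name_type(1) name_len(2) host_name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"record_version": record_version, "versions": versions,
            "cipher_suites": suites, "sni": sni}


def classify(hello: dict) -> tuple:
    """(protocol_name, cipher_name, reason) under the assumed policy;
    reason is None when the handshake would proceed."""
    offered = set(hello["versions"])
    common = offered & SERVER_PROTOCOLS
    if not common:
        best = max(offered)
        return VERSION_NAMES.get(best, hex(best)), "-", "unsupported protocol"
    proto = VERSION_NAMES[max(common)]
    for cs in hello["cipher_suites"]:              # client preference order
        if cs in SERVER_CIPHERS:
            return proto, CIPHER_NAMES.get(cs, hex(cs)), None
    return proto, "-", "no common cipher suite"


def audit_line(src: str, record: bytes) -> str:
    """One access-log-style line per handshake attempt, accepted or not."""
    try:
        hello = parse_client_hello(record)
    except ValueError as exc:
        return f"{src} TLS handshake rejected: reason={exc}"
    proto, cipher, reason = classify(hello)
    verdict = "accepted" if reason is None else f"rejected: reason={reason}"
    return (f"{src} TLS handshake {verdict} protocol={proto} "
            f"cipher={cipher} sni={hello['sni'] or '-'}")


def build_client_hello(version: int, suites: list, sni: str = None,
                       supported_versions: list = None) -> bytes:
    """Constructed test input (not a capture): a minimal ClientHello record."""
    exts = b""
    if sni:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        data = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(data)) + data
    if supported_versions:
        data = bytes([2 * len(supported_versions)]) + b"".join(
            struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs


if __name__ == "__main__":
    # Constructed attempts: TLSv1-only client, TLSv1.2 client with no common
    # suite, TLSv1.2 client that succeeds, TLSv1.3-only client.
    for src, rec in [
        ("10.0.0.1", build_client_hello(0x0301, [0x002F], sni="app.example")),
        ("10.0.0.2", build_client_hello(0x0303, [0x002F], sni="app.example")),
        ("10.0.0.3", build_client_hello(0x0303, [0xC030, 0xC02F])),
        ("10.0.0.4", build_client_hello(0x0303, [0x1301], supported_versions=[0x0304]))]:
        print(audit_line(src, rec))
```

Run as a script it prints one line per constructed attempt. The point for auditing is that the protocol column is populated from the ClientHello even when the handshake fails, while the cipher column can only ever be "-" on failure, which is exactly the split Chris describes; reasons beyond those two (a client that simply disconnects, a garbage first byte) still collapse to a generic parse error, matching his caution that not every failure is explainable.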