For reference: https://lists.apache.org/thread.html/r7d872a09a56b539545a226813761ee3c0dcdf75787449dd8551f2f07%40%3Cusers.tomcat.apache.org%3E

When a TLS connection is attempted and failed, Tomcat will record an access log where the protocol is "-" and the cipher suite is "-" (if specified in the log string, of course).

In the event of a TLS handshake failure (e.g. no shared cipher suites, protocol not supported/configured/allowed, insufficient client-cert trust, etc.), the TLS protocol itself -- as advertised by the client -- should be a known value, and should be available to the access log instead of "-".
This applies to Tomcat 7 and Tomcat 8 also.
https://github.com/apache/tomcat/pull/380 submitted for feedback.
Fixed in:
- 10.0.x for 10.0.1 onwards
- 9.0.x for 9.0.42 onwards
- 8.5.x for 8.5.62 onwards
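The following is an added example, not code from Tomcat or from this thread: a small triage script that groups failed TLS handshakes in an access log by the protocol the client advertised, which is what the behaviour requested in the report makes possible. It assumes the log belongs to a TLS connector, that the access log pattern ends with the TLS protocol followed by the cipher suite, and that the cipher suite stays "-" when the handshake fails; the sample lines, including their status code and request field, are constructed.

```python
from collections import Counter

# Constructed sample lines (not real traffic). Assumed layout: the last two
# whitespace-separated fields are the TLS protocol and the cipher suite.
SAMPLE_LOG = """\
192.0.2.10 [12/Jan/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 TLSv1.3 TLS_AES_128_GCM_SHA256
192.0.2.11 [12/Jan/2021:10:00:02 +0000] "-" 400 - -
192.0.2.12 [12/Jan/2021:10:00:03 +0000] "-" 400 TLSv1 -
192.0.2.12 [12/Jan/2021:10:00:04 +0000] "-" 400 TLSv1 -
192.0.2.13 [12/Jan/2021:10:00:05 +0000] "-" 400 TLSv1.1 -
"""


def classify(line):
    """Return (kind, protocol) for one log line, or None if it is malformed."""
    fields = line.split()
    if len(fields) < 3:
        return None
    protocol, cipher = fields[-2], fields[-1]
    if cipher != "-":
        return ("established", protocol)
    if protocol == "-":
        # Behaviour described in the report: nothing recorded about the attempt.
        return ("failed_unknown_protocol", None)
    # Behaviour requested in the report: client-advertised protocol is logged.
    return ("failed", protocol)


def summarize(log_text):
    """Count failed handshakes per advertised protocol and per client address."""
    by_protocol = Counter()
    by_client = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result is None or result[0] == "established":
            continue
        by_protocol[result[1] or "unknown"] += 1
        by_client[line.split()[0]] += 1
    return by_protocol, by_client


if __name__ == "__main__":
    protocols, clients = summarize(SAMPLE_LOG)
    for name, count in protocols.most_common():
        print(f"{count:4d} failed handshakes advertising {name}")
    for addr, count in clients.most_common(3):
        print(f"{count:4d} failures from {addr}")
```

Entries counted as "unknown" are the ones where both fields were logged as "-", so they cannot be attributed to a legacy-protocol client or to any other specific cause from the access log alone.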