Bug 64110 - Record TLS protocol in access log for connections with a failed TLS handshake
Summary: Record TLS protocol in access log for connections with a failed TLS handshake
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Connectors
Version: unspecified
Hardware: PC Mac OS X 10.1
Importance: P2 enhancement with 5 votes
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2020-02-01 16:23 UTC by Christopher Schultz
Modified: 2020-12-04 09:11 UTC
Description Christopher Schultz 2020-02-01 16:23:45 UTC
For reference: https://lists.apache.org/thread.html/r7d872a09a56b539545a226813761ee3c0dcdf75787449dd8551f2f07%40%3Cusers.tomcat.apache.org%3E

When a TLS connection is attempted and fails, Tomcat will record an access log entry where the protocol is "-" and the cipher suite is "-" (if specified in the log string, of course).

In the event of a TLS handshake failure (e.g. no shared cipher suites, protocol not supported/configured/allowed, insufficient client-cert trust, etc.), the TLS protocol itself -- as advertised by the client -- should be a known value, and should be available to the access log instead of "-".
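As an added example (not part of this bug report and not Tomcat's own code), the Python script below shows the two access-log fields the report refers to and flags failed handshakes in a few constructed log lines. It assumes an AccessLogValve pattern that appends the request attributes org.apache.tomcat.util.net.secure_protocol_version and javax.servlet.request.cipher_suite, and that the log comes from an HTTPS connector only. The sample lines are constructed for this example: the "-" request line and 400 status shown for failed handshakes are the example's assumption, the line with protocol "-" models the behaviour described above, and the lines with a populated protocol model the behaviour this report asks for.

```python
"""
Added example (not from the Tomcat bug report): parse access-log lines that
carry the TLS protocol and cipher-suite request attributes and flag
connections whose TLS handshake did not complete.

Assumed AccessLogValve pattern in server.xml (attribute names as exposed by
Tomcat's SSLSupport; the surrounding pattern is this example's choice):

  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="localhost_access_log" suffix=".txt"
         pattern='%h %l %u %t "%r" %s %b %{org.apache.tomcat.util.net.secure_protocol_version}r %{javax.servlet.request.cipher_suite}r' />
"""
import re
from collections import Counter

# Constructed sample log in the assumed pattern (not captured from a real
# server). Line 1 is a completed TLS session. Lines 2-4 model failed
# handshakes: no request line, no cipher suite. Line 2 has protocol "-" (the
# behaviour the report describes); lines 3-4 carry the protocol version the
# client advertised, which is what the report asks for.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Feb/2020:16:23:45 +0000] "GET /index.html HTTP/1.1" 200 1234 TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
203.0.113.11 - - [01/Feb/2020:16:23:46 +0000] "-" 400 - - -
203.0.113.11 - - [01/Feb/2020:16:23:47 +0000] "-" 400 - TLSv1 -
203.0.113.12 - - [01/Feb/2020:16:23:48 +0000] "-" 400 - TLSv1.3 -
"""

# One regex per field of the assumed pattern; the last two groups are the
# protocol and cipher-suite request attributes.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'(?P<protocol>\S+) (?P<cipher>\S+)$'
)


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """
    Classify one parsed entry from an HTTPS connector's access log.

    A completed TLS handshake always negotiates a cipher suite, so a cipher
    field of "-" means the handshake did not complete. Whether the protocol
    field is populated for such a line depends on the Tomcat version.
    """
    if entry["cipher"] != "-":
        return "tls_ok"
    if entry["protocol"] == "-":
        return "handshake_failed_protocol_unknown"
    return "handshake_failed"


def summarize(log_text):
    """Count failed handshakes per (client host, advertised protocol)."""
    failures = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        if classify(entry) != "tls_ok":
            failures[(entry["host"], entry["protocol"])] += 1
    return {"failures": dict(failures), "unparsed": unparsed}


if __name__ == "__main__":
    for (host, proto), n in sorted(summarize(SAMPLE_LOG)["failures"].items()):
        print(f"{host} {proto} {n}")
```

Run against a real log, the (host, protocol) breakdown is what makes the recorded protocol useful: a client repeatedly failing with TLSv1 points at a deprecated-protocol client, whereas a failure with a current protocol version points at a cipher-suite or client-certificate problem. With protocol "-" on every failed line, as in the behaviour described above, that distinction is not available from the access log.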
Comment 1 manish palod 2020-02-22 13:15:14 UTC
This applies to Tomcat 7 and Tomcat 8 also.
Comment 2 Mark Thomas 2020-11-26 14:40:25 UTC
https://github.com/apache/tomcat/pull/380 submitted for feedback.
Comment 3 Mark Thomas 2020-12-04 09:11:28 UTC
Fixed in:
- 10.0.x for 10.0.1 onwards
- 9.0.x for 9.0.42 onwards
- 8.5.x for 8.5.62 onwards