64110 – Record TLS protocol in access log for connections with a failed TLS handshake

Bug 64110 - Record TLS protocol in access log for connections with a failed TLS handshake

Summary: Record TLS protocol in access log for connections with a failed TLS handshake

Status:	RESOLVED FIXED

Alias:	None

Product:	Tomcat 9
Classification:	Unclassified
Component:	Connectors (show other bugs)
Version:	unspecified
Hardware:	PC Mac OS X 10.1

Importance:	P2 enhancement with 5 votes (vote)
Target Milestone:	-----
Assignee:	Tomcat Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-02-01 16:23 UTC by Christopher Schultz
Modified:	2020-12-04 09:11 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christopher Schultz 2020-02-01 16:23:45 UTC

For reference: https://lists.apache.org/thread.html/r7d872a09a56b539545a226813761ee3c0dcdf75787449dd8551f2f07%40%3Cusers.tomcat.apache.org%3E

When a TLS connection is attempted and failed, Tomcat will record an access log where the protocol is "-" and the cipher suite is "-" (if specified in the log string, of course).

In the event of a TLS handshake failure (e.g. no shared cipher suites, protocol not supported/configured/allowed, insufficient client-cert trust, etc.), the TLS protocol itself -- as advertised by the client -- should be a known value, and should be available to the access log instead of "-".

Comment 1 manish palod 2020-02-22 13:15:14 UTC

This applies to Tomcat 7 and Tomcat 8 also.

Comment 2 Mark Thomas 2020-11-26 14:40:25 UTC

https://github.com/apache/tomcat/pull/380 submitted for feedback.

Comment 3 Mark Thomas 2020-12-04 09:11:28 UTC

Fixed in:
- 10.0.x for 10.0.1 onwards
- 9.0.x for 9.0.42 onwards
- 8.5.x for 8.5.62 onwards