Bug 64531 - mod_ssl doesn't log client IP although it would be available many times
Summary: mod_ssl doesn't log client IP although it would be available many times
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.43
Hardware: All All
Importance: P2 enhancement with 6 votes
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2020-06-17 07:05 UTC by Dominik Stillhard
Modified: 2020-06-17 07:07 UTC
CC: 1 user
Description Dominik Stillhard 2020-06-17 07:05:27 UTC
mod_ssl uses the function ssl_log_ssl_error (ssl_engine_log.c:86) to log library errors. This function calls ap_log_error.
My proposal would be to write a method ssl_log_ssl_cerror, which calls ap_log_cerror. This function would be called instead of ssl_log_ssl_error whenever a conn_rec is available. The advantage is that, like this, we can see a client IP address in the logs, while with ap_log_error we can't. It's OK to use ap_log_error for configuration and initialization stuff, but for all connection-related errors we should go for ap_log_cerror.

For example, these two log lines are from one failed connection attempt, but the second line doesn't show an IP address:

   Thu May 28 11:55:04 2020 [client({c}a)=fc00::cafe:39298] [client(a)=fc00::cafe:39298] [msg="AH01996: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page"] 

   Thu May 28 11:55:04 2020 [client({c}a)=-] [client(a)=-] [msg="SSL Library Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request -- speaking HTTP to HTTPS port!?"]

I think this would bring a lot of advantages (the client IP is often used to correlate requests, for example by an external program that parses Apache logs) for quite a small effort.
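The correlation problem described in the report, shown with an added example that is not part of the bug report or of httpd itself: a small parser for the bracketed key=value error-log layout visible in the two quoted lines (the exact ErrorLogFormat behind them is assumed), which attributes each line to a client address and has to fall back to a same-timestamp guess for lines that mod_ssl logged through ap_log_error with `client(a)=-`.

```python
import re

# Constructed sample: the two lines quoted in the report. A custom ErrorLogFormat
# that prints a timestamp followed by bracketed key=value fields is assumed.
SAMPLE_LOG = """\
Thu May 28 11:55:04 2020 [client({c}a)=fc00::cafe:39298] [client(a)=fc00::cafe:39298] [msg="AH01996: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page"]
Thu May 28 11:55:04 2020 [client({c}a)=-] [client(a)=-] [msg="SSL Library Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request -- speaking HTTP to HTTPS port!?"]
"""

# Leading timestamp, then the rest of the line as bracketed fields.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<rest>.*)$")
# One [key=value] field; the value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'\[(?P<key>[^\]=]+)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^\]]*))\]')


def parse_line(line):
    """Return {'ts': ..., 'fields': {key: value}} or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for f in FIELD_RE.finditer(m.group("rest")):
        value = f.group("quoted") if f.group("quoted") is not None else f.group("bare")
        fields[f.group("key")] = value
    return {"ts": m.group("ts"), "fields": fields}


def client_addr(rec):
    """Client address from the 'client(a)' field; None when httpd printed '-'."""
    addr = rec["fields"].get("client(a)", "-")
    return None if addr == "-" else addr


def correlate(log_text):
    """Attribute each line to a client address.

    Returns a list of (address, how, msg) tuples where `how` is:
      'logged'  - httpd wrote the address itself (ap_log_cerror path),
      'guessed' - no address on the line; taken from the most recent attributed
                  line with the same timestamp (the fragile fallback an external
                  log parser is forced into today),
      'unknown' - no address and nothing to guess from.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    results = []
    last_seen = {}  # timestamp -> most recent client address logged in that second
    for rec in records:
        msg = rec["fields"].get("msg", "")
        addr = client_addr(rec)
        if addr is not None:
            last_seen[rec["ts"]] = addr
            results.append((addr, "logged", msg))
        else:
            guess = last_seen.get(rec["ts"])
            results.append((guess, "guessed" if guess else "unknown", msg))
    return results


if __name__ == "__main__":
    for addr, how, msg in correlate(SAMPLE_LOG):
        print(f"{addr or '-':>20} [{how}] {msg[:60]}")
```

The `guessed` path is the weakness the report points at: with several concurrent handshakes failing in the same second, the same-timestamp heuristic attributes the library error to the wrong client, whereas a line written through ap_log_cerror carries the address itself and needs no guessing.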