List: tomcat-user
Subject: RE: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol
From: "Palod, Manish" <Manish_Palod () McAfee ! com>
Date: 2020-02-21 17:24:27
Message-ID: DM5PR16MB2248761C73A008ABFAE2334F85120 () DM5PR16MB2248 ! namprd16 ! prod ! outlook ! com
Hi Chris,
I am trying to debug the source code to find out where I will have to make changes to receive the cipher and protocol in case of failures. Not too much success.
I have narrowed it down to a few potential classes [maybe the right direction]:
org/apache/tomcat/util/net/JIoEndpoint.java
org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
org/apache/tomcat/util/threads/TaskThread.java
If you can help me by pointing out the classes where I will have to change the code, I will debug and work on them.
Regards
Manish
-----Original Message-----
From: Christopher Schultz <chris@christopherschultz.net>
Sent: Monday, February 3, 2020 7:32 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat 7: logs for failure request with unsupported cipher and unsupported SSL protocol
Manish,
On 2/2/20 11:20 PM, Palod, Manish wrote:
> Thanks Chris for considering this for future release.
>
> In future will the fix be ported into Tomcat 7 also?
Let's see if anyone wants to implement this in trunk, first. If you want to prepare some patches/PRs, it's much more likely to go the way you hope.
-chris
> -----Original Message----- From: Christopher Schultz
> <chris@christopherschultz.net> Sent: Saturday, February 1, 2020
> 9:54 PM To: users@tomcat.apache.org Subject: Re: Tomcat 7: logs for
> failure request with unsupported cipher and unsupported SSL protocol
>
> Manish,
>
> On 1/31/20 8:01 PM, Palod, Manish wrote:
> > I will look forward for future release with enhanced info about
> > connection.
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=64110
>
> Patches are always welcome.
>
> -chris
>
> > -----Original Message----- From: Christopher Schultz
> > <chris@christopherschultz.net> Sent: Saturday, February 1, 2020
> > 12:03 AM To: users@tomcat.apache.org Subject: Re: Tomcat 7: logs for
> > failure request with unsupported cipher and unsupported SSL protocol
>
> > Manish,
>
> > On 1/30/20 3:12 AM, Palod, Manish wrote:
> > > Thanks Mark and Chris for providing the info.
>
> > > > IIRC, we are parsing a little of the initial handshake packet for a
> > > > few things. Would it be possible to snatch the protocol version
> > > > from there and report it in the log file?
>
> > > Manish> is this available into some log file today
>
> > No.
>
> > > and this be added into some future release.
>
> > I was asking about the feasibility of adding it in the future.
> > Mark knows the code very well and is in a good position to comment.
> > The data should be available, but we might need to do some work to
> > get it into the right place so it makes it into the access log itself
> > (since there is no actual "request" in this case).
>
> > > > The cipher suite of course is never going to exist because there
> > > > was no overlap between the client and the server, but the protocol
> > > > always has a single value for a handshake attempt.
>
> > > Manish> What happens in case connection is in TLSv1.2 but with
> > > unsupported cipher, will this information show up?
> > Theoretically, you could get a report of "TLSv1.2" for the protocol,
> > but the cipher suite would say "-" (or similar).
>
> > > Our requirement is to audit all the connection to the server
> > > [successful and failed both] and in case of failure, reason for
> > > failure.
> > You will never truly be able to know the reason for every failure.
> > That requirement is impossible to meet.
>
> > -chris
>
> > > -----Original Message----- From: Christopher Schultz
> > > <chris@christopherschultz.net> Sent: Wednesday, January 29,
> > > 2020 9:32 PM To: users@tomcat.apache.org Subject: Re: Tomcat 7:
> > > logs for failure request with unsupported cipher and unsupported SSL
> > > protocol
>
>
> > > Mark,
>
> > > On 1/29/20 7:56 AM, Mark Thomas wrote:
> > > > On 29/01/2020 12:40, Palod, Manish wrote:
> > > > > Hi All,
> > > > >
> > > > >
> > > > > I am using tomcat 7 and in our server we support connection only
> > > > > with "TLSv1.2" and cipher "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256".
> > > > >
> > > > >
> > > > >
> > > > > Following is the Access valve pattern "%{E M/d/y @ hh:mm:ss.S a
> > > > > z}t %a (%{X-Forwarded-For}i) > %A:%p "%r"
> > > > > %{requestBodyLength}r %D %s %B %I "%{Referer}i"
> > > > > "%{User-Agent}i" %u %{username}s %{sessionTracker}s with
> > > > > TLS protocol
> > > > > %{org.apache.tomcat.util.net.secure_protocol_version}r and Cipher
> > > > > %{javax.servlet.request.cipher_suite}r"
> > > > >
> > > > >
> > > > >
> > > > > and we are able to see following logs for successful
> > > > > connection:
> > > > >
> > > > >
> > > > >
> > > > > Wed 1/29/2020 @ 04:19:46.6 PM IST <Source-IP> (-) >
> > > > > <Server-IP>:443 "GET /favicon.ico HTTP/1.1" - 1 404 66,
> > > > > "https://xx.xx.xx.xx/ /html/popCheck.html" "Mozilla/5.0 (Windows
> > > > > NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
> > > > > Chrome/79.0.3945.130 Safari/537.36" - - - with TLS protocol
> > > > > TLSv1.2 and Cipher
> > > > > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> > > > >
> > > > >
> > > > > But in case when request is made with ex. SSLv3, TLSv1 or
> > > > > unsupported ciphers, Server is rejecting the request but no audit
> > > > > message is coming into the access logs.
> > > > >
> > > > > How can I get details about these requests with unsupported
> > > > > ciphers and unsupported SSL protocols?
>
> > > > From Tomcat, you can't.
>
> > > > If you upgrade to 8.5.x onwards you will get a 400 in the access
> > > > logs. You won't get the protocol or cipher information since that
> > > > requires a successful TLS connection before it is populated.
>
> > > IIRC, we are parsing a little of the initial handshake packet for a
> > > few things. Would it be possible to snatch the protocol version from
> > > there and report it in the log file? The cipher suite of course is
> > > never going to exist because there was no overlap between the client
> > > and the server, but the protocol always has a single value for a
> > > handshake attempt.
>
> > > -chris
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
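Chris's suggestion above is that the protocol version is visible in the client's first handshake packet even when the handshake never completes, and that the cipher suite is only ever known when client and server actually overlap. The following is an added example written for this page, not Tomcat code and not part of the thread: a small parser for a raw TLS ClientHello record that pulls out the versions and cipher suites the client offered, plus a classifier that applies a fixed server policy (TLSv1.2 only, one cipher suite, as in Manish's configuration) and reports the same three things an access-log line would want: protocol, cipher (or "-") and a reason. The function names, the `classify_handshake` return shape and the sample hellos are this example's own constructions; the hello builder produces minimal, well-formed records for offline testing only. It handles the TLS 1.3 `supported_versions` extension, where the real maximum version no longer sits in `legacy_version`, but deliberately rejects SSLv2-format hellos, which use a different framing.

```python
"""Extract offered TLS versions and cipher suites from a raw ClientHello.

Added example for the thread above (not Tomcat code): the data Tomcat 7
cannot log for a failed handshake is nevertheless present in the client's
first record. Names and sample inputs below are constructed for this example.
"""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
SUITE_NAMES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
               0x0005: "TLS_RSA_WITH_RC4_128_SHA"}
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(client_version, cipher_suites, supported_versions=()):
    """Build a minimal, well-formed ClientHello record (constructed test input)."""
    body = struct.pack("!H", client_version) + bytes(32)       # legacy_version + random (zeros here)
    body += b"\x00"                                             # empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                         # compression methods: null only
    exts = b""
    if supported_versions:                                      # TLS 1.3 style version list
        data = bytes([2 * len(supported_versions)])
        data += b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(data):
    """Return the versions and cipher suites a client offered in one record."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record (SSLv2-format hellos are not handled)")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    legacy_version = struct.unpack("!H", body[0:2])[0]
    off = 2 + 32                                                # skip random
    off += 1 + body[off]                                        # skip session_id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[off + i:off + i + 2])[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                                        # skip compression methods
    versions = [legacy_version]                                 # pre-1.3 clients only send this
    if off + 2 <= len(body):                                    # extensions block is optional
        ext_len = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            edata = body[off:off + elen]
            off += elen
            if etype == EXT_SUPPORTED_VERSIONS and elen >= 3 and edata[0] >= 2:
                n = edata[0]                                    # real max version lives here
                versions = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return {"versions": versions, "cipher_suites": suites}


def classify_handshake(data, server_versions, server_suites):
    """Apply a fixed server policy and return (protocol, cipher, reason).

    Protocol is always recoverable from the hello; cipher is "-" unless the
    client and server actually share a suite, as Chris notes in the thread.
    """
    hello = parse_client_hello(data)
    offered = set(hello["versions"])
    common = offered & set(server_versions)
    if not common:
        best = max(offered)
        return VERSION_NAMES.get(best, hex(best)), "-", "no common protocol version"
    proto = VERSION_NAMES[max(common)]
    for cs in server_suites:                                    # server preference order
        if cs in hello["cipher_suites"]:
            return proto, SUITE_NAMES.get(cs, hex(cs)), "ok"
    return proto, "-", "no common cipher suite"


if __name__ == "__main__":
    policy = ([0x0303], [0xC02F])                               # TLSv1.2 + one suite, as in the thread
    samples = {
        "tls12 ok":        build_client_hello(0x0303, [0xC02F, 0x002F]),
        "sslv3 client":    build_client_hello(0x0300, [0x0005]),
        "tls12 bad suite": build_client_hello(0x0303, [0x002F]),
        "tls13 client":    build_client_hello(0x0303, [0x1301, 0xC02F], (0x0304, 0x0303)),
    }
    for name, hello in samples.items():
        print(name, "->", classify_handshake(hello, *policy))
```

Two caveats a practitioner should keep in mind before wiring something like this into a server. First, peeking at the hello only explains failures caused by protocol or cipher mismatch; a handshake can still fail later (certificate rejection, a client alert, a dropped connection), so this does not make "reason for every failure" achievable, which is the point Chris makes above. Second, the record must be read before the TLS library consumes it, so in Tomcat 7 this would have to happen at the socket-accept layer rather than in anything request-scoped, which is why the access log has nothing to work with today.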