Logging failed SSL handshake?
Amos Shapira
amos.shapira at gmail.com
Fri Jan 29 08:09:43 IST 2010
Hello,
Assuming I disabled SSLv2 on my Apache 2.2 (CentOS 5) server using:
SSLProtocol all -SSLv2
Then connect to the server forcing openssl s_client to try to use SSLv2 using:
$ openssl s_client -connect c010afn01-test:443 -state -debug -ssl2
I get:
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0xddd8df0 [0xdde1501] (45 bytes => 45 (0x2D))
0000 - 80 2b 01 00 02 00 12 00-00 00 10 07 00 c0 03 00 .+..............
0010 - 80 01 00 80 06 00 40 04-00 80 02 00 80 1c 7d 5b ......@........}[
0020 - 7c d9 5e a9 db 37 21 06-a8 01 43 1f 61 |.^..7!...C.a
SSL_connect:SSLv2 write client hello A
read from 0xddd8df0 [0xddd94f0] (2 bytes => 0 (0x0))
SSL_connect:failed in SSLv2 read server hello A
356:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
I don't see any mention of the attempt in the Apache logs.
I added also a line like:
CustomLog "/var/log/httpd/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
This file indeed logs what I want (SSL version used), but not the
connection attempt from localhost.
I guess the SSL negotiation failure happens so early that nothing else
gets a chance to log anything.
Does anyone know of a way to log SSL negotiation failure on Apache's side?
Thanks,
--Amos
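Added example, not part of the original post. A handshake that fails the way the s_client run above shows never produces an HTTP request, so there is no `%r` for a CustomLog entry to record; mod_ssl reports the failure in the ErrorLog instead, and in Apache 2.2 those lines only appear when `LogLevel` is `info` or more verbose. The script below scans such error_log lines and tallies handshake failures per client address so an administrator can spot protocol-mismatch or probing activity. The log excerpt is constructed to approximate the Apache 2.2 mod_ssl message format (`SSL library error N in handshake`), not captured from the server in the post, and the `handshake_failures` / `total_failures` function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): summarise mod_ssl handshake
# failures from an Apache 2.2 error_log read on stdin. Assumes "LogLevel info"
# so mod_ssl writes "SSL library error ... in handshake" entries to the ErrorLog.

# Constructed sample error_log excerpt; the line layout approximates Apache 2.2
# mod_ssl output and the client addresses are documentation/loopback values.
SAMPLE_LOG='[Fri Jan 29 08:09:43 2010] [info] [client 127.0.0.1] Connection to child 0 established (server c010afn01-test:443)
[Fri Jan 29 08:09:43 2010] [info] [client 127.0.0.1] SSL library error 1 in handshake (server c010afn01-test:443)
[Fri Jan 29 08:09:43 2010] [info] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Fri Jan 29 08:09:44 2010] [info] [client 127.0.0.1] Connection closed to child 0 with abortive shutdown (server c010afn01-test:443)
[Fri Jan 29 08:10:02 2010] [info] [client 192.0.2.10] SSL library error 1 in handshake (server c010afn01-test:443)
[Fri Jan 29 08:10:05 2010] [info] [client 192.0.2.10] SSL library error 1 in handshake (server c010afn01-test:443)'

# handshake_failures: read error_log lines on stdin, print "count ip" for each
# client that failed an SSL handshake, most failures first.
handshake_failures() {
    grep 'in handshake' \
        | sed -n 's/.*\[client \([^]]*\)\].*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# total_failures: read error_log lines on stdin, print the number of
# handshake failures seen.
total_failures() {
    grep -c 'in handshake'
}

# Stand-alone run over the constructed sample; on a real server pipe in the
# ErrorLog instead, e.g.  handshake_failures < /var/log/httpd/error_log
printf '%s\n' "$SAMPLE_LOG" | handshake_failures
printf 'total handshake failures: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | total_failures)"
```

Because the information lives in the ErrorLog rather than a request log, it is worth confirming the `LogLevel` in the `<VirtualHost>` that carries the `SSLEngine on` directive, since a per-vhost `LogLevel warn` overrides the global setting and silences these entries.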