logging SSL handshake failures


Adam Weremczuk
Hi all,

I'm running Apache 2.4.25 on Debian 9 and trying to debug SSL.

Even with LogLevel set to trace8, error.log doesn't produce exhaustive
details when I, e.g., try to connect using an older, unsupported protocol:

openssl s_client -connect www.mysite.com:443 -tls1

[Fri Jun 19 16:15:54.339546 2020] [ssl:info] [pid 11437] [client
192.168.10.196:46016] AH01964: Connection to child 2 established (server
www.mysite.com:443)
[Fri Jun 19 16:15:54.339631 2020] [ssl:trace2] [pid 11437]
ssl_engine_rand.c(126): Seeding PRNG with 656 bytes of entropy
[Fri Jun 19 16:15:54.339705 2020] [ssl:trace3] [pid 11437]
ssl_engine_kernel.c(1989): [client 192.168.10.196:46016] OpenSSL:
Handshake: start
[Fri Jun 19 16:15:54.339721 2020] [ssl:trace3] [pid 11437]
ssl_engine_kernel.c(1998): [client 192.168.10.196:46016] OpenSSL: Loop:
before/accept initialization
[Fri Jun 19 16:15:54.339737 2020] [ssl:trace4] [pid 11437]
ssl_engine_io.c(2135): [client 192.168.10.196:46016] OpenSSL: read 11/11
bytes from BIO#5641ea41b3e0 [mem: 5641ea420a40] (BIO dump follows)
[Fri Jun 19 16:15:54.339740 2020] [ssl:trace7] [pid 11437]
ssl_engine_io.c(2064):
+-------------------------------------------------------------------------+
[Fri Jun 19 16:15:54.339744 2020] [ssl:trace7] [pid 11437]
ssl_engine_io.c(2102): | 0000: 16 03 01 00 81 01 00 00-7d 03
01                 ........}..      |
[Fri Jun 19 16:15:54.339745 2020] [ssl:trace7] [pid 11437]
ssl_engine_io.c(2108):
+-------------------------------------------------------------------------+
[Fri Jun 19 16:15:54.339747 2020] [ssl:trace3] [pid 11437]
ssl_engine_kernel.c(2027): [client 192.168.10.196:46016] OpenSSL: Exit:
error in SSLv2/v3 read client hello A
[Fri Jun 19 16:15:54.339751 2020] [ssl:info] [pid 11437] [client
192.168.10.196:46016] AH02008: SSL library error 1 in handshake (server
www.mysite.com:443)
[Fri Jun 19 16:15:54.339775 2020] [ssl:info] [pid 11437] SSL Library
Error: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported
protocol
[Fri Jun 19 16:15:54.339779 2020] [ssl:info] [pid 11437] [client
192.168.10.196:46016] AH01998: Connection closed to child 2 with
abortive shutdown (server www.mysite.com:443)

It doesn't say, e.g., which protocol was attempted, the URL, the agent, etc.

This type of info doesn't seem to be possible here, according to:

http://httpd.apache.org/docs/trunk/mod/core.html#errorlogformat

Therefore I've attempted the following:

/etc/apache2/mods-available/ssl.conf

<IfModule mod_ssl.c>
(...)
         ErrorLog /var/log/apache2/ssl_error.log
         LogLevel trace8
(...)
</IfModule>

But nothing is being logged to this file when I make various invalid SSL
requests to the server.

All I get is:

[Fri Jun 19 16:39:12.156511 2020] [core:notice] [pid 11679] AH00094:
Command line: '/usr/sbin/apache2'
[Fri Jun 19 16:39:12.156514 2020] [core:debug] [pid 11679] log.c(1546):
AH02639: Using SO_REUSEPORT: yes (1)
[Fri Jun 19 16:39:12.156521 2020] [mpm_prefork:debug] [pid 11679]
prefork.c(1032): AH00165: Accept mutex: fcntl (default: sysvsem)
[Fri Jun 19 16:39:12.156615 2020] [watchdog:debug] [pid 11686]
mod_watchdog.c(563): AH02980: Watchdog: nothing configured?

with the last message being repeated.

Is it a false positive?

apache2ctl -M | grep watchdog
[Fri Jun 19 16:42:05.186631 2020] [core:trace3] [pid 11707]
core.c(3289): Setting LogLevel for all modules to trace8
[Fri Jun 19 16:42:05.186778 2020] [core:trace3] [pid 11707]
core.c(3289): Setting LogLevel for all modules to trace8
  watchdog_module (static)

How can I log details of SSL handshake failures?

Thanks,
Adam
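As an added example (not part of the post or of httpd), the following Python script pulls the missing detail out of the trace-level lines Adam already gets: it correlates the "Handshake: start", BIO dump, AH02008 and "SSL Library Error" records by pid and decodes the protocol version the client offered from the first bytes of the ClientHello in the trace7 dump. It assumes the mailer's 72-column wrapping has been undone (one record per line) and a prefork MPM, where one pid handles one handshake at a time; the sample log is constructed from the post.

```python
import re

# Constructed sample in the shape of the post's trace8 error.log, with the
# mailer's 72-column wrapping undone so each record is one line.
SAMPLE_LOG = """\
[Fri Jun 19 16:15:54.339705 2020] [ssl:trace3] [pid 11437] ssl_engine_kernel.c(1989): [client 192.168.10.196:46016] OpenSSL: Handshake: start
[Fri Jun 19 16:15:54.339744 2020] [ssl:trace7] [pid 11437] ssl_engine_io.c(2102): | 0000: 16 03 01 00 81 01 00 00-7d 03 01                 ........}..      |
[Fri Jun 19 16:15:54.339751 2020] [ssl:info] [pid 11437] [client 192.168.10.196:46016] AH02008: SSL library error 1 in handshake (server www.mysite.com:443)
[Fri Jun 19 16:15:54.339775 2020] [ssl:info] [pid 11437] SSL Library Error: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol
"""

PREFIX = re.compile(r"^\[(?P<ts>[^\]]+)\] \[ssl:\w+\] \[pid (?P<pid>\d+)\] (?P<rest>.*)$")
CLIENT = re.compile(r"\[client (?P<client>[^\]]+)\]")
DUMP0 = re.compile(r"\| 0000: (?P<hex>[0-9a-f]{2}(?:[ -][0-9a-f]{2})*)")
AH02008 = re.compile(r"AH02008: SSL library error \d+ in handshake \(server (?P<server>[^)]+)\)")
LIBERR = re.compile(r"SSL Library Error: (?P<reason>error:.*)$")
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}


def client_hello_version(raw):
    """Decode client_version from the first bytes read off the wire.
    Layout: record type(1) version(2) length(2) | handshake type(1) length(3) | client_version(2).
    Caveat: TLS 1.3 clients put 0x0303 here and signal 1.3 via supported_versions."""
    if len(raw) < 11 or raw[0] != 0x16 or raw[5] != 0x01:
        return None  # not a TLS handshake record carrying a ClientHello
    return VERSIONS.get((raw[9], raw[10]), "unknown 0x%02x%02x" % (raw[9], raw[10]))


def parse_ssl_failures(text):
    """Correlate per-pid trace lines (prefork: one handshake per pid at a time)."""
    state, failures = {}, []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        pid, rest = m["pid"], m["rest"]
        dump, fail, err = DUMP0.search(rest), AH02008.search(rest), LIBERR.search(rest)
        if rest.endswith("OpenSSL: Handshake: start"):
            c = CLIENT.search(rest)
            state[pid] = {"client": c["client"] if c else None, "hello": None}
        elif dump and pid in state and state[pid]["hello"] is None:
            state[pid]["hello"] = bytes.fromhex(re.sub(r"[ -]", "", dump["hex"]))
        elif fail:
            s = state.get(pid, {"client": None, "hello": None})
            failures.append({"time": m["ts"], "pid": pid, "client": s["client"],
                             "server": fail["server"], "reason": None,
                             "client_version": client_hello_version(s["hello"] or b"")})
        elif err and failures and failures[-1]["pid"] == pid and failures[-1]["reason"] is None:
            failures[-1]["reason"] = err["reason"]
    return failures


if __name__ == "__main__":
    for f in parse_ssl_failures(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} -> {f['server']}: offered {f['client_version']}; {f['reason']}")
```

For the post's own dump (16 03 01 ... 01 00 00 7d 03 01) this reports the client offered TLSv1.0, which is what the -tls1 test sent; the URL and User-Agent are never available at this point because the connection fails before any HTTP request is read.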
