logging SSL handshake failures


 



Hi all,

I'm running Apache 2.4.25 on Debian 9 and trying to debug SSL.

Even with LogLevel set to trace8, error.log doesn't produce exhaustive details when I, e.g., try to connect using an older unsupported protocol:

openssl s_client -connect www.mysite.com:443 -tls1

[Fri Jun 19 16:15:54.339546 2020] [ssl:info] [pid 11437] [client 192.168.10.196:46016] AH01964: Connection to child 2 established (server www.mysite.com:443)
[Fri Jun 19 16:15:54.339631 2020] [ssl:trace2] [pid 11437] ssl_engine_rand.c(126): Seeding PRNG with 656 bytes of entropy
[Fri Jun 19 16:15:54.339705 2020] [ssl:trace3] [pid 11437] ssl_engine_kernel.c(1989): [client 192.168.10.196:46016] OpenSSL: Handshake: start
[Fri Jun 19 16:15:54.339721 2020] [ssl:trace3] [pid 11437] ssl_engine_kernel.c(1998): [client 192.168.10.196:46016] OpenSSL: Loop: before/accept initialization
[Fri Jun 19 16:15:54.339737 2020] [ssl:trace4] [pid 11437] ssl_engine_io.c(2135): [client 192.168.10.196:46016] OpenSSL: read 11/11 bytes from BIO#5641ea41b3e0 [mem: 5641ea420a40] (BIO dump follows)
[Fri Jun 19 16:15:54.339740 2020] [ssl:trace7] [pid 11437] ssl_engine_io.c(2064): +-------------------------------------------------------------------------+
[Fri Jun 19 16:15:54.339744 2020] [ssl:trace7] [pid 11437] ssl_engine_io.c(2102): | 0000: 16 03 01 00 81 01 00 00-7d 03 01                 ........}..      |
[Fri Jun 19 16:15:54.339745 2020] [ssl:trace7] [pid 11437] ssl_engine_io.c(2108): +-------------------------------------------------------------------------+
[Fri Jun 19 16:15:54.339747 2020] [ssl:trace3] [pid 11437] ssl_engine_kernel.c(2027): [client 192.168.10.196:46016] OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Fri Jun 19 16:15:54.339751 2020] [ssl:info] [pid 11437] [client 192.168.10.196:46016] AH02008: SSL library error 1 in handshake (server www.mysite.com:443)
[Fri Jun 19 16:15:54.339775 2020] [ssl:info] [pid 11437] SSL Library Error: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol
[Fri Jun 19 16:15:54.339779 2020] [ssl:info] [pid 11437] [client 192.168.10.196:46016] AH01998: Connection closed to child 2 with abortive shutdown (server www.mysite.com:443)

It doesn't say e.g. which protocol was attempted, URL, agent etc.

This type of info doesn't seem possible here according to:

http://httpd.apache.org/docs/trunk/mod/core.html#errorlogformat

Therefore I've attempted the following:

/etc/apache2/mods-available/ssl.conf

<IfModule mod_ssl.c>
(...)
        ErrorLog /var/log/apache2/ssl_error.log
        LogLevel trace8
(...)
</IfModule>

But nothing is being logged to this file when I make various invalid SSL requests to the server.

All I get is:

[Fri Jun 19 16:39:12.156511 2020] [core:notice] [pid 11679] AH00094: Command line: '/usr/sbin/apache2'
[Fri Jun 19 16:39:12.156514 2020] [core:debug] [pid 11679] log.c(1546): AH02639: Using SO_REUSEPORT: yes (1)
[Fri Jun 19 16:39:12.156521 2020] [mpm_prefork:debug] [pid 11679] prefork.c(1032): AH00165: Accept mutex: fcntl (default: sysvsem)
[Fri Jun 19 16:39:12.156615 2020] [watchdog:debug] [pid 11686] mod_watchdog.c(563): AH02980: Watchdog: nothing configured?

with the last message being repeated.

Is it a false positive?

apache2ctl -M | grep watchdog
[Fri Jun 19 16:42:05.186631 2020] [core:trace3] [pid 11707] core.c(3289): Setting LogLevel for all modules to trace8
[Fri Jun 19 16:42:05.186778 2020] [core:trace3] [pid 11707] core.c(3289): Setting LogLevel for all modules to trace8
 watchdog_module (static)

How can I log details of SSL handshake failures?

Thanks,
Adam
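
The 11 bytes in the trace7 BIO dump quoted in the message are the TLS record header plus the start of the ClientHello, and they carry the protocol version the client offered. The sketch below is an added example, not part of the original post: it decodes those bytes from the log rows. The sample rows are copied from the excerpt above, and the names `dump_bytes` and `describe_hello` are hypothetical.

```python
import re

# Sample input: rows copied from the error.log excerpt in the post.
SAMPLE_LOG = """\
[Fri Jun 19 16:15:54.339737 2020] [ssl:trace4] [pid 11437] ssl_engine_io.c(2135): [client 192.168.10.196:46016] OpenSSL: read 11/11 bytes from BIO#5641ea41b3e0 [mem: 5641ea420a40] (BIO dump follows)
[Fri Jun 19 16:15:54.339740 2020] [ssl:trace7] [pid 11437] ssl_engine_io.c(2064): +-------------------------------------------------------------------------+
[Fri Jun 19 16:15:54.339744 2020] [ssl:trace7] [pid 11437] ssl_engine_io.c(2102): | 0000: 16 03 01 00 81 01 00 00-7d 03 01                 ........}..      |
"""

VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# Hex column of a mod_ssl trace7 dump row: "| 0000: 16 03 01 ... |"
DUMP_ROW = re.compile(r"\|\s*[0-9a-f]{4}:\s((?:[0-9a-f]{2}[ -])+)", re.I)


def dump_bytes(log_text):
    """Concatenate the hex bytes of every BIO dump row found in log_text."""
    out = bytearray()
    for row in DUMP_ROW.finditer(log_text):
        out += bytes.fromhex(row.group(1).replace("-", " "))
    return bytes(out)


def _name(hi, lo):
    return VERSIONS.get((hi, lo), f"unknown {hi}.{lo}")


def describe_hello(data):
    """Decode the TLS record and handshake headers at the start of a ClientHello."""
    if len(data) < 11 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not the start of a TLS ClientHello record")
    return {
        "record_version": _name(data[1], data[2]),
        "record_length": int.from_bytes(data[3:5], "big"),
        "handshake_type": "ClientHello",
        "handshake_length": int.from_bytes(data[6:9], "big"),
        # Legacy client_version: the highest version a pre-1.3 client offers.
        # TLS 1.3 clients send 3.3 here and list versions in an extension.
        "client_version": _name(data[9], data[10]),
    }


if __name__ == "__main__":
    print(describe_hello(dump_bytes(SAMPLE_LOG)))
```
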






