I am looking for a way to log SSL handshake errors clearly. For example, https://js.passport.qihucdn.com/ is not supported by us. However, the error page is not accessed via the policy. The last step in Rule trace is End Cycle.
The log file contains the request with RC 500. I would like to collect such requests in my own logfile.
I'm pretty sure anything that gets picked up by an error handler will show in a rule trace as having reached the end of the rule set for the cycle in which it fails. At least, all of the many hundreds of SSL handshake errors I've investigated were this way.
I think there have been discussions about logging selected cipher suites. Or at least, I wanted to get some stats on what's actually in use, as there are some really lame sites out there.
I've wanted to raise the question (and haven't gotten around to it): can we do logging in the error handlers? And if so, what error codes do we want for error handler criteria to pick up SSL handshake errors?
Unfortunately, this is not the case. If we have a handshake error, it appears in the logfile with an RC 500. And in the rule trace, the trace ends with the end cycle in the Policy. (at least this is in version 7.6.2).
It would help me if we could react to such a mistake in the policy. (I know in version 7.7 a lot more is possible)
If you're specifically referring to the errors which look like this:
error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:SSL error at server handshake:state 25:Application response 500 handshakefailed
I pull these into a separate log file by using the criteria Message.TemplateName equals "handshakefailed" and then logging the value for Protocol.FailureDescription.
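The selection described in the reply above happens on the proxy itself (match on the "handshakefailed" template, log Protocol.FailureDescription). As an added example that is not part of the original thread and not ProxySG's own policy language, the script below does the equivalent offline on an exported access log: it keeps only RC 500 entries whose failure description has the OpenSSL `error:<code>:<library>:<function>:<reason>` shape shown in the thread, writes them to a separate file, and counts the reasons. The field names and their order (`sc-status`, `x-rs-failure-description`, ...) and the sample log lines are constructed for this example, not a documented ProxySG log format.

```python
"""Pull TLS handshake failures out of an exported access log into their own file.

Added example, not code from the original thread. Assumptions (labelled here
and in the lead-in):
  - the log is space-separated with the column layout in FIELDS; the status
    code sits in sc-status and the handshake error text is a quoted field
    x-rs-failure-description. That layout is invented for this example.
  - handshake failures carry an OpenSSL-style description of the form
    error:<8 hex digits>:<library>:<function>:<reason>[:...].
"""
import re
import shlex
import sys
from collections import Counter

# Assumed column layout of the exported log (not a ProxySG default format).
FIELDS = ["date", "time", "c-ip", "sc-status", "cs-method", "cs-uri",
          "x-rs-failure-description"]

# OpenSSL error string: error:<code>:<lib>:<func>:<reason>; later ":..." parts
# (e.g. "SSL error at server handshake:state 25") are ignored by the regex.
OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:]+)"
)

# Constructed sample log: one normal request, one handshake failure of the
# kind quoted in the thread, one RC 500 for an unrelated reason, and a second
# handshake failure with a different reason.
SAMPLE_LOG = """\
2019-03-01 10:00:01 10.1.2.3 200 GET https://example.com/ -
2019-03-01 10:00:02 10.1.2.3 500 GET https://js.passport.qihucdn.com/ "error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:SSL error at server handshake:state 25"
2019-03-01 10:00:03 10.1.2.4 500 GET https://example.org/ "backend timed out"
2019-03-01 10:00:04 10.1.2.5 500 GET https://example.net/ "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:SSL error at server handshake:state 5"
"""


def parse_line(line):
    """Split one log line into a dict keyed by FIELDS; None if the column count is off."""
    parts = shlex.split(line)          # honours the quoted description field
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify_failure(description):
    """Return (code, function, reason) for an OpenSSL handshake error, else None."""
    m = OPENSSL_ERR.search(description or "")
    if not m:
        return None
    return m.group("code"), m.group("func"), m.group("reason")


def extract_handshake_failures(log_text):
    """Keep only RC 500 entries whose description is an OpenSSL handshake error."""
    failures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["sc-status"] != "500":
            continue
        parsed = classify_failure(rec["x-rs-failure-description"])
        if parsed is None:
            continue                   # a 500 for some other reason stays in the main log
        code, func, reason = parsed
        failures.append({"uri": rec["cs-uri"], "code": code,
                         "function": func, "reason": reason})
    return failures


def write_handshake_log(log_text, out):
    """Write the selected failures as tab-separated lines to an open text stream."""
    failures = extract_handshake_failures(log_text)
    for f in failures:
        out.write(f"{f['uri']}\t{f['code']}\t{f['function']}\t{f['reason']}\n")
    return len(failures)


def failure_stats(failures):
    """Count failures per OpenSSL reason string, e.g. for a quick 'what breaks' overview."""
    return Counter(f["reason"] for f in failures)


if __name__ == "__main__":
    # Usage: python handshake_log.py < access.log > handshake.log
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    n = write_handshake_log(text, sys.stdout)
    print(f"# {n} handshake failures", file=sys.stderr)
    for reason, count in failure_stats(extract_handshake_failures(text)).items():
        print(f"# {count:4d}  {reason}", file=sys.stderr)
```

Run without input and it processes the constructed SAMPLE_LOG; with a real export on stdin it writes the handshake failures to stdout and the per-reason counts to stderr. The regex deliberately stops the reason at the next colon so the trailing "SSL error at server handshake:state N" text does not end up in the reason field.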