I'm pretty sure anything that gets picked up by an error handler will show in a rule trace as having reached the end of the rule set for the cycle in which it fails. At least, all of the many hundreds of SSL handshake errors I've investigated were this way.
I think there have been discussions about logging selected cipher suites. Or at least, I wanted to get some stats on what's actually in use, as there are some really lame sites out there.
But I've wanted to raise the question (and haven't gotten around to it), but can we do logging in the error handlers? And if so, what error codes do we want for error handler criteria to pick up SSL handshake errors?
Unfortunately, this is not the case. If we have a handshake error, it appears in the logfile with an RC 500. And in the rule trace, the trace ends with the end cycle in the Policy. (At least this is in version 7.6.2.)
It would help me if we could react to such a mistake in the policy. (I know in version 7.7 a lot more is possible)
If you're specifically referring to the errors which look like this:
error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:SSL error at server handshake:state 25:Application response 500 handshakefailed
I pull these into a separate log file by using the criteria Message.TemplateName equals "handshakefailed" and then logging the value for Protocol.FailureDescription.
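As an added illustration (not from any post in this thread or from the product), here is a small Python parser for the OpenSSL error string shown above, as it would appear in a separate log of Protocol.FailureDescription values: it splits the `error:<code>:<lib>:<func>:<reason>` prefix, decodes the TLS alert number that OpenSSL packs into the reason code, and tallies failures per function/reason so you can get stats on which handshake errors dominate. The sample log lines are constructed; the field layout and the "reason = 1000 + alert number" encoding are OpenSSL conventions, not anything the thread states.

```python
import re
from collections import Counter

# Matches the OpenSSL error prefix seen in the thread's example line:
#   error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:...
OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)"
)

# TLS alert descriptions (RFC 5246 section 7.2) for a few common alert numbers.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
              70: "protocol_version", 80: "internal_error"}

def parse_failure(desc):
    """Parse one Protocol.FailureDescription value; return a dict or None."""
    m = OPENSSL_ERR.search(desc)
    if not m:
        return None
    code = int(m.group("code"), 16)
    reason_num = code & 0xFFF  # low 12 bits of the packed code are the reason
    # OpenSSL reports a TLS alert received from the peer as reason 1000 + alert number.
    alert = reason_num - 1000 if 1000 <= reason_num <= 1255 else None
    return {
        "lib": m.group("lib"),
        "func": m.group("func"),
        "reason": m.group("reason"),
        "reason_num": reason_num,
        "alert": alert,
        "alert_name": TLS_ALERTS.get(alert, "unknown") if alert is not None else None,
    }

def summarise(lines):
    """Count handshake failures per (function, reason) across log lines."""
    counts = Counter()
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            counts[(parsed["func"], parsed["reason"])] += 1
    return counts

# Constructed sample log lines (not real traffic), in the form the thread shows.
SAMPLE_LOG = [
    "error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:SSL error at server handshake:state 25:Application response 500 handshakefailed",
    "error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:SSL error at server handshake:state 25:Application response 500 handshakefailed",
    "error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:SSL error at server handshake:state 25:Application response 500 handshakefailed",
    "GET /index.html 200 text/html",  # non-error line, ignored by the parser
]

if __name__ == "__main__":
    for key, n in summarise(SAMPLE_LOG).most_common():
        print(n, key)
```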