3 Replies Latest reply on Nov 27, 2017 3:46 PM by btlyric

    Log SSL handshake failures...

    feickholt

      I am looking for a way to log SSL handshake errors clearly. For example, https://js.passport.qihucdn.com/ is not supported by us. However, the error page is not accessed via the policy. The last step in the rule trace is End Cycle.

      The log file contains the request with RC 500. I would like to collect such requests in my own logfile.

      Frank

        • 1. Re: Log SSL handshake failures...
          johnaldridge

          I'm pretty sure anything that gets picked up by an error handler will show in a rule trace as having reached the end of the rule set for the cycle in which it fails.  At least, all of the many hundreds of SSL handshake errors I've investigated were this way.

          I think there have been discussions about logging selected cipher suites. Or at least, I wanted to get some stats on what's actually in use, as there are some really lame sites out there.

          I've wanted to raise the question (and haven't gotten around to it): can we do logging in the error handlers? And if so, what error codes do we want as error handler criteria to pick up SSL handshake errors?

          • 2. Re: Log SSL handshake failures...
            feickholt

            Unfortunately, this is not the case. If we have a handshake error, it appears in the logfile with an RC 500, and in the rule trace, the trace ends with the End Cycle in the policy (at least this is the case in version 7.6.2).

            It would help me if we could react to such an error in the policy. (I know that in version 7.7 a lot more is possible.)

            • 3. Re: Log SSL handshake failures...
              btlyric

              If you're specifically referring to the errors which look like this:

              error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:SSL error at server handshake:state 25:Application response 500 handshakefailed

              I pull these into a separate log file by using the criterion Message.TemplateName equals "handshakefailed" and then logging the value of Protocol.FailureDescription.
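As an added example (not code from the thread, the poster, or McAfee Web Gateway), the script below does offline what btlyric's rule does in the proxy: it picks the RC 500 requests whose error template is "handshakefailed" out of a set of log lines, parses the Protocol.FailureDescription string in the format quoted above, and decodes the packed OpenSSL error code so the TLS alert number the upstream server sent is visible at a glance. Assumptions: the surrounding access-log line layout (timestamp, client, status, URL, quoted failure text) and the sample lines are constructed, not real MWG output; only the FailureDescription format comes from the thread, and the code decoding follows OpenSSL's ERR_PACK layout (8-bit library, 12-bit function, 12-bit reason).

```python
"""Select SSL handshake failures from access-log lines and decode them.

Only the Protocol.FailureDescription format is taken from the thread; the
log-line layout and the sample lines below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Layout of the FailureDescription value quoted in the thread:
# error:<hex code>:<lib>:<func>:<reason>[:<context>...]:state <n>:Application response <rc> <template>
FAILURE_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:]+)"
    r"(?P<context>(?::[^:]+)*?):state (?P<state>\d+)"
    r":Application response (?P<rc>\d{3}) (?P<template>\S+)"
)

# Constructed log-line layout (assumption): time, client, status, URL, quoted failure text or "-".
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<rc>\d{3}) (?P<url>\S+) "(?P<desc>[^"]*)"$')


@dataclass
class HandshakeFailure:
    code: int        # packed OpenSSL error code, e.g. 0x14077438
    lib: str
    func: str
    reason: str
    context: str
    state: int
    rc: int          # HTTP status the proxy answered with (500 in the thread)
    template: str    # error template name, "handshakefailed" in the thread

    # OpenSSL ERR_PACK layout: ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON.
    @property
    def lib_id(self) -> int:
        return (self.code >> 24) & 0xFF

    @property
    def func_id(self) -> int:
        return (self.code >> 12) & 0xFFF

    @property
    def reason_id(self) -> int:
        return self.code & 0xFFF

    @property
    def alert(self) -> Optional[int]:
        # Reasons 1000..1255 are the SSL_R_*_ALERT_* family: 1000 + the TLS alert number the peer sent.
        return self.reason_id - 1000 if self.reason_id >= 1000 else None


def parse_failure(desc: str) -> Optional[HandshakeFailure]:
    """Parse a FailureDescription string; return None for anything else (e.g. "-")."""
    m = FAILURE_RE.search(desc)
    if not m:
        return None
    return HandshakeFailure(
        code=int(m["code"], 16), lib=m["lib"], func=m["func"], reason=m["reason"],
        context=m["context"].lstrip(":"), state=int(m["state"]),
        rc=int(m["rc"]), template=m["template"],
    )


def select_handshake_failures(lines: Iterable[str]) -> List[dict]:
    """Keep only lines whose template is "handshakefailed" (the thread's rule criterion)."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        f = parse_failure(m["desc"])
        if f is None or f.template != "handshakefailed":
            continue  # ordinary requests and 500s that are not handshake failures
        out.append({"time": m["ts"], "client": m["client"], "url": m["url"],
                    "code": f"{f.code:08x}", "reason": f.reason,
                    "alert": f.alert, "state": f.state})
    return out


# Constructed sample lines (not real MWG output).
SAMPLE_LOG = [
    '2017-11-27T15:46:00 10.0.0.12 200 https://example.com/ "-"',
    '2017-11-27T15:46:01 10.0.0.12 500 https://js.passport.qihucdn.com/ '
    '"error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:'
    'SSL error at server handshake:state 25:Application response 500 handshakefailed"',
    '2017-11-27T15:46:02 10.0.0.13 500 https://example.org/api "-"',
    '2017-11-27T15:46:03 10.0.0.14 500 https://example.net/ '
    '"error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:'
    'SSL error at server handshake:state 25:Application response 500 handshakefailed"',
]

if __name__ == "__main__":
    for rec in select_handshake_failures(SAMPLE_LOG):
        # Each record is one line for the separate handshake-failure log.
        print(" ".join(f"{k}={v}" for k, v in rec.items()))
```

Reading the decoded fields: for the string quoted above, the reason id is 1080, so the upstream server sent TLS alert 80 (internal_error) during its ServerHello processing; that is the server refusing the handshake, not the proxy, which is the distinction the separate log is meant to make obvious.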