httpd not logging tls handshake failed if 'tls client ca <file>' used

Jiri B-3
Hi,

I was playing with CloudFlare Authenticated Origin Pulls, i.e. httpd
configured with
'client ca "/etc/ssl/cloudflare_origin_pull.crt"' (i.e. to allow only
TLS requests from a specific TLS client), and I see httpd is not logging
anything by default into either access.log or error.log. (But the
feature itself works OK.)

But it does log if run in debug mode 'httpd -d -vvvv':

---%>---
server_tls_handshake: tls handshake failed - handshake failed: error:140360C7:SSL routines:ACCEPT_SR_CERT:peer did not return a certificate
server tls_default, client 1 (1 active), 199.195.251.62:18922 -> 176.74.139.218:443, tls handshake failed
---%<---

Is this expected behavior?

# sysctl kern.version
kern.version=OpenBSD 6.5-current (GENERIC) #176: Thu Aug  8 21:28:09 MDT 2019
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC
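Since the failed client-certificate handshakes in this setup only surface in the `httpd -d -vvvv` debug stream and not in access.log or error.log, one practical workaround is to parse that debug output yourself and turn the two related lines (the `server_tls_handshake:` reason line followed by the `server ..., client N ..., tls handshake failed` connection line) into structured events that can be counted per source address. The following is an added example, not code from the post or from OpenBSD httpd. It assumes, as in the quoted output, that the reason line immediately precedes the matching connection line; the first two sample lines are the ones quoted above, the remaining two are constructed with a documentation-range IP.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: lines 1-2 are the debug output quoted in the post,
# lines 3-4 are made up in the same shape (203.0.113.7 is a documentation address).
SAMPLE_DEBUG_LOG = """\
server_tls_handshake: tls handshake failed - handshake failed: error:140360C7:SSL routines:ACCEPT_SR_CERT:peer did not return a certificate
server tls_default, client 1 (1 active), 199.195.251.62:18922 -> 176.74.139.218:443, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:constructed:SSL routines:ACCEPT_SR_CERT:peer did not return a certificate
server tls_default, client 2 (1 active), 203.0.113.7:51000 -> 176.74.139.218:443, tls handshake failed
"""

# Reason line emitted by the TLS accept path; everything after the dash is the libtls error text.
REASON_LINE = re.compile(r"^server_tls_handshake: tls handshake failed - (?P<reason>.+)$")

# Per-connection line: server name, client id, active count, src -> dst, and the event.
CLIENT_LINE = re.compile(
    r"^server (?P<server>\S+), client (?P<client_id>\d+) \((?P<active>\d+) active\), "
    r"(?P<src>\S+) -> (?P<dst>\S+), tls handshake failed$"
)


@dataclass
class HandshakeFailure:
    server: str
    client_id: int
    src: str           # client address including port, as logged
    dst: str           # listener address including port, as logged
    reason: Optional[str]  # None if no reason line preceded the connection line


def parse_handshake_failures(text: str) -> List[HandshakeFailure]:
    """Correlate reason lines with the connection line that follows them (assumed ordering)."""
    failures: List[HandshakeFailure] = []
    pending_reason: Optional[str] = None
    for line in text.splitlines():
        m = REASON_LINE.match(line)
        if m:
            pending_reason = m.group("reason")
            continue
        m = CLIENT_LINE.match(line)
        if m:
            failures.append(HandshakeFailure(
                server=m.group("server"),
                client_id=int(m.group("client_id")),
                src=m.group("src"),
                dst=m.group("dst"),
                reason=pending_reason,
            ))
            pending_reason = None  # a reason applies to exactly one connection
    return failures


def failures_by_source(failures: List[HandshakeFailure]) -> Dict[str, int]:
    """Count failures per client IP (port stripped) to spot a single source hammering the listener."""
    return dict(Counter(f.src.rsplit(":", 1)[0] for f in failures))


def format_log_line(f: HandshakeFailure) -> str:
    """Render one failure as a single error.log-style line for easier grepping."""
    reason = f.reason or "unknown reason"
    return f"{f.server}: tls handshake failed from {f.src} to {f.dst}: {reason}"


if __name__ == "__main__":
    events = parse_handshake_failures(SAMPLE_DEBUG_LOG)
    for event in events:
        print(format_log_line(event))
    print(failures_by_source(events))
```

In practice the debug stream would be piped into `parse_handshake_failures` from a file or a running `httpd -d -vvvv`; the per-source counts give the kind of signal that would otherwise be missing from the regular logs when `client ca` rejects a peer that presents no certificate.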