
An observation about client certificates

Sean Conner sean at conman.org

Tue May 12 03:58:34 BST 2020

- - - - - - - - - - - - - - - - - - -

It was thus said that the Great Dave Huseby once stated:
> On Mon, May 11, 2020, at 2:21 AM, Sean Conner wrote:
> > > We should talk about logging formats some time.  Molly Brown keeps logs
> > > too (I keep meaning to make a nice graph showing the wave of traffic
> > > that came in after we hit HN), in an ad-hoc format that doesn't match
> > > yours below at all (unsurprisingly).  Having a standard format would
> > > facilitate tools to monitor/visualise logs.
> > 
> >   I log via syslog(), which handles the timestamps for me (and log rotation,
> > and a whole bunch of other stuff related to logging).  I place the name of
> > the fields to make later processing a bit easier, but as far as I can tell,
> > the only thing I log that you don't is the issuer and subject from any
> > certificates presented, and that was to satisfy my own curiosity (and to
> > potentially troubleshoot any issues).
> 
> I think by default, any logging we do should be at a bare minimum and not
> contain the IP address of the client or any other data that would link the
> log line to them. I added logging to my hacked up version of Pollux but it
> only logs which page was loaded and when. My purpose was to track basic
> traffic and any errors that occur and nothing else.

  One misbehaving client on an IP address can present a headache by repeatedly
making requests and (especially if it's behind a larger pipe than yours)
swamp the server.  By recording the IP address, it can be identified and
blocked.

  Or a misbehaving client always makes the same request to a non-existent
resource.  I had this happen on my gopher server---some web bot kept trying
to fetch the main index.html page.  Very annoying.  Again, easy to block if
you have the IP.

  -spc (Oooh, that reminds me, I have a bug to patch in GLV-1.12556 ... )
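As an added example (not code from GLV-1.12556, Molly Brown or Pollux, and not something anyone in the thread posted), here is the detection logic one would run over syslog-style request logs to pick out the two kinds of client Sean describes: one flooding the server, and one hammering the same non-existent resource. The log layout is an assumption: one syslog line per request whose message part carries named key=value fields (remote=, status=, request=); the thread only says the fields are named, not what they are called. Status codes are Gemini's (20 success, 51 not found). The sample log is constructed, not real traffic, and the thresholds passed in the usage line are deliberately tiny so the short sample trips them.

```python
"""Flag misbehaving clients from syslog-style Gemini server request logs.

Added example for this thread; it is not code from GLV-1.12556, Molly
Brown, or Pollux.  ASSUMPTION: each request is logged as one syslog line
whose message part carries named key=value fields (remote=, status=,
request=).  Those field names are made up here.  Status codes are
Gemini's (20 = success, 51 = not found).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, not real traffic.  192.0.2.9 floods the server,
# 198.51.100.22 keeps asking for a page that does not exist (the web-bot
# case from the thread), 203.0.113.7 is a well-behaved client, and the
# last line is a non-request line the parser must skip.
SAMPLE_LOG = """\
May 11 20:31:00 host gemini[1234]: remote=203.0.113.7 status=20 request=gemini://example.org/
May 11 20:31:01 host gemini[1234]: remote=198.51.100.22 status=51 request=gemini://example.org/index.html
May 11 20:31:02 host gemini[1234]: remote=203.0.113.7 status=20 request=gemini://example.org/blog/
May 11 20:31:05 host gemini[1234]: remote=192.0.2.9 status=20 request=gemini://example.org/
May 11 20:31:05 host gemini[1234]: remote=192.0.2.9 status=20 request=gemini://example.org/a
May 11 20:31:06 host gemini[1234]: remote=192.0.2.9 status=20 request=gemini://example.org/b
May 11 20:31:06 host gemini[1234]: remote=192.0.2.9 status=20 request=gemini://example.org/c
May 11 20:31:07 host gemini[1234]: remote=192.0.2.9 status=20 request=gemini://example.org/d
May 11 20:31:09 host gemini[1234]: remote=198.51.100.22 status=51 request=gemini://example.org/index.html
May 11 20:31:40 host gemini[1234]: remote=198.51.100.22 status=51 request=gemini://example.org/index.html
May 11 20:35:12 host gemini[1234]: remote=203.0.113.7 status=51 request=gemini://example.org/old
May 11 20:35:13 host gemini[1234]: startup complete
"""

# Traditional syslog timestamp, hostname, tag, then the message part.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: (?P<msg>.*)$"
)
# Traditional syslog timestamps carry no year; assume one so strptime
# yields a real date (only differences between timestamps are used).
LOG_YEAR = 2020


def parse_line(line):
    """Return {'ts': datetime, 'remote': ..., ...} or None for non-request lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for token in m.group("msg").split():
        key, sep, value = token.partition("=")  # split on the first '=' only,
        if sep:                                  # so '=' inside a URL survives
            fields[key] = value
    if "remote" not in fields:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, **fields}


def flag_clients(lines, window_seconds=60, rate_threshold=30, notfound_threshold=10):
    """Return {ip: reason} for clients worth blocking.

    A client is flagged if it made rate_threshold or more requests inside any
    window_seconds-long window, or repeated the same not-found request
    notfound_threshold or more times.  Both checks key on the IP: without it
    in the log there is nothing to correlate on.
    """
    times_by_ip = defaultdict(list)
    notfound = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["remote"]
        times_by_ip[ip].append(rec["ts"])
        if rec.get("status") == "51":
            notfound[(ip, rec.get("request"))] += 1

    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= rate_threshold:
                flagged[ip] = f"{end - start + 1} requests within {window_seconds}s"
                break
    for (ip, req), n in notfound.items():
        if n >= notfound_threshold and ip not in flagged:
            flagged[ip] = f"{n} requests for missing resource {req}"
    return flagged


if __name__ == "__main__":
    # Thresholds are tiny so the short sample trips them; tune for real traffic.
    for ip, why in flag_clients(SAMPLE_LOG.splitlines(), 10, 5, 3).items():
        print(f"block {ip}: {why}")
```

On the sample this reports 192.0.2.9 for five requests inside the ten-second window and 198.51.100.22 for three requests to the missing index.html, while the single not-found hit from 203.0.113.7 is left alone. What you do with the flagged addresses (a firewall rule, a server-side deny list) is outside the script; the point is that neither check is possible against a log that records only the page and the time.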