From c4a48828d34fde66da7612854ec7c77559a4b591 Mon Sep 17 00:00:00 2001
From: Peter Bieringer
Date: Sat, 8 Mar 2025 16:48:59 +0100
Subject: [PATCH 1/4] extend copyright
---
 radicale/server.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/radicale/server.py b/radicale/server.py
index fa43a711..7f4f3386 100644
--- a/radicale/server.py
+++ b/radicale/server.py
@@ -3,7 +3,7 @@
 # Copyright © 2008 Pascal Halter
 # Copyright © 2008-2017 Guillaume Ayoub
 # Copyright © 2017-2023 Unrud
-# Copyright © 2024-2024 Peter Bieringer
+# Copyright © 2024-2025 Peter Bieringer
 #
 # This library is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
From 9372344bb1ea98ebd877b2ba049e148e876724ab Mon Sep 17 00:00:00 2001
From: Peter Bieringer
Date: Sat, 8 Mar 2025 16:49:28 +0100
Subject: [PATCH 2/4] extend header information with HTTPS info
---
 radicale/server.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/radicale/server.py b/radicale/server.py
index 7f4f3386..ed6d73a3 100644
--- a/radicale/server.py
+++ b/radicale/server.py
@@ -262,6 +262,9 @@ class RequestHandler(wsgiref.simple_server.WSGIRequestHandler):
 def get_environ(self) -> Dict[str, Any]:
 env = super().get_environ()
 if isinstance(self.connection, ssl.SSLSocket):
+ env["HTTPS"] = "on"
+ env["SSL_CIPHER"] = self.request.cipher()[0]
+ env["SSL_PROTOCOL"] = self.request.version()
 # The certificate can be evaluated by the auth module
 env["REMOTE_CERTIFICATE"] = self.connection.getpeercert()
 # Parent class only tries latin1 encoding
From 914320826f8e6cdb4f7f783047361dd02d36f2c2 Mon Sep 17 00:00:00 2001
From: Peter Bieringer
Date: Sat, 8 Mar 2025 16:50:35 +0100
Subject: [PATCH 3/4] extend request log with HTTPS info
---
 radicale/app/__init__.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/radicale/app/__init__.py b/radicale/app/__init__.py
index 4e8e688b..f5cfc1aa 100644
--- a/radicale/app/__init__.py
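Review bot: In `RequestHandler.get_environ` (radicale/server.py, patch 2/4), `self.request.cipher()[0]` subscripts the result unchecked, yet `SSLSocket.cipher()` returns None when no connection has been established, and `version()` likewise returns None without a secure connection. If the handshake is guaranteed to have completed before this handler runs (not visible in the hunk) the lines are safe, but a guard keeps a TypeError out of the request path: `cipher = self.connection.cipher()`, `env["SSL_CIPHER"] = cipher[0] if cipher else ""` and `env["SSL_PROTOCOL"] = self.connection.version() or ""`. The added lines read from `self.request` while the `isinstance` check above and the certificate line below use `self.connection`; using one name throughout makes it plain that the values describe the same socket. The body of `get_environ` continues past the end of the hunk.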
+++ b/radicale/app/__init__.py
@@ -150,6 +150,7 @@ class Application(ApplicationPartDelete, ApplicationPartHead,
 time_begin = datetime.datetime.now()
 request_method = environ["REQUEST_METHOD"].upper()
 unsafe_path = environ.get("PATH_INFO", "")
+ https = environ.get("HTTPS", "")
 """Manage a request."""
 def response(status: int, headers: types.WSGIResponseHeaders,
@@ -210,9 +211,13 @@ class Application(ApplicationPartDelete, ApplicationPartHead,
 depthinfo = ""
 if environ.get("HTTP_DEPTH"):
 depthinfo = " with depth %r" % environ["HTTP_DEPTH"]
- logger.info("%s request for %r%s received from %s%s",
+ if https:
+ https_info = " " + environ.get("SSL_PROTOCOL", "") + " " + environ.get("SSL_CIPHER", "")
+ else:
+ https_info = ""
+ logger.info("%s request for %r%s received from %s%s%s",
 request_method, unsafe_path, depthinfo,
- remote_host, remote_useragent)
+ remote_host, remote_useragent, https_info)
 if self._request_header_on_debug:
 logger.debug("Request header:\n%s",
 pprint.pformat(self._scrub_headers(environ)))
From 36aba7a8b91ad209ffacc59088b20adcae6538ab Mon Sep 17 00:00:00 2001
From: Peter Bieringer
Date: Sat, 8 Mar 2025 17:00:01 +0100
Subject: [PATCH 4/4] update related to SSL logging
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fb6eb9a9..a3a99fc1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@
 * Review: Apache reverse proxy config example
 * Add: on-the-fly link activation and default content adjustment in case of bundled InfCloud (tested with 0.13.1)
 * Adjust: [auth] imap: use AUTHENTICATE PLAIN instead of LOGIN towards remote IMAP server
+* Improve: log client IP on SSL error and SSL protocol+cipher if successful
 ## 3.4.1
 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port
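Review bot: In the second hunk of radicale/app/__init__.py (patch 3/4), the `https_info` line joins `environ.get("SSL_PROTOCOL", "")` and `environ.get("SSL_CIPHER", "")` with `+`, and the `""` default only covers a missing key; a key that is present with the value None, which `SSLSocket.version()` on the server.py side can produce, would raise TypeError while the request log line is being built. Formatting instead of concatenating avoids that: `https_info = " %s %s" % (environ.get("SSL_PROTOCOL") or "-", environ.get("SSL_CIPHER") or "-")`. `if https:` is also true for any non-empty string, so a front-end WSGI server that sets `HTTPS` to `off` for plain HTTP would still get the suffix; testing `https.lower() in ("on", "1", "yes")` is stricter. The enclosing function starts and ends outside the hunk.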