CSAM: SSL Request Logs
Today you may have noticed that the ISC website was down for a few minutes. This was the result of tuning our SSL configuration a bit. Configuring SSL is a bit of a balancing act. First, you want to configure SSL as securely as possible, which means limiting yourself to the strongest and most modern ciphers. Second, you want to make sure that all of your users are still able to connect and that you are not losing any old browsers that you still need to support. There are hundreds if not thousands of possible combinations (operating system, browser, SSL library version), which makes it hard to predict what is going to happen.
Luckily, web servers like Apache have a feature to log what cipher is negotiated for a given connection.
In order to enable this feature, you use the "CustomLog" configuration directive. I am using:
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{User-Agent}i"
This will log the access time (%t), the client IP address (%h), the SSL protocol ( %{SSL_PROTOCOL}x ), the SSL cipher ( %{SSL_CIPHER}x ) and the user agent. You could just add this to your normal access log as well, but I prefer to keep it in a separate log.
Here are a couple of lines from the log:
[09/Oct/2013:17:46:21 +0000] x.x.x.x TLSv1 AES-256 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)
[09/Oct/2013:17:46:21 +0000] y.y.y.y TLSv1 AES-256 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
[09/Oct/2013:17:54:28 +0000] z.z.z.z TLSv1 RC4 Motorola
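To see which clients depend on a given cipher before disabling it, the log can be tallied per protocol/cipher pair. The following Python script is an added example, not part of the original diary; the sample lines are constructed from the ones above, and the "-" entry assumes Apache's convention of logging "-" for a variable that is not set.

```python
import re
from collections import Counter, defaultdict

# Matches the CustomLog format above: %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{User-Agent}i
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\]\s+(?P<host>\S+)\s+(?P<proto>\S+)\s+(?P<cipher>\S+)\s+(?P<agent>.*)$'
)

# Constructed sample input, modelled on the log lines shown above.
SAMPLE_LOG = """\
[09/Oct/2013:17:46:21 +0000] x.x.x.x TLSv1 AES-256 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)
[09/Oct/2013:17:46:21 +0000] y.y.y.y TLSv1 AES-256 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
[09/Oct/2013:17:54:28 +0000] z.z.z.z TLSv1 RC4 Motorola
[09/Oct/2013:17:55:02 +0000] z.z.z.z TLSv1 RC4 Motorola
[09/Oct/2013:17:56:10 +0000] w.w.w.w - - -
not a log line
"""

def summarize(lines):
    """Count (protocol, cipher) pairs and the user agents seen for each pair."""
    pairs = Counter()
    agents = defaultdict(Counter)
    skipped = 0  # lines that do not follow the format (truncated, corrupted)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        key = (m["proto"], m["cipher"])  # ("-", "-") = nothing negotiated (assumption)
        pairs[key] += 1
        agents[key][m["agent"].strip('"')] += 1
    return pairs, agents, skipped

def clients_affected(agents, cipher):
    """User agents that negotiated `cipher`: the ones to test before disabling it."""
    hit = Counter()
    for (_, c), seen in agents.items():
        if c == cipher:
            hit.update(seen)
    return hit

if __name__ == "__main__":
    pairs, agents, skipped = summarize(SAMPLE_LOG.splitlines())
    for (proto, cipher), n in pairs.most_common():
        print(f"{n:5d}  {proto:8s} {cipher}")
    print("RC4 clients:", dict(clients_affected(agents, "RC4")))
    print("unparsed lines:", skipped)
```

Run it against the real ssl_request_log by passing the open file object to summarize() instead of the sample.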
You will also see failed connections that did not manage to negotiate a connection:
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute