0006113: Access-logging of TLS protocol version and used Cipher-Suite

Viewing Issue Simple Details [ Jump to Notes ]

[ View Advanced ] [ Issue History ] [ Print ]

Category

Severity

Reproducibility

Date Submitted

Last Update

0006113

[Resin]

feature

always

11-22-17 12:15

02-07-18 15:23

Reporter

stbu

View Status

public

Assigned To

ferg

Priority

normal

Resolution

fixed

Status

closed

Product Version

4.0.54

Summary

0006113: Access-logging of TLS protocol version and used Cipher-Suite

Description

Dear Caucho Team,

given that Support for TLS 1.0 should be removed latest by End of June 2018 [1] (also from Webservers) I would really like to be able to track usage and progress on this based on HTTP connections made to our Resin Server. This would allow to decide whether or not it's safe to disable that outdated protocol.

Would it be possible to add the following TLS Session Information as variables to the Resin access-logging variables [2]?
- TLS protocol version (e.g. TLSv1.0, TLSv1.1, TLSv1.2)
- Used Cipher-Suite (such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
based on a SSLSession from both possible SSL configuration options (<jsse-ssl> and <openssl>)?

Other webservers such as NGINX offer these (and more) variables for logging:
See also:
https://serverfault.com/questions/620123/how-can-i-let-nginx-log-the-used-ssl-tls-protocol-and-ciphersuite [^]
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables [^]

References:
[1] See also: https://www.pcicomplianceguide.org/ssl-and-early-tls-new-migration-dates-announced/ [^]
[2] http://www.caucho.com/resin-4.0/admin/logging.xtp#access-log [^]

-- Steffen

Additional Information

Relationships

Notes
(0006820) ferg 02-07-18 15:23	network/0533 Added %{ssl_protocol}V and %{ssl_cipher_suite}V