Is it possible to log the TLS protocol version that the client wants to use without intercepting SSL?

Article ID: 171606

Products

ProxySG Software - SGOS

Issue/Introduction

You would like to identify which users are still using weaker SSL/TLS protocol versions

You are not intercepting SSL

Resolution

It is possible to log the protocol version and other TLS/SSL attributes without intercepting SSL. However, you must enable protocol detection; otherwise the data will not show up in the access log.

Assuming you will be creating a separate log for this, the steps are as follows:

1. Create a new log format

From the GUI: Configuration -> Access Logging -> Formats -> New

Give the format a name, make sure W3C Extended Log File Format is selected, then copy the following fields:


date time time-taken c-ip s-action cs-categories x-rs-certificate-validate-status x-rs-certificate-observed-errors cs-uri-scheme s-ip cs-host x-rs-connection-negotiated-ssl-version x-rs-connection-negotiated-cipher x-rs-connection-negotiated-cipher-size x-rs-certificate-hostname x-rs-certificate-hostname-category x-cs-connection-negotiated-ssl-version x-cs-connection-negotiated-cipher x-cs-connection-negotiated-cipher-size

Test the format to make sure no errors exist.

2. Associate the new format with a log

Again from the GUI: Configuration -> Access Logging -> Logs -> New

Give the log a name, select the format you just created from the "Format" dropdown list, and click OK.

3. Finally, create policy to write to the new log. This can be done either from the VPM or in CPL. The following is an example in CPL:

<Proxy>
  access_log[NameOfTheLog](yes)

The following is an example of the output produced. Note that in this example we see both the client-side and server-side data:

2018-04-27 11:22:19 66891 192.168.1.7 TUNNELED "Search Engines/Portals" CERT_VALID none ssl 192.168.1.3 ssl.gstatic.com TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 128 - "Search Engines/Portals" TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 128
2018-04-27 11:22:19 66888 192.168.1.7 TUNNELED "Search Engines/Portals" CERT_VALID none ssl 192.168.1.3 www.gstatic.com TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 128 - "Search Engines/Portals" TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 128
2018-04-27 11:22:19 66894 192.168.1.7 TUNNELED "Non-Viewable/Infrastructure" CERT_VALID none ssl 192.168.1.3 apis.google.com TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 128 - "Non-Viewable/Infrastructure" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 128
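
To answer the original question (which users still negotiate weaker versions), the log can be summarised per client IP. The following Python script is an added example, not part of the original article or of SGOS. It assumes the field order from step 1, an accepted-version set that you should adjust to local policy, and version strings spelled like the "TLSv1.2" in the output above; the "TLSv1" line in the sample is constructed.

```python
import csv
from collections import defaultdict

# Field order copied from the log format defined in step 1.
FIELDS = (
    "date time time-taken c-ip s-action cs-categories "
    "x-rs-certificate-validate-status x-rs-certificate-observed-errors "
    "cs-uri-scheme s-ip cs-host x-rs-connection-negotiated-ssl-version "
    "x-rs-connection-negotiated-cipher x-rs-connection-negotiated-cipher-size "
    "x-rs-certificate-hostname x-rs-certificate-hostname-category "
    "x-cs-connection-negotiated-ssl-version x-cs-connection-negotiated-cipher "
    "x-cs-connection-negotiated-cipher-size"
).split()
CLIENT_VER = FIELDS[16]  # x-cs-connection-negotiated-ssl-version
# Assumption: acceptable versions; "TLSv1.3" is an assumed spelling.
ACCEPTED = {"TLSv1.2", "TLSv1.3"}

def parse_line(line):
    """Return a field dict, or None for header/comment/malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # csv keeps quoted values such as "Search Engines/Portals" as one field
    values = next(csv.reader([line], delimiter=" ", skipinitialspace=True))
    return dict(zip(FIELDS, values)) if len(values) == len(FIELDS) else None

def weak_clients(lines):
    """Map client IP -> {client-side version: sorted hosts} outside ACCEPTED."""
    report = defaultdict(lambda: defaultdict(set))
    for rec in filter(None, map(parse_line, lines)):
        ver = rec[CLIENT_VER]
        if ver != "-" and ver not in ACCEPTED:  # "-" means nothing was logged
            report[rec["c-ip"]][ver].add(rec["cs-host"])
    return {ip: {v: sorted(h) for v, h in vs.items()} for ip, vs in report.items()}

# Constructed sample: a header line, one line from the article, one made-up line.
SAMPLE = [
    "#Fields: " + " ".join(FIELDS),
    '2018-04-27 11:22:19 66891 192.168.1.7 TUNNELED "Search Engines/Portals" CERT_VALID none ssl 192.168.1.3 ssl.gstatic.com TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 128 - "Search Engines/Portals" TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 128',
    '2018-04-27 11:22:20 512 192.168.1.9 TUNNELED "Non-Viewable/Infrastructure" CERT_VALID none ssl 192.168.1.3 legacy.example.com TLSv1 AES128-SHA 128 - "Non-Viewable/Infrastructure" TLSv1 AES128-SHA 128',
]

if __name__ == "__main__":
    for ip, versions in weak_clients(SAMPLE).items():
        print(ip, versions)
```

Lines whose field count does not match the format are skipped, so the script must be kept in sync with any change to the format string.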