Re: Logging Negotiated Ciphers?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Bryan K. Walton wrote:
> Is it possible to log the negotiated ciphers used between a client and
> our 389ds server?  I've played around with different logging levels and
> none seem to show the agreed upon set of ciphers used for each
> connection.  The reason we would like to log this, if possible, is
> because we would like to prevent the use of some ciphers, but would like
> to know which clients might be using those ciphers.
> 
> Our 389ds version is 1.2.2.

389-ds is unaware of that negotiation so wouldn't be able to log it. It
only gets the negotiated cipher and does log that.

If you want to prevent the user of some ciphers then why not disable
them in configuration? It won't solve the goal of "what clients are
using disallowed ciphers" but it will protect your server. And I suppose
the clients may end up screaming about being unable to connect so
perhaps they will out themselves.

That said, a line analyzer would be able to do this, you'd just have to
sift through all the connection logs. I don't know what sort of
performance impact this would have, how huge the logs would be or how
difficult it would be to find what you want in it.

There are also SSL proxies that can decode parts of the handshake which
can display the cipher list, like ssltap, but it would require you to
change the listening port of 389-ds so that the proxy can own 389/636.

rob
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux