Bug 1193241

Summary: logconv.pl -- support parsing/showing/reporting different protocol versions
Product: Red Hat Enterprise Linux 6
Reporter: Noriko Hosoi <nhosoi>
Component: 389-ds-base
Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.0
CC: nkinder, rmeggins
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: 389-ds-base-1.2.11.15-51.el6
Doc Type: Bug Fix
Doc Text:
logconv.pl utility supports the new SSL/TLS format in the access log.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-22 06:36:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Noriko Hosoi 2015-02-16 23:35:42 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47949

See Ticket #47945: Add SSL/TLS version info to the access log

Sample access log:

    SSL
    .. conn=3 fd=64 slot=64 SSL connection from ::1 to ::1
    .. conn=3 TLS1.2 128-bit AES-GCM

    startTLS
    .. conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
    .. conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
    .. conn=4 TLS1.2 128-bit AES-GCM

Comment 2 Noriko Hosoi 2015-02-20 02:20:29 UTC
Steps to verify:

Run logconv.pl against the access log from the server with SSL/TLS enabled.

Get an access log from the rhel-6.7 389-ds-base (389-ds-base-1.2.11.15-51.el6) as well as the rhel-6.6.z one (it logs the line commented with "legacy access log").

Total Connections:            293
 - LDAP Connections:          281
 - LDAPI Connections:         0
 - LDAPS Connections:         12
 - StartTLS Extended Ops:     10
 Secure Protocol Versions:
  - TLS1.2 128-bit AES - 7
  - TLS1.1 128-bit AES - 1
  - SSL3 128-bit AES - 2
  - SSL 128-bit AES - 4    --> legacy access log
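
As an added illustration of the counting behind the report above (example code, not logconv.pl's own), the following Python walks access-log lines in the format quoted in the description, counts LDAPS connections and startTLS extended operations per connection, and buckets the per-connection cipher lines into the "Secure Protocol Versions" groups. The sample lines are constructed from the ticket's examples with a placeholder timestamp; the legacy line form `conn=N SSL 128-bit AES` (no protocol version) is an assumption.

```python
import re
from collections import Counter

# Patterns modelled on the access-log lines quoted in the ticket description.
SSL_CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ SSL connection from")
STARTTLS_RE = re.compile(r'conn=(\d+) op=\d+ EXT oid="1\.3\.6\.1\.4\.1\.1466\.20037"')
# New format: "conn=3 TLS1.2 128-bit AES-GCM". The legacy line is assumed to be
# "conn=3 SSL 128-bit AES" (no version), which lands in the "SSL ..." bucket.
CIPHER_RE = re.compile(r"conn=(\d+) (SSL\d*|TLS\d\.\d) (\d+)-bit (\S+)$")

def summarize(lines):
    """Return (ldaps_connections, starttls_ops, Counter of 'PROTO NN-bit CIPHER')."""
    ldaps = set()          # distinct conn ids opened directly over SSL/TLS
    starttls = 0           # startTLS extended operations seen
    versions = Counter()   # one entry per negotiated protocol/cipher line
    for line in lines:
        line = line.rstrip()
        if m := SSL_CONN_RE.search(line):
            ldaps.add(m.group(1))
        elif STARTTLS_RE.search(line):
            starttls += 1
        elif m := CIPHER_RE.search(line):
            _, proto, bits, cipher = m.groups()
            versions[f"{proto} {bits}-bit {cipher}"] += 1
    return len(ldaps), starttls, versions

def report(lines):
    """Render the counters in the layout logconv.pl prints in this ticket."""
    ldaps, starttls, versions = summarize(lines)
    out = [f" - LDAPS Connections:         {ldaps}",
           f" - StartTLS Extended Ops:     {starttls}",
           " Secure Protocol Versions:"]
    out += [f"  - {key} - {n}" for key, n in versions.most_common()]
    return "\n".join(out)

# Constructed sample; "[..]" stands in for the timestamp prefix.
SAMPLE_LOG = """\
[..] conn=3 fd=64 slot=64 SSL connection from ::1 to ::1
[..] conn=3 TLS1.2 128-bit AES-GCM
[..] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[..] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[..] conn=4 TLS1.2 128-bit AES-GCM
[..] conn=5 fd=65 slot=65 SSL connection from ::1 to ::1
[..] conn=5 SSL3 128-bit AES
[..] conn=6 fd=66 slot=66 SSL connection from ::1 to ::1
[..] conn=6 SSL 128-bit AES
""".splitlines()

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```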

Comment 3 Viktor Ashirov 2015-04-11 23:35:00 UTC
I ran sslscan against ns-slapd on a secure port. Then converted access logs using logconv.pl from 389-ds-base-1.2.11.15-53.

Log from RHEL66 (389-ds-base-1.2.11.15-46.el6.x86_64):

Total Connections:            3372
 - LDAP Connections:          5
 - LDAPI Connections:         0
 - LDAPS Connections:         3367
 - StartTLS Extended Ops:     0
 Secure Protocol Versions:
  - SSL 56-bit DES - 9
  - SSL 40-bit RC4 - 9
  - SSL 40-bit RC2 - 9
  - SSL 256-bit AES - 9
  - SSL 128-bit RC4 - 18
  - SSL 128-bit AES - 25
  - SSL 112-bit 3DES - 9

Log from RHEL67 (389-ds-base-1.2.11.15-53.el6.x86_64):

Total Connections:            4815
 - LDAP Connections:          4
 - LDAPI Connections:         0
 - LDAPS Connections:         4811
 - StartTLS Extended Ops:     0
 Secure Protocol Versions:
  - TLS1.2 56-bit DES - 10
  - TLS1.2 256-bit AES - 21
  - TLS1.2 128-bit RC4 - 20
  - TLS1.2 128-bit AES-GCM - 30
  - TLS1.2 128-bit AES - 20
  - TLS1.2 112-bit 3DES - 10
  - TLS1.1 56-bit DES - 10
  - TLS1.1 256-bit AES - 18
  - TLS1.1 128-bit RC4 - 20
  - TLS1.1 128-bit AES - 12
  - TLS1.1 112-bit 3DES - 10
  - TLS1.0 56-bit DES - 10
  - TLS1.0 40-bit RC4 - 10
  - TLS1.0 40-bit RC2 - 10
  - TLS1.0 256-bit AES - 18
  - TLS1.0 128-bit RC4 - 20
  - TLS1.0 128-bit AES - 12
  - TLS1.0 112-bit 3DES - 10
  - SSL3 56-bit DES - 9
  - SSL3 40-bit RC4 - 9
  - SSL3 40-bit RC2 - 9
  - SSL3 256-bit AES - 17
  - SSL3 128-bit RC4 - 18
  - SSL3 128-bit AES - 10
  - SSL3 112-bit 3DES - 9

Marking as VERIFIED

Comment 4 errata-xmlrpc 2015-07-22 06:36:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1326.html