Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/389/ticket/47949 See Ticket #47945: Add SSL/TLS version info to the access log Sample access log: SSL .. conn=3 fd=64 slot=64 SSL connection from ::1 to ::1 .. conn=3 TLS1.2 128-bit AES-GCM startTLS .. conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" .. conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0 .. conn=4 TLS1.2 128-bit AES-GCM
Steps to verify: Run logconv.pl against the access log from the server with SSL/TLS enabled. Get an access log from the rhel-6.7 389-ds-base (389-ds-base-1.2.11.15-51.el6) as well as the rhel-6.6.z one (it logs the line commented with "legacy access log"). Total Connections: 293 - LDAP Connections: 281 - LDAPI Connections: 0 - LDAPS Connections: 12 - StartTLS Extended Ops: 10 Secure Protocol Versions: - TLS1.2 128-bit AES - 7 - TLS1.1 128-bit AES - 1 - SSL3 128-bit AES - 2 - SSL 128-bit AES - 4 --> legacy access log
I ran sslscan against ns-slapd on a secure port. Then converted access logs using logconv.pl from 389-ds-base-1.2.11.15-53. Log from RHEL66 (389-ds-base-1.2.11.15-46.el6.x86_64): Total Connections: 3372 - LDAP Connections: 5 - LDAPI Connections: 0 - LDAPS Connections: 3367 - StartTLS Extended Ops: 0 Secure Protocol Versions: - SSL 56-bit DES - 9 - SSL 40-bit RC4 - 9 - SSL 40-bit RC2 - 9 - SSL 256-bit AES - 9 - SSL 128-bit RC4 - 18 - SSL 128-bit AES - 25 - SSL 112-bit 3DES - 9 Log from RHEL67 (389-ds-base-1.2.11.15-53.el6.x86_64) Total Connections: 4815 - LDAP Connections: 4 - LDAPI Connections: 0 - LDAPS Connections: 4811 - StartTLS Extended Ops: 0 Secure Protocol Versions: - TLS1.2 56-bit DES - 10 - TLS1.2 256-bit AES - 21 - TLS1.2 128-bit RC4 - 20 - TLS1.2 128-bit AES-GCM - 30 - TLS1.2 128-bit AES - 20 - TLS1.2 112-bit 3DES - 10 - TLS1.1 56-bit DES - 10 - TLS1.1 256-bit AES - 18 - TLS1.1 128-bit RC4 - 20 - TLS1.1 128-bit AES - 12 - TLS1.1 112-bit 3DES - 10 - TLS1.0 56-bit DES - 10 - TLS1.0 40-bit RC4 - 10 - TLS1.0 40-bit RC2 - 10 - TLS1.0 256-bit AES - 18 - TLS1.0 128-bit RC4 - 20 - TLS1.0 128-bit AES - 12 - TLS1.0 112-bit 3DES - 10 - SSL3 56-bit DES - 9 - SSL3 40-bit RC4 - 9 - SSL3 40-bit RC2 - 9 - SSL3 256-bit AES - 17 - SSL3 128-bit RC4 - 18 - SSL3 128-bit AES - 10 - SSL3 112-bit 3DES - 9 Marking as VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-1326.html