Bug 1193241 - logconv.pl -- support parsing/showing/reporting different protocol versions
Summary: logconv.pl -- support parsing/showing/reporting different protocol versions
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2015-02-16 23:35 UTC by Noriko Hosoi
Modified: 2015-07-22 06:36 UTC (History)

logconv.pl utility supports the new SSL/TLS format in the access log.
Clone Of:
Last Closed: 2015-07-22 06:36:58 UTC


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1326 normal SHIPPED_LIVE 389-ds-base bug fix and enhancement update 2015-07-20 17:53:07 UTC

Description Noriko Hosoi 2015-02-16 23:35:42 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47949

See Ticket #47945: Add SSL/TLS version info to the access log

Sample access log:

    SSL
    .. conn=3 fd=64 slot=64 SSL connection from ::1 to ::1
    .. conn=3 TLS1.2 128-bit AES-GCM

    startTLS
    .. conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
    .. conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
    .. conn=4 TLS1.2 128-bit AES-GCM
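The two log shapes in the sample (an LDAPS connection line followed by its protocol line, and a startTLS extended op on a plain connection followed by its protocol line) are what logconv.pl has to recognise, alongside the older line that carried no protocol version. The script below is an added example, not code from this bug report or from 389-ds-base's logconv.pl: it tallies the same counters the tool prints (total/LDAP/LDAPI/LDAPS connections, StartTLS extended ops, and a per-protocol-and-cipher breakdown) and flags sessions on protocol versions an administrator would want to retire. The timestamps, the LDAPI line (`connection from local to <socket>`), and the bare `SSL 128-bit AES` line standing in for the legacy access-log format are constructed sample data and assumptions, not quoted from the page.

```python
import re
from collections import Counter

# Constructed sample in 389-ds access-log style. The conn=3/conn=4 lines mirror the
# bug report's sample; the timestamps, the LDAPI line (conn=8) and the bare
# "SSL 128-bit AES" legacy line (conn=6, assumed pre-fix format) are assumptions.
SAMPLE_LOG = """\
[16/Feb/2015:15:30:01 -0800] conn=3 fd=64 slot=64 SSL connection from ::1 to ::1
[16/Feb/2015:15:30:01 -0800] conn=3 TLS1.2 128-bit AES-GCM
[16/Feb/2015:15:30:02 -0800] conn=4 fd=65 slot=65 connection from ::1 to ::1
[16/Feb/2015:15:30:02 -0800] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[16/Feb/2015:15:30:02 -0800] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[16/Feb/2015:15:30:02 -0800] conn=4 TLS1.2 128-bit AES-GCM
[16/Feb/2015:15:30:03 -0800] conn=5 fd=66 slot=66 SSL connection from 127.0.0.1 to 127.0.0.1
[16/Feb/2015:15:30:03 -0800] conn=5 SSL3 128-bit AES
[16/Feb/2015:15:30:04 -0800] conn=6 fd=67 slot=67 SSL connection from 127.0.0.1 to 127.0.0.1
[16/Feb/2015:15:30:04 -0800] conn=6 SSL 128-bit AES
[16/Feb/2015:15:30:05 -0800] conn=7 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[16/Feb/2015:15:30:05 -0800] conn=7 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[16/Feb/2015:15:30:06 -0800] conn=8 fd=69 slot=69 connection from local to /var/run/slapd-example.socket
"""

# New connection: "SSL connection from" marks a connection on the secure port (LDAPS);
# "connection from local to <socket>" is LDAPI (assumed format); anything else is plain LDAP.
CONN_RE = re.compile(r"\bconn=(\d+) fd=\d+ slot=\d+ (SSL )?connection from (\S+) to ")
# startTLS extended operation, matched on its OID rather than on the name= attribute.
STARTTLS_RE = re.compile(r'\bconn=(\d+) op=\d+ EXT oid="1\.3\.6\.1\.4\.1\.1466\.20037"')
# Protocol line: "TLS1.2 128-bit AES-GCM", "SSL3 128-bit AES", or legacy "SSL 128-bit AES".
SECURE_RE = re.compile(r"\bconn=(\d+) ((TLS\d\.\d|SSL\d?) \d+-bit \S+)$")

LEGACY_VERSION = "SSL"                  # version token of the old, versionless log line
WEAK_PROTOCOLS = {"SSL3", "TLS1.0"}     # versions an administrator would want to retire


def summarize(log_text):
    """Count connections by type, startTLS ops, and protocol/cipher lines."""
    counts = {"total": 0, "ldap": 0, "ldapi": 0, "ldaps": 0, "starttls": 0}
    versions = Counter()
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            counts["total"] += 1
            if m.group(2):
                counts["ldaps"] += 1
            elif m.group(3) == "local":
                counts["ldapi"] += 1
            else:
                counts["ldap"] += 1
            continue
        if STARTTLS_RE.search(line):
            counts["starttls"] += 1
            continue
        m = SECURE_RE.search(line)
        if m:
            versions[m.group(2)] += 1
    counts["versions"] = dict(versions)
    return counts


def weak_protocol_sessions(summary):
    """Return (sessions on WEAK_PROTOCOLS, sessions whose legacy line gives no version)."""
    weak = unknown = 0
    for name, n in summary["versions"].items():
        version = name.split()[0]
        if version in WEAK_PROTOCOLS:
            weak += n
        elif version == LEGACY_VERSION:
            unknown += n
    return weak, unknown


def format_report(summary):
    """Render the summary in the same layout logconv.pl uses for this section."""
    lines = [
        "Total Connections:            %d" % summary["total"],
        " - LDAP Connections:          %d" % summary["ldap"],
        " - LDAPI Connections:         %d" % summary["ldapi"],
        " - LDAPS Connections:         %d" % summary["ldaps"],
        " - StartTLS Extended Ops:     %d" % summary["starttls"],
        " Secure Protocol Versions:",
    ]
    for name, n in sorted(summary["versions"].items(), key=lambda kv: (-kv[1], kv[0])):
        note = "    --> legacy access log" if name.split()[0] == LEGACY_VERSION else ""
        lines.append("  - %s - %d%s" % (name, n, note))
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(format_report(s))
    print("weak/unknown-version sessions: %d/%d" % weak_protocol_sessions(s))
```

Feeding a real access log in place of `SAMPLE_LOG` gives the same breakdown the verification comments show; the point of the separate `weak_protocol_sessions` count is that a legacy `SSL ...` line cannot tell you whether the client negotiated SSL3 or TLS1.2, which is exactly why the versioned line was added to the log.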

Comment 2 Noriko Hosoi 2015-02-20 02:20:29 UTC
Steps to verify:

Run logconv.pl against the access log from the server with SSL/TLS enabled.

Get an access log from the rhel-6.7 389-ds-base (389-ds-base-1.2.11.15-51.el6) as well as the rhel-6.6.z one (it logs the line commented with "legacy access log").

Total Connections:            293
 - LDAP Connections:          281
 - LDAPI Connections:         0
 - LDAPS Connections:         12
 - StartTLS Extended Ops:     10
 Secure Protocol Versions:
  - TLS1.2 128-bit AES - 7
  - TLS1.1 128-bit AES - 1
  - SSL3 128-bit AES - 2
  - SSL 128-bit AES - 4    --> legacy access log

Comment 3 Viktor Ashirov 2015-04-11 23:35:00 UTC
I ran sslscan against ns-slapd on a secure port. Then converted access logs using logconv.pl from 389-ds-base-1.2.11.15-53.

Log from RHEL66 (389-ds-base-1.2.11.15-46.el6.x86_64):

Total Connections:            3372
 - LDAP Connections:          5
 - LDAPI Connections:         0
 - LDAPS Connections:         3367
 - StartTLS Extended Ops:     0
 Secure Protocol Versions:
  - SSL 56-bit DES - 9
  - SSL 40-bit RC4 - 9
  - SSL 40-bit RC2 - 9
  - SSL 256-bit AES - 9
  - SSL 128-bit RC4 - 18
  - SSL 128-bit AES - 25
  - SSL 112-bit 3DES - 9

Log from RHEL67 (389-ds-base-1.2.11.15-53.el6.x86_64):

Total Connections:            4815
 - LDAP Connections:          4
 - LDAPI Connections:         0
 - LDAPS Connections:         4811
 - StartTLS Extended Ops:     0
 Secure Protocol Versions:
  - TLS1.2 56-bit DES - 10
  - TLS1.2 256-bit AES - 21
  - TLS1.2 128-bit RC4 - 20
  - TLS1.2 128-bit AES-GCM - 30
  - TLS1.2 128-bit AES - 20
  - TLS1.2 112-bit 3DES - 10
  - TLS1.1 56-bit DES - 10
  - TLS1.1 256-bit AES - 18
  - TLS1.1 128-bit RC4 - 20
  - TLS1.1 128-bit AES - 12
  - TLS1.1 112-bit 3DES - 10
  - TLS1.0 56-bit DES - 10
  - TLS1.0 40-bit RC4 - 10
  - TLS1.0 40-bit RC2 - 10
  - TLS1.0 256-bit AES - 18
  - TLS1.0 128-bit RC4 - 20
  - TLS1.0 128-bit AES - 12
  - TLS1.0 112-bit 3DES - 10
  - SSL3 56-bit DES - 9
  - SSL3 40-bit RC4 - 9
  - SSL3 40-bit RC2 - 9
  - SSL3 256-bit AES - 17
  - SSL3 128-bit RC4 - 18
  - SSL3 128-bit AES - 10
  - SSL3 112-bit 3DES - 9

Marking as VERIFIED

Comment 4 errata-xmlrpc 2015-07-22 06:36:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1326.html
