See Ticket #47945: Add SSL/TLS version info to the access log
Sample access log:
{{{
SSL
.. conn=3 fd=64 slot=64 SSL connection from ::1 to ::1
.. conn=3 TLS1.2 128-bit AES-GCM

startTLS
.. conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
.. conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
.. conn=4 TLS1.2 128-bit AES-GCM
}}}
New connection output section:
{{{
Total Connections: 283
 - LDAP Connections: 275
 - LDAPI Connections: 0
 - LDAPS Connections: 8
 - StartTLS Extended Ops: 9

Secure Protocol Versions:
 - TLS1.2 128-bit AES - 7
 - TLS1.1 128-bit AES - 1
 - SSL3 128-bit AES - 2
}}}
Very nice!!
Looks like this will fix a divide by zero problem we've seen in the past? Not sure if there is a ticket/bz open for that.
What happens if you run this against an older access log that doesn't have the SSL/TLS version information?
Replying to [comment:4 rmeggins]:
It is a division by zero, but it manifests itself differently than the previous division issue. In this case my access log only had one operation in it (all from the same second). So there was no elapsed time (0), which led to the division by zero. Definitely a corner case. However, I'm not finding another ticket/bug regarding the division by zero, but I recall working on it.
It displays it like this (regardless of whether TLS or SSL3 is used):
{{{ - SSL128-bit AES - 4 }}}
A bit sloppy, so I'll revise it...
revision 0001-Ticket-47949-logconv.pl-support-parsing-showing-repo.patch
Here is the new output showing the detailed SSL version, and the legacy access log with the plain SSL version info:
{{{
Total Connections: 293
 - LDAP Connections: 281
 - LDAPI Connections: 0
 - LDAPS Connections: 12
 - StartTLS Extended Ops: 10

Secure Protocol Versions:
 - TLS1.2 128-bit AES - 7
 - TLS1.1 128-bit AES - 1
 - SSL3 128-bit AES - 2
 - SSL 128-bit AES - 4 --> legacy access log
}}}
New patch attached...
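The tally discussed above, sketched as an added example (this is not logconv.pl code and not part of the ticket). It counts the protocol/cipher lines, keeps the legacy bare "SSL" entries as their own bucket, and returns no rate when every entry falls in the same second; the timestamps, the conn=5 and conn=6 lines, and the `flagged` list are assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the access log layout; timestamps and conn ids are made up.
SAMPLE = """\
[05/Dec/2014:15:42:45 -0500] conn=3 fd=64 slot=64 SSL connection from ::1 to ::1
[05/Dec/2014:15:42:45 -0500] conn=3 TLS1.2 128-bit AES-GCM
[05/Dec/2014:15:42:45 -0500] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[05/Dec/2014:15:42:45 -0500] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[05/Dec/2014:15:42:45 -0500] conn=4 TLS1.2 128-bit AES-GCM
[05/Dec/2014:15:42:45 -0500] conn=5 SSL3 128-bit AES
[05/Dec/2014:15:42:45 -0500] conn=6 SSL 128-bit AES
"""

TS = re.compile(r"^\[([^\]]+)\]")
# Protocol token (TLS1.2, SSL3, or the legacy bare "SSL"), then key size and cipher.
# "SSL connection from ..." cannot match because "<n>-bit" is required.
PROTO = re.compile(r"\bconn=\d+ ((?:TLS|SSL)[\d.]*) (\d+-bit \S+)")
STARTTLS_OID = 'oid="1.3.6.1.4.1.1466.20037"'
FLAG_PREFIXES = ("SSL",)  # assumption: SSL3 and unversioned legacy "SSL" go up for review


def summarize(text):
    """Return protocol tallies, StartTLS count, ops/sec and flagged protocol entries."""
    versions, starttls, ops, stamps = Counter(), 0, 0, []
    for line in text.splitlines():
        m = TS.match(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z"))
        if " op=" in line and " RESULT " in line:
            ops += 1
        if STARTTLS_OID in line:
            starttls += 1
        p = PROTO.search(line)
        if p:
            versions[f"{p.group(1)} {p.group(2)}"] += 1
    elapsed = (max(stamps) - min(stamps)).total_seconds() if stamps else 0
    # A log confined to one second has elapsed == 0: report no rate instead of dividing.
    rate = ops / elapsed if elapsed > 0 else None
    flagged = sorted(v for v in versions if v.startswith(FLAG_PREFIXES))
    return {"versions": dict(versions), "starttls": starttls,
            "ops_per_sec": rate, "flagged": flagged}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```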
This ticket needs to stay in sync with https://fedorahosted.org/389/ticket/47945
Currently only applying to 1.3.3 and up.
42f935a..7aeeb7c master -> master
commit 7aeeb7c
Author: Mark Reynolds mreynolds@redhat.com
Date: Fri Dec 5 15:42:45 2014 -0500
d06b397..8b7ae6d 389-ds-base-1.3.3 -> 389-ds-base-1.3.3 commit 8b7ae6d
Thanks for waiting, Mark. Please go ahead and close this ticket with "fixed".
df7bafa..a31bd5c 389-ds-base-1.3.2 -> 389-ds-base-1.3.2 commit a31bd5c
c7c0e75..d1b5c7a 389-ds-base-1.3.1 -> 389-ds-base-1.3.1 commit d1b5c7a63d12d1700db83ca5db95d2d2e6da87cd
c1ba7eb..099d1ce 389-ds-base-1.2.11 -> 389-ds-base-1.2.11 commit 099d1ce
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1193241
Metadata Update from @nhosoi: - Issue assigned to mreynolds - Issue set to the milestone: 1.2.11.33
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1280
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)