How to see TLS connections on log files

Information


Summary:

Evaluate TLS connections via log.  

Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: Any

Question/Problem Description:

Log the TLS connections on the LoadMaster so the TLS version negotiated by each client can be checked.

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause:


Resolution:

Enable "Add Received Cipher Name" on the Virtual Service, then configure IIS or Apache logging to record the headers that carry the TLS information.
Virtual Services -> View/Modify Services -> Select VS - Modify -> SSL Options -> Add Received Cipher Name

Note: This only works when SSL is enabled on the KEMP LoadMaster (the Virtual Service must be terminating TLS).

The real server has to be configured to record the extra headers; once it is, they appear in the normal web server logs.
For example, see the guides below on how to enable X-Forwarded-For logging and apply the same steps to the X-SSL-Protocol and X-SSL-Cipher headers that you want to record.



Add Received Cipher Name
In LoadMaster version 7.2.52 and above, a new check box called Add Received Cipher Name was added. This option is disabled by default. When it is enabled, the LoadMaster adds X-SSL headers containing client SSL information such as the TLS version, the TLS cipher, the client certificate serial number and the SNI host, as described in the table below.

Header                 Description                                      Example Value                                                   Content Rule Variable
X-SSL-Cipher           The cipher used.                                 X-SSL-Cipher: ECDHE-RSA-AES256-GCM-SHA384                       ssl-cipher
X-SSL-Protocol         The SSL protocol version used.                   X-SSL-Protocol: TLSv1.2                                         ssl-version
X-SSL-Serialid         The Virtual Service certificate serial number.   X-SSL-Serialid: 4900000006A2ABDC165ACEAD55000000000006         ssl-clientserialid
X-SSL-ClientSerialid   The client certificate serial number.            X-SSL-ClientSerialid: 490000005D6898F3C7E590536100010000005D   ssl-serialid
X-SSL-SNIHost          The value of the received SNI name.              X-SSL-SNIHost: sni.test.com                                     ssl-sni


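Once the web server logs the X-SSL-Protocol and X-SSL-Cipher headers, the log can be summarised to see which TLS versions clients actually negotiate and which clients still use legacy versions. The script below is an added example, not part of the Kemp article or product: the IIS W3C log excerpt is constructed, and it assumes IIS enhanced logging was set up with custom fields named X-SSL-Protocol and X-SSL-Cipher.

```python
"""Summarise client TLS versions from a W3C web-server log that records the
X-SSL-Protocol / X-SSL-Cipher headers inserted by the LoadMaster."""
from collections import Counter, defaultdict

# Constructed IIS W3C log excerpt (sample data, not from a real server).
# The custom field names X-SSL-Protocol / X-SSL-Cipher are an assumption about
# how the IIS custom logging fields were named.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status X-SSL-Protocol X-SSL-Cipher
2024-01-15 10:00:01 10.1.1.20 GET /index.html 200 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2024-01-15 10:00:02 10.1.1.21 GET /login 200 TLSv1.3 TLS_AES_256_GCM_SHA384
2024-01-15 10:00:03 10.1.1.22 POST /api 200 TLSv1 AES128-SHA
2024-01-15 10:00:04 10.1.1.20 GET /img.png 200 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2024-01-15 10:00:05 10.1.1.23 GET /health 200 - -
"""

# Protocol versions a defender normally wants to retire from the Virtual Service.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_w3c(text):
    """Yield one dict per request, mapping columns via the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def tls_summary(text, proto_field="X-SSL-Protocol", cipher_field="X-SSL-Cipher"):
    """Count negotiated protocol versions and collect clients still on legacy TLS.

    A '-' value means the header was absent, e.g. a plain-HTTP probe or a
    Virtual Service without SSL enabled, so those requests carry no TLS data."""
    versions = Counter()
    legacy_clients = defaultdict(set)  # client IP -> {(protocol, cipher), ...}
    for rec in parse_w3c(text):
        proto = rec.get(proto_field, "-")
        versions[proto] += 1
        if proto in LEGACY:
            legacy_clients[rec["c-ip"]].add((proto, rec.get(cipher_field, "-")))
    return versions, {ip: sorted(v) for ip, v in legacy_clients.items()}


if __name__ == "__main__":
    versions, legacy = tls_summary(SAMPLE_LOG)
    for proto, count in versions.most_common():
        print(f"{proto:10} {count}")
    for ip, combos in legacy.items():
        print(f"legacy TLS from {ip}: {combos}")
```

For Apache, log the same headers with a LogFormat containing %{X-SSL-Protocol}i and %{X-SSL-Cipher}i and adapt the parser to that line layout.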


Workaround:  
Notes:

How to Add an X-Forwarded-For Header and Configure IIS Logging 

Apache x-forward-for
