
Forwarding Client Cipher and Protocol in a header to real servers


Information


Summary:

How to forward the client-side cipher and protocol as HTTP headers to the real server for logging in Internet Information Services (IIS).

Environment:

Product: LoadMaster

Version: 7.2.57

Platform: 

Application:

Question/Problem Description:

Is it possible to forward the client-side cipher and protocol used, within a header, to the backend real server for logging purposes?

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause: There is a desire for more visibility and logging on the IIS real server about the SSL/TLS connection made by the client.
Resolution:

The X-Forwarded-For (XFF) HTTP header field is a standard method for identifying the originating IP address of a client connecting to a server through the Kemp LoadMaster or any proxy.

Since version 7.2.52 the LoadMaster can also add the following headers:

  • X-SSL-Cipher
  • X-SSL-Protocol
  • X-SSL-Serialid
  • X-SSL-ClientSerialid
  • X-SSL-SNIHost

A new check box, Add Received Cipher Name, has been added to the SSL Properties section for HTTP/HTTPS Virtual Services. When this option is enabled, the LoadMaster adds the HTTP headers described in the table below to client requests with the indicated values.

The information added to the HTTP headers can also be used by the destination real servers to, for example, track which cipher suites are actually negotiated over time and retire cipher sets that are no longer being used.

Header                Description                            Example Value
--------------------  -------------------------------------  ----------------------------------------
X-SSL-Cipher          The cipher used.                       ECDHE-RSA-AES256-GCM-SHA384
X-SSL-Protocol        The SSL protocol version used.         TLSv1.2
X-SSL-Serialid        The VS certificate serial number.      4900000006A2ABDC165ACEAD55000000000006
X-SSL-ClientSerialid  The client certificate serial number.  490000005D6898F3C7E590536100010000005D
X-SSL-SNIHost         The value of the received SNI name.    sni.test.com

Note: The addition of the X-Forwarded-For header is only available for HTTP and HTTPS traffic with SSL Offloading.


To do this, enable the Add Received Cipher Name check box under SSL Properties on an SSL offloaded or re-encrypted Virtual Service.

Next, enable logging of these extra headers on the IIS server.

In IIS 8.5 and later, custom logging fields can be added to record the X-SSL-Cipher and X-SSL-Protocol request headers. This is the same mechanism used to log a client's source IP address from the X-Forwarded-For header when transparency is not in use.

Navigate to the site that will use X-SSL-Cipher and X-SSL-Protocol logging, select Logging and click Open Feature.

[Screenshot: IIS_settings.png]

Click the Select Fields option.

[Screenshot: select_Fileds.png]

Click the Add Field option to add the Cipher header.

Configure the fields as indicated below:

Field Name: X-SSL-Cipher

Source type: Request Header

Source name: X-SSL-Cipher (the name must be spelled exactly as shown)

Click OK twice.

[Screenshot: X-SSL-Cipher.png]

Click the Add Field option again for the Protocol header.

Configure the fields as indicated below:

Field Name: X-SSL-Protocol

Source type: Request Header

Source name: X-SSL-Protocol (the name must be spelled exactly as shown)

Click OK twice.

[Screenshot: X-SSL-Protocol.png]

Click Apply in the top-right of the logging options page.

[Screenshot: apply_settings.png]

Now generate some log traffic by browsing to the Virtual Service and refreshing the page a few times.

Go to the location of the IIS log files and open the newly created log file.

The default location is C:\inetpub\logs\LogFiles\W3SVC1.

The log entries should now include the X-SSL-Cipher and X-SSL-Protocol values for the client requests.
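The point of logging these headers is to see which protocol versions and cipher suites clients actually negotiate, so that old cipher sets can be retired with evidence. The script below is an added example, not part of this Kemp article or of IIS: it parses an IIS W3C log that carries the two custom fields, counts the protocols and ciphers seen, and lists the requests that still use a protocol version slated for retirement. The sample log is constructed; it assumes IIS writes the configured Field Name (X-SSL-Cipher, X-SSL-Protocol) into the #Fields: line and logs "-" when a request did not carry the header, and the protocol strings (TLSv1, TLSv1.2, TLSv1.3) follow the TLSv1.2 example value from the table above.

```python
"""Summarise negotiated TLS protocol/cipher use from an IIS W3C log that
contains the X-SSL-Cipher and X-SSL-Protocol custom fields."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample log (not real IIS output). Field order and the custom
# field names are an assumption based on the Field Name configured in IIS.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2024-01-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status X-SSL-Cipher X-SSL-Protocol
2024-01-01 00:00:01 10.0.0.5 GET /index.html - 80 10.0.0.10 200 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2
2024-01-01 00:00:02 10.0.0.5 GET /app/ - 80 10.0.0.11 200 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2024-01-01 00:00:03 10.0.0.5 GET /legacy - 80 10.0.0.12 200 AES256-SHA TLSv1
2024-01-01 00:00:04 10.0.0.5 GET /health - 80 10.0.0.5 200 - -
2024-01-01 00:00:05 10.0.0.5 GET /index.html - 80 10.0.0.10 200 TLS_AES_256_GCM_SHA384 TLSv1.3
"""

# Protocol versions the operator intends to disable on the Virtual Service.
PROTOCOLS_TO_RETIRE = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into one dict per request.

    W3C logs are space separated and values never contain spaces (IIS
    encodes them), so a plain split is sufficient. Directive lines start
    with '#'; the '#Fields:' directive names the columns that follow.
    """
    fields = None
    records = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def summarize(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Count protocols and ciphers; requests without the headers are counted separately."""
    protocols: Counter = Counter()
    ciphers: Counter = Counter()
    without_headers = 0
    for rec in records:
        proto = rec.get("X-SSL-Protocol", "-")
        cipher = rec.get("X-SSL-Cipher", "-")
        if proto == "-" or cipher == "-":
            without_headers += 1
            continue
        protocols[proto] += 1
        ciphers[cipher] += 1
    return {"protocols": protocols, "ciphers": ciphers, "without_tls_headers": without_headers}


def legacy_requests(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (c-ip, protocol, cipher) for requests still using a protocol slated for retirement."""
    return [
        (rec["c-ip"], rec["X-SSL-Protocol"], rec["X-SSL-Cipher"])
        for rec in records
        if rec.get("X-SSL-Protocol") in PROTOCOLS_TO_RETIRE
    ]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG.splitlines())
    report = summarize(recs)
    print("Protocols:", dict(report["protocols"]))
    print("Ciphers:", dict(report["ciphers"]))
    print("Requests without X-SSL headers:", report["without_tls_headers"])
    for client, proto, cipher in legacy_requests(recs):
        print(f"legacy: {client} negotiated {proto} with {cipher}")
```

To run it against a real log, replace SAMPLE_LOG.splitlines() with the lines of a file from C:\inetpub\logs\LogFiles\W3SVC1. Two things to keep in mind when reading the counts: a "-" in both custom fields simply means the request arrived without the headers (for example traffic that did not pass through the SSL offloaded Virtual Service), and IIS records whatever value is present in the request header, so the fields are only meaningful for requests that actually reached the real server through the LoadMaster.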

Workaround:  
Notes:

Reference for X-Forwarded-For logging in IIS:

https://support.kemptechnologies.com/hc/en-us/articles/360002861712-Adding-The-X-Forwarded-For-Header-and-Configuring-IIS-Logging
