Bryan K. Walton wrote: > Is it possible to log the negotiated ciphers used between a client and > our 389ds server? I've played around with different logging levels and > none seem to show the agreed upon set of ciphers used for each > connection. The reason we would like to log this, if possible, is > because we would like to prevent the use of some ciphers, but would like > to know which clients might be using those ciphers. > > Our 389ds version is 1.2.2.
389-ds is unaware of that negotiation so wouldn't be able to log it. It only gets the negotiated cipher and does log that. If you want to prevent the user of some ciphers then why not disable them in configuration? It won't solve the goal of "what clients are using disallowed ciphers" but it will protect your server. And I suppose the clients may end up screaming about being unable to connect so perhaps they will out themselves. That said, a line analyzer would be able to do this, you'd just have to sift through all the connection logs. I don't know what sort of performance impact this would have, how huge the logs would be or how difficult it would be to find what you want in it. There are also SSL proxies that can decode parts of the handshake which can display the cipher list, like ssltap, but it would require you to change the listening port of 389-ds so that the proxy can own 389/636. rob _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
