RE: SSL Cipher stats

2016-03-25 Thread Stefan Johansson
Thanks for your suggestion, sorry for the late reply.

I gave it some thought and we decided to simply just shut SSLv3 and RC4 off 
completely right away.
We were going to use the stats to check how much traffic would be lost, but we 
managed to get browser statistics elsewhere, which pointed to less than 1% 
(Windows XP etc).

So basically there's no reason to run those any longer.

Cheers.


-Original Message-
From: Chad Lavoie [mailto:clav...@haproxy.com] 
Sent: Tuesday, March 8, 2016 9:45 PM
To: haproxy@formilux.org
Cc: Jeff Palmer <j...@palmerit.net>; Stefan Johansson 
<stefan.johans...@adtoma.com>
Subject: Re: SSL Cipher stats

Greetings,

On 03/08/2016 11:20 AM, Jeff Palmer wrote:
> I too would be interested in this.
>
> extra points if the info could be gathered for individual backends or 
> frontends.
I didn't explicitly mention it, but my example config tracks by frontend id in 
the stick table (id was 7 in my example).  If in "tcp-request content track-sc0 
fe_id() table sslv3-count if { ssl_fc }" fe_id is changed with be_id then it 
will track based on the backend instead.

To translate the ids to names, looking at the iid field of "show stat" 
(to the socket, as the show table is done to get the stats) will identify the 
one in question.

Also, I neglected to mention if you have nbproc >1 it won't add up the values, 
so if it's important to have all of the requests processed adding them up via a 
shell script should be able to do that.

- Chad
>
> On Tue, Mar 8, 2016 at 11:18 AM, Stefan Johansson 
> <stefan.johans...@adtoma.com> wrote:
>> Hi,
>>
>> Is it possible somehow to extract statistics on cipher used (total 
>> SSLv3, total RC4 etc.) without necessarily turning on connection 
>> logging and extract the data from there?
>>
>> Thank you.
>>
>> Regards,
>>
>> Stefan



Re: SSL Cipher stats

2016-03-08 Thread Chad Lavoie

Greetings,

On 03/08/2016 11:20 AM, Jeff Palmer wrote:
> I too would be interested in this.
>
> extra points if the info could be gathered for individual backends or frontends.
I didn't explicitly mention it, but my example config tracks by frontend 
id in the stick table (id was 7 in my example).  If in "tcp-request 
content track-sc0 fe_id() table sslv3-count if { ssl_fc }" fe_id is 
changed with be_id then it will track based on the backend instead.


To translate the ids to names, looking at the iid field of "show stat" 
(to the socket, as the show table is done to get the stats) will identify 
the one in question.


Also, I neglected to mention if you have nbproc >1 it won't add up the 
values, so if it's important to have all of the requests processed adding 
them up via a shell script should be able to do that.


- Chad




On Tue, Mar 8, 2016 at 11:18 AM, Stefan Johansson wrote:
> Hi,
>
> Is it possible somehow to extract statistics on cipher used (total SSLv3,
> total RC4 etc.) without necessarily turning on connection logging and
> extract the data from there?
>
> Thank you.
>
> Regards,
>
> Stefan
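The two follow-ups above (summing the table across processes when nbproc >1, and translating the key back to a frontend name via the iid field of "show stat") as an added example; this is not code from the thread or from HAProxy. It works on captured text rather than talking to the sockets: the "show table" and "show stat" samples are constructed here, assuming nbproc 2 and a shortened stat CSV with the real header format, and in practice each capture would come from `echo "show table sslv3-count" | socat stdio <that process's socket>`.

```python
import csv
import io

# Constructed sample captures of "show table sslv3-count", one per process: with nbproc 2
# each process keeps its own copy of the table, so the counters have to be summed.
SHOW_TABLE_PER_PROCESS = [
    """# table: sslv3-count, type: integer, size:10, used:2
0x273e69c: key=7 use=0 exp=86398154 gpc0=1 gpc0_rate(8640)=1 http_req_rate(8640)=12
0x273e7a0: key=9 use=0 exp=86398154 gpc0=0 gpc0_rate(8640)=0 http_req_rate(8640)=3
""",
    """# table: sslv3-count, type: integer, size:10, used:1
0x1f2a3b4: key=7 use=0 exp=86398154 gpc0=2 gpc0_rate(8640)=2 http_req_rate(8640)=8
""",
]

# Constructed, shortened "show stat" CSV: the table key is the frontend id, i.e. the iid of the FRONTEND row.
SHOW_STAT = """# pxname,svname,qcur,qmax,pid,iid,sid,type,
www-ssl,FRONTEND,0,0,1,7,0,0,
api-ssl,FRONTEND,0,0,1,9,0,0,
app,BACKEND,0,0,1,8,0,1,
"""


def parse_show_table(text):
    """Return {key: {"gpc0": n, "http_req_rate": n}} for one process's table dump."""
    rows = {}
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # "# table: ..." header or blank line; entries start with their address
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        rate_key = next(k for k in fields if k.startswith("http_req_rate"))  # e.g. http_req_rate(8640)
        rows[int(fields["key"])] = {"gpc0": int(fields["gpc0"]), "http_req_rate": int(fields[rate_key])}
    return rows


def frontend_names(stat_csv):
    """Map iid -> frontend name, locating columns by the CSV header instead of by position."""
    reader = csv.DictReader(io.StringIO(stat_csv.lstrip("# ")))
    return {int(r["iid"]): r["pxname"] for r in reader if r["svname"] == "FRONTEND"}


def totals(tables, names):
    """Sum gpc0 (SSLv3 requests) and http_req_rate (all SSL requests) per frontend across processes."""
    sums = {}
    for table in tables:
        for key, c in parse_show_table(table).items():
            acc = sums.setdefault(key, {"gpc0": 0, "http_req_rate": 0})
            acc["gpc0"] += c["gpc0"]
            acc["http_req_rate"] += c["http_req_rate"]
    return {names.get(k, "iid %d" % k): v for k, v in sums.items()}
```

Feed `totals` one capture per process and the output of `frontend_names` on a single "show stat" dump; the result is keyed by frontend name, with unknown ids reported as "iid N".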








Re: SSL Cipher stats

2016-03-08 Thread Chad Lavoie

Greetings,

To do it without logging the only other ways I can think of to get it 
out of HAProxy will either be headers to the backends for logging there, 
or doing it via stick tables (or sending the stick table stats via a 
header to the backend for logging).


To cover the stick table option as it sounds most like what you seek, 
try the following to check for sslv3:


backend sslv3-count
    stick-table type integer size 10 expire 24h store http_req_rate(24h),gpc0,gpc0_rate(24h)

# the rules below go in the frontend that terminates SSL; the backend above only holds the table
    # ACL the http-request rule refers to: ssl_fc_protocol is the negotiated protocol version
    acl sslv3 ssl_fc_protocol SSLv3

    tcp-request inspect-delay 10s
    tcp-request content track-sc0 fe_id() table sslv3-count if { ssl_fc }

    # sc_inc_gpc0(0) is only reached when "sslv3" matches, so gpc0 counts SSLv3 requests
    http-request allow if sslv3 { sc_inc_gpc0(0) }

Then to look at the values:
user@server$ echo "show table sslv3-count" | socat stdio /var/run/haproxy.sock

# table: sslv3-count, type: integer, size:10, used:1
0x273e69c: key=7 use=0 exp=86398154 gpc0=0 gpc0_rate(8640)=0 http_req_rate(8640)=2


In this case there have been two requests using SSL in the last 24 
hours, none of which have used SSLv3.


I've not really tested this, more just wrote up a quick configuration 
for the concept, so if it doesn't work let me know and I can use openssl 
to actually try an sslv3 configuration.


Various other SSL values can be tracked by increasing the sc0 and adding 
another backend for it; the SSL related variables can be found at 
https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.4. If 
you're looking for something that you can't see a way to craft let me know 
and I can provide more details.


As a side note SSLv3 isn't really considered secure any longer, but 
using the above to keep track of its use is a good step towards 
removing/restricting it.


- Chad

On 03/08/2016 11:18 AM, Stefan Johansson wrote:
> Hi,
>
> Is it possible somehow to extract statistics on cipher used (total 
> SSLv3, total RC4 etc.) without necessarily turning on connection 
> logging and extract the data from there?
>
> Thank you.
>
> Regards,
>
> Stefan





Re: SSL Cipher stats

2016-03-08 Thread Jeff Palmer
I too would be interested in this.

extra points if the info could be gathered for individual backends or frontends.



On Tue, Mar 8, 2016 at 11:18 AM, Stefan Johansson wrote:
> Hi,
>
> Is it possible somehow to extract statistics on cipher used (total SSLv3,
> total RC4 etc.) without necessarily turning on connection logging and
> extract the data from there?
>
> Thank you.
>
> Regards,
>
> Stefan



-- 
Jeff Palmer
https://PalmerIT.net