
When apache2 is serving https using mod_ssl, and running with 'LogLevel debug', it frequently logs lines like this, followed by a hex dump:

ssl_engine_io.c(1882): OpenSSL: read 518/518 bytes from BIO#81b3928 [mem: 81b93f5] (BIO dump follows)

The hex dumps contain nothing that is visually recognizable as plaintext, i.e., no HTTP headers or anything like that, and no obvious repetition from one session to the next.

Do these dumps contain anything sensitive that an adversary couldn't already obtain by sniffing my network traffic? If I'm just looking at a bunch of ciphertext, that's fine. But if I'm looking at private keys, or session keys, or any precursor to them such as data from RAND_bytes(), then I need to do something about my logging level.

dfranke
  • Can you offer your logging format so I can effectively attempt to answer this? And the version of Apache / mod_ssl? :D – Arenstar Nov 14 '10 at 18:53
  • I'll check the exact Apache and mod_ssl versions when I get back to work tomorrow, but Apache is 2.2.something. – dfranke Nov 15 '10 at 03:56
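The question can be settled by inspection rather than by asking around: the dumped bytes either parse as TLS records or they do not. The script below is an added example (not code from this thread or from the Apache project). It reassembles the rows that follow each "(BIO dump follows)" header into one byte stream per BIO and direction, then walks the TLS record layer over that stream: handshake messages before ChangeCipherSpec are decoded by type, everything after it (and all application_data) is reported as ciphertext, and a record whose body is shorter than its header claims is flagged as truncated. If an error_log excerpt parses cleanly this way, what was logged is the record layer as it crosses the wire, which a passive sniffer sees anyway. The log excerpt embedded in the script is constructed (timestamps, BIO addresses and the ssl_engine_io.c line numbers are made up; only the header wording follows the line quoted in the question), and the assumed row layout is that of mod_ssl's ssl_io_data_dump(): an offset field, up to 16 hex bytes with a '-' after the eighth, then an ASCII column; the "+----+" frame lines mod_ssl prints around a dump are omitted here and would be ignored by the parser. The ChangeCipherSpec rule is the TLS 1.0 to 1.2 one, which is what a 2010 Apache 2.2 server speaks.

```python
# Added example (not from the thread or from Apache): reassemble mod_ssl's
# "(BIO dump follows)" hex dumps from error_log and walk the TLS record layer
# over the bytes.  Assumed row layout is mod_ssl 2.2's ssl_io_data_dump():
# "| <offset>: <up to 16 hex bytes, '-' after the 8th>  <ascii> |".
import re

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello",
                   11: "certificate", 12: "server_key_exchange",
                   13: "certificate_request", 14: "server_hello_done",
                   15: "certificate_verify", 16: "client_key_exchange", 20: "finished"}

HEADER_RE = re.compile(r"OpenSSL: (?P<dir>read|write) (?P<got>\d+)/\d+ bytes "
                       r"(?:from|to) BIO#(?P<bio>[0-9a-fA-Fx]+)")
# Offset field, then 1..16 hex bytes split by ' ' or '-'; the ASCII column is ignored.
ROW_RE = re.compile(r"\| [0-9a-fA-F]{4}: ((?:[0-9a-fA-F]{2}(?:[ -]|$)){1,16})")

# Constructed sample (timestamps, BIO addresses and ssl_engine_io.c line numbers
# are made up).  Read side: a TLS 1.0 ClientHello arriving as a 5-byte record
# header read plus a 45-byte body read, the way OpenSSL's record layer reads.
# Write side: one application_data record whose payload is filler bytes
# standing in for ciphertext.  mod_ssl's "+----+" frame lines are left out.
SAMPLE_LOG = """\
[Sun Nov 14 18:53:00 2010] [debug] ssl_engine_io.c(1882): OpenSSL: read 5/5 bytes from BIO#81b3928 [mem: 81b93f5] (BIO dump follows)
[Sun Nov 14 18:53:00 2010] [debug] ssl_engine_io.c(1863): | 0000: 16 03 01 00 2d                                   ....-            |
[Sun Nov 14 18:53:00 2010] [debug] ssl_engine_io.c(1882): OpenSSL: read 45/45 bytes from BIO#81b3928 [mem: 81b93f5] (BIO dump follows)
[Sun Nov 14 18:53:00 2010] [debug] ssl_engine_io.c(1863): | 0000: 01 00 00 29 03 01 4c e0-36 3f 00 01 02 03 04 05  ...)..L.6?...... |
[Sun Nov 14 18:53:00 2010] [debug] ssl_engine_io.c(1863): | 0010: 06 07 08 09 0a 0b 0c 0d-0e 0f 10 11 12 13 14 15  ................ |
[Sun Nov 14 18:53:00 2010] [debug] ssl_engine_io.c(1863): | 0020: 16 17 18 19 1a 1b 00 00-02 00 2f 01 00           ........../..    |
[Sun Nov 14 18:53:00 2010] [debug] ssl_engine_io.c(1882): OpenSSL: write 37/37 bytes to BIO#81b3a10 [mem: 81b9400] (BIO dump follows)
[Sun Nov 14 18:53:00 2010] [debug] ssl_engine_io.c(1863): | 0000: 17 03 01 00 20 9a 3f 7c-b2 e1 05 4d 88 c3 1a 6e  .... .?|...M...n |
[Sun Nov 14 18:53:00 2010] [debug] ssl_engine_io.c(1863): | 0010: f0 52 77 0b 29 d4 8e 61-aa 37 c9 0e 55 13 b8 42  .Rw.)..a.7..U..B |
[Sun Nov 14 18:53:00 2010] [debug] ssl_engine_io.c(1863): | 0020: 6d 91 fe 2c 03                                   m..,.            |
"""


def parse_bio_dumps(log_text):
    """One dict per dump: direction, BIO id, byte count the header claims,
    and the bytes recovered from the rows that follow it."""
    events, current = [], None
    for line in log_text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            current = {"dir": m["dir"], "bio": m["bio"],
                       "stated": int(m["got"]), "data": bytearray()}
            events.append(current)
            continue
        m = ROW_RE.search(line)
        if m and current is not None:
            current["data"] += bytes.fromhex(m.group(1).replace("-", " "))
    return events


def reassemble_streams(events):
    """Concatenate dumps per (direction, BIO): a record header and its body
    arrive in separate reads, so one record may span two dumps."""
    streams = {}
    for ev in events:
        streams.setdefault((ev["dir"], ev["bio"]), bytearray()).extend(ev["data"])
    return {k: bytes(v) for k, v in streams.items()}


def parse_tls_records(stream):
    """Walk the record layer; return the records and the number of trailing
    bytes too short to form a record header."""
    records, pos, encrypted = [], 0, False
    while pos + 5 <= len(stream):
        ctype, vmaj, vmin = stream[pos], stream[pos + 1], stream[pos + 2]
        length = int.from_bytes(stream[pos + 3:pos + 5], "big")
        body = stream[pos + 5:pos + 5 + length]
        rec = {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
               "version": "%d.%d" % (vmaj, vmin), "length": length,
               "complete": len(body) == length,
               "looks_like_tls": vmaj == 3 and ctype in CONTENT_TYPES,
               # TLS <= 1.2: application_data is always protected, and every
               # record after a ChangeCipherSpec in this direction is too.
               "encrypted": encrypted or ctype == 23, "handshake": None}
        if ctype == 22 and not encrypted and body:
            rec["handshake"] = HANDSHAKE_TYPES.get(body[0], "unknown(%d)" % body[0])
        encrypted = encrypted or ctype == 20
        records.append(rec)
        pos += 5 + length
    return records, max(0, len(stream) - pos)


def analyze(log_text):
    events = parse_bio_dumps(log_text)
    return {"events": len(events),
            # a dump shorter than its header claims means rows were lost or garbled
            "length_mismatches": sum(len(e["data"]) != e["stated"] for e in events),
            "streams": {k: dict(zip(("records", "leftover"), parse_tls_records(v)))
                        for k, v in reassemble_streams(events).items()}}


if __name__ == "__main__":
    res = analyze(SAMPLE_LOG)
    print("%d dumps, %d length mismatches" % (res["events"], res["length_mismatches"]))
    for (direction, bio), info in res["streams"].items():
        for r in info["records"]:
            what = r["handshake"] or ("ciphertext" if r["encrypted"] else "cleartext")
            print("%-5s BIO#%s %s (record version %s, %d bytes%s): %s" % (
                direction, bio, r["type"], r["version"], r["length"],
                "" if r["complete"] else ", truncated", what))
```

Run it against a real excerpt by replacing SAMPLE_LOG with the contents of error_log (or piping the file into analyze()). On the sample it reports one cleartext client_hello on the read side and one application_data record on the write side, which is the expected shape: the handshake is readable but public, the payload is ciphertext. The check covers only the BIO dumps; whether other messages emitted at LogLevel debug are sensitive is a separate question that this script does not answer.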

1 Answer


Some information:

For security reasons, starting with version 2.0.46, non-printable and other special characters in %r, %i and %o are escaped using \xhh sequences, where hh stands for the hexadecimal representation of the raw byte.

In versions prior to 2.0.46, no escaping was performed on these strings so you had to be quite careful when dealing with raw log files.

Update: I talked with an Apache developer; he assured me that the hex is a one-way encryption by design. So logging this to disk is probably just a waste of space :D

Hope this helps.

Arenstar
  • Thanks, that's encouraging. But what do you mean by "one way encryption"? Does that mean that it's outputting ciphertext encrypted using a session key, but not outputting the session key? Can you pastebin your chat with the Apache dev? – dfranke Nov 15 '10 at 03:55
  • "One-way encryption" were his words. Unfortunately, I don't have the chat to pastebin. However, basically, I did a little reading regarding security (and found my first two paragraphs; I checked Apache and mod_ssl mainly, including other posts etc. I also went through the history of bugs present and fixed for an exploit on logs). Finally I went to the IRC channel #httpd on Freenode and spoke to a guy moderating the channel who develops for Apache. I would suggest, for extreme details about how the hex conversion works, go there (or read the source). Unfortunately I'm not exactly sure how it's done. – Arenstar Nov 15 '10 at 07:03