I am hosting a site that allows users to connect with either HTTP or HTTPS. The default Apache configuration generates a separate log file for requests made through HTTPS with two additional pieces of information, namely protocol (e.g. TLSv1) and cipher (e.g. DHE-RSA-CAMELLIA256-SHA). I was wondering about the benefit of logging these two extra pieces of information, or whether I should just merge it with the access log without these two columns for ease of troubleshooting.
- It is better to keep them separate so that you will have a clear record of logs. Some day if you face some issue with all https URLs, then it will be easy for you to find out what is happening. – Suku Jan 03 '13 at 13:37
- @Suku, can you elaborate the potential issues that would require information on protocol and cipher? – Question Overflow Jan 03 '13 at 13:39
- http://blog.techstacks.com/2009/07/bigip-logging-ssl-version-and-cipher.html. It is information about the connection which a user makes. – Suku Jan 03 '13 at 13:56
1 Answer
For maximum compatibility with browsers, Apache will let a wide variety of HTTPS protocols and ciphers be used.
However, if you want to ensure good security with your HTTPS traffic, you will want to disable some of those protocols (e.g. SSLv2) and ciphers (e.g. RC2-CBC-MD5). Especially over time as some protocols/ciphers have more and more workable attacks mounted against them. Browsers will typically connect with a stronger protocol/cipher if they can, and that protocol/cipher will show up in your logs.
The potential problem is, if you disable those less-secure protocols/ciphers, AND the browsers of your userbase don't support the protocols/ciphers you do allow, then some of the people browsing your site (with an old PC or mobile phone) may no longer be able to get an HTTPS connection at all! Particularly if, like Google or other sites, you force people to use only HTTPS for security reasons (e.g. to secure session cookies against wireless sniffing), this can be an issue.
How would you know if it was safe or mostly-safe to disable them; how could you gauge that business risk? Well, if you logged the actual ciphers used by your userbase, you could see easily if your customers were impacted or what percentage of traffic would be impacted by removing access to those protocols/ciphers. Or at least get a good approximation of that impact. Browsers will typically connect with a stronger protocol/cipher if they can, and that protocol/cipher will show up in your logs.
(There are also subtler reasons like making sure your server is using the protocol/cipher you think it is, and for forensic reasons if there is some MITM SSL downgrading attack.)
I don't have a strong opinion about keeping the logs merged or separate, but by logging things separately, you can have a small log that focuses purely on allowing that analysis rather than bogging down your main large log with it. And it might rotate at a different frequency, etc.
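As an added illustration of the impact analysis the answer describes (this is not code from the question, the answerer, or the Apache project): a Python script that parses lines in Apache's default ssl_request_log format, assumed here to be `%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b`, and reports what share of requests and which client addresses would be refused if a given set of protocols or ciphers were disabled. The log lines are constructed samples, not from a real server.

```python
import re
from collections import Counter

# Apache's default ssl_request_log format (from httpd-ssl.conf):
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<bytes>\S+)$'
)

# Constructed sample lines; addresses, requests and sizes are made up.
SAMPLE_LOG = """\
[03/Jan/2013:13:37:01 +0000] 192.0.2.10 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET / HTTP/1.1" 5120
[03/Jan/2013:13:37:02 +0000] 192.0.2.11 SSLv2 RC2-CBC-MD5 "GET / HTTP/1.0" 5120
[03/Jan/2013:13:37:03 +0000] 192.0.2.12 SSLv3 RC4-SHA "GET /login HTTP/1.1" 812
[03/Jan/2013:13:37:04 +0000] 192.0.2.10 TLSv1 DHE-RSA-CAMELLIA256-SHA "POST /login HTTP/1.1" 211
[03/Jan/2013:13:37:05 +0000] 192.0.2.11 SSLv2 RC2-CBC-MD5 "GET /img.png HTTP/1.0" 9001
"""

def parse(lines):
    """Yield (host, protocol, cipher) for each well-formed ssl_request_log line."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:  # skip truncated or foreign lines instead of failing on them
            yield m.group("host"), m.group("proto"), m.group("cipher")

def impact(lines, disabled_protocols=(), disabled_ciphers=()):
    """Count per-protocol/cipher usage and estimate what disabling some would refuse."""
    protos, ciphers, affected_hosts = Counter(), Counter(), set()
    total = hit = 0
    for host, proto, cipher in parse(lines):
        total += 1
        protos[proto] += 1
        ciphers[cipher] += 1
        if proto in disabled_protocols or cipher in disabled_ciphers:
            hit += 1
            affected_hosts.add(host)
    return {
        "total": total,
        "by_protocol": dict(protos),
        "by_cipher": dict(ciphers),
        "affected_requests": hit,
        "affected_share": hit / total if total else 0.0,
        "affected_hosts": sorted(affected_hosts),
    }

if __name__ == "__main__":
    # Example: what would disabling SSLv2 and the RC4-SHA cipher have cost?
    print(impact(SAMPLE_LOG.splitlines(), {"SSLv2"}, {"RC4-SHA"}))
```

Run it against a real ssl_request_log by passing the file's lines to `impact` instead of `SAMPLE_LOG`; the `by_protocol` and `by_cipher` counts also confirm the server is negotiating what you think it is.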