How can I log the negotiated SSL Cipher in Windows 2008 R2

Question

I have a web server running IIS 7.0, on Windows Server 2008 R2. The web application is written in C# .Net 4.0. The web application receives web requests, and sometimes makes outbound https requests to other services.

I want to log the SSL cipher negotiated for each web request received by my web server. I also want to log the SSL cipher negotiated for each web request initiated by my web server.

This question looks similar to mine, but doesn't have a good answer.

SSL negotiation logging in IIS

I've found these references here: http://msdn.microsoft.com/en-gb/library/windows/desktop/bb648705(v=vs.85).aspx

Am I warm? Is this the right approach?

score 5 · Accepted Answer · answered Nov 14 '14 at 17:14

5

Schannel event logging should get you some log information. This will log to the Event Log, however, so you'll need to find some manual way to correlate it with your IIS logs.

An Schannel event 36880 will be generated upon each successful negotiation. Correlating them to IIS logs is going to be a bit of a pain, to be sure, but I think this is just about the only feasible way to do it (given that Schannel doesn't really pass this information back down to IIS).

You'll get a process ID and thread ID, so you may be able to log the APP_POOL_ID server variable to get a PID to use in correlation.

answered Nov 14 '14 at 17:14

Evan Anderson

141,881
20
196
331

@But where can I find these logs to read? What is the location of this log files? – None Feb 19 '18 at 12:06
2

Schannel will log into the System Event Log, per the linked Microsoft article. – Evan Anderson Feb 21 '18 at 06:27

How can I log the negotiated SSL Cipher in Windows 2008 R2

1 Answers1