RE: SSL Cipher stats
Thanks for your suggestion, sorry for the late reply. I gave it some thought and we decided to simply just shut SSLv3 and RC4 off completely right away. We were going to use the stats to check how much traffic would be lost, but we managed to get browser statistics elsewhere, which pointed to less than 1% (Windows XP etc). So basically there's no reason to run those any longer.

Cheers.

-Original Message-
From: Chad Lavoie [mailto:clav...@haproxy.com]
Sent: Tuesday, March 8, 2016 9:45 PM
To: haproxy@formilux.org
Cc: Jeff Palmer ; Stefan Johansson
Subject: Re: SSL Cipher stats

Greetings,

On 03/08/2016 11:20 AM, Jeff Palmer wrote:
> I too would be interested in this.
>
> extra points if the info could be gathered for individual backends or
> frontends.

I didn't explicitly mention it, but my example config tracks by frontend id in the stick table (id was 7 in my example). If in "tcp-request content track-sc0 fe_id() table sslv3-count if { ssl_fc }" fe_id is changed to be_id then it will track based on the backend instead. To translate the ids to names, looking at the iid field of "show stat" (sent to the socket the same way "show table" is to get the stats) will identify the one in question.

Also, I neglected to mention that if you have nbproc >1 it won't add up the values, so if it's important to have all of the requests processed, adding them up via a shell script should be able to do that.

- Chad

> On Tue, Mar 8, 2016 at 11:18 AM, Stefan Johansson wrote:
>> Hi,
>>
>> is it possible somehow to extract statistics on cipher used (total
>> SSLv3, total RC4 etc.) without necessarily turning on connection
>> logging and extract the data from there?
>>
>> Thank you.
>>
>> Regards,
>>
>> Stefan
Re: SSL Cipher stats
Greetings,

On 03/08/2016 11:20 AM, Jeff Palmer wrote:
> I too would be interested in this.
>
> extra points if the info could be gathered for individual backends or
> frontends.

I didn't explicitly mention it, but my example config tracks by frontend id in the stick table (id was 7 in my example). If in "tcp-request content track-sc0 fe_id() table sslv3-count if { ssl_fc }" fe_id is changed to be_id then it will track based on the backend instead. To translate the ids to names, looking at the iid field of "show stat" (sent to the socket the same way "show table" is to get the stats) will identify the one in question.

Also, I neglected to mention that if you have nbproc >1 it won't add up the values, so if it's important to have all of the requests processed, adding them up via a shell script should be able to do that.

- Chad

On Tue, Mar 8, 2016 at 11:18 AM, Stefan Johansson wrote:
> Hi,
>
> is it possible somehow to extract statistics on cipher used (total
> SSLv3, total RC4 etc.) without necessarily turning on connection
> logging and extract the data from there?
>
> Thank you.
>
> Regards,
>
> Stefan
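Chad's two follow-up points, that with nbproc >1 each process keeps its own copy of the stick table so the values have to be added up, and that the iid column of "show stat" maps the key back to a frontend name, as an added example that is not from the thread: a POSIX sh script that sums one counter for one key across several "show table" dumps and resolves the id by name from "show stat". The socket outputs embedded below are constructed samples, and the frontend names www-ssl and api-ssl and the per-process socket path are assumptions.

```shell
#!/bin/sh
# Constructed "show table sslv3-count" dumps from two worker processes (nbproc 2);
# live, each comes from that process's own stats socket, e.g. (assumed path):
#   echo "show table sslv3-count" | socat stdio /var/run/haproxy-1.sock
TABLE_PROC1='# table: sslv3-count, type: integer, size:10, used:2
0x273e69c: key=7 use=0 exp=86398154 gpc0=3 gpc0_rate(8640)=1 http_req_rate(8640)=42
0x273e7a0: key=9 use=0 exp=86398154 gpc0=0 gpc0_rate(8640)=0 http_req_rate(8640)=5'
TABLE_PROC2='# table: sslv3-count, type: integer, size:10, used:1
0x1ab2c40: key=7 use=0 exp=86391000 gpc0=2 gpc0_rate(8640)=0 http_req_rate(8640)=17'

# Constructed "show stat" CSV cut down to a few columns; the real header is far
# longer, which is why the iid column is located by name below, not by position.
STAT_CSV='# pxname,svname,qcur,iid,sid,
www-ssl,FRONTEND,0,7,0,
api-ssl,FRONTEND,0,9,0,
app,BACKEND,0,3,0,'

# sum_counter COUNTER KEY: add COUNTER (gpc0, http_req_rate(8640), ...) for the
# stick-table entry KEY over every "show table" dump fed on stdin.
sum_counter() {
    awk -v want="$1" -v key="$2" '
        /^#/ { next }                       # "# table: ..." header line
        {
            k = ""; v = ""
            for (i = 2; i <= NF; i++) {     # field 1 is the entry address
                split($i, kv, "=")
                if (kv[1] == "key") k = kv[2]
                if (kv[1] == want) v = kv[2]   # exact name, so gpc0 != gpc0_rate(...)
            }
            if (k == key && v != "") total += v
        }
        END { print total + 0 }'
}

# frontend_name ID: resolve a fe_id to its frontend name from "show stat" CSV on stdin.
frontend_name() {
    awk -F, -v id="$1" '
        NR == 1 { sub(/^# /, ""); for (i = 1; i <= NF; i++) if ($i == "iid") col = i; next }
        col && $2 == "FRONTEND" && $col == id { print $1; exit }'
}

# report ID: SSLv3 hits (gpc0) versus all SSL requests in the last 24h, both processes added up.
report() {
    name=$(printf '%s\n' "$STAT_CSV" | frontend_name "$1")
    sslv3=$(printf '%s\n%s\n' "$TABLE_PROC1" "$TABLE_PROC2" | sum_counter gpc0 "$1")
    total=$(printf '%s\n%s\n' "$TABLE_PROC1" "$TABLE_PROC2" | sum_counter 'http_req_rate(8640)' "$1")
    printf '%s (fe_id %s): %s SSLv3 of %s SSL requests in the last 24h\n' "$name" "$1" "$sslv3" "$total"
}

report 7   # www-ssl (fe_id 7): 5 SSLv3 of 59 SSL requests in the last 24h
```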
Re: SSL Cipher stats
Greetings,

To do it without logging the only other ways I can think of to get it out of HAProxy will either be headers to the backends for logging there, or doing it via stick tables (or sending the stick table stats via a header to the backend for logging).

To cover the stick table option as it sounds most like what you seek, try the following to check for sslv3:

    backend sslv3-count
        stick-table type integer size 10 expire 24h store http_req_rate(24h),gpc0,gpc0_rate(24h)
        # acl used by the http-request rule below; ssl_fc_protocol is the negotiated protocol name
        acl sslv3 ssl_fc_protocol SSLv3
        tcp-request inspect-delay 10s
        tcp-request content track-sc0 fe_id() table sslv3-count if { ssl_fc }
        http-request allow if sslv3 { sc_inc_gpc0(0) }

Then to look at the values:

    user@server$ echo "show table sslv3-count" | socat stdio /var/run/haproxy.sock
    # table: sslv3-count, type: integer, size:10, used:1
    0x273e69c: key=7 use=0 exp=86398154 gpc0=0 gpc0_rate(8640)=0 http_req_rate(8640)=2

In this case there have been two requests using SSL in the last 24 hours, none of which have used SSLv3.

I've not really tested this, more just wrote up a quick configuration for the concept, so if it doesn't work let me know and I can use openssl to actually try an sslv3 configuration. Various other SSL values can be tracked by increasing the sc0 and adding another backend for it; the SSL related variables can be found at https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.4. If you're looking for something that you can't see a way to craft let me know and I can provide more details.

As a side note SSLv3 isn't really considered secure any longer, but using the above to keep track of its use is a good step towards removing/restricting it.

- Chad

On 03/08/2016 11:18 AM, Stefan Johansson wrote:
> Hi,
>
> is it possible somehow to extract statistics on cipher used (total
> SSLv3, total RC4 etc.) without necessarily turning on connection
> logging and extract the data from there?
>
> Thank you.
>
> Regards,
>
> Stefan
Re: SSL Cipher stats
I too would be interested in this.

extra points if the info could be gathered for individual backends or frontends.

On Tue, Mar 8, 2016 at 11:18 AM, Stefan Johansson wrote:
> Hi,
>
> is it possible somehow to extract statistics on cipher used (total SSLv3,
> total RC4 etc.) without necessarily turning on connection logging and
> extract the data from there?
>
> Thank you.
>
> Regards,
>
> Stefan

--
Jeff Palmer
https://PalmerIT.net
SSL Cipher stats
Hi,

is it possible somehow to extract statistics on cipher used (total SSLv3, total RC4 etc.) without necessarily turning on connection logging and extract the data from there?

Thank you.

Regards,

Stefan