Logging TLS versions for TTLS/EAP
Hi! To gather a deeper insight in what TLS versions are used by clients in our wireless network, I want to log what MAC address uses what TLS version (and maybe cipher algorithm, but that is secondary) during the PEAP or TTLS handshake. I guess a simple linelog would be sufficient for that task, but, I must confess, I am a bit lost on what attributes to use for the TLS version part, if there even *is* a way to log this information. I'd appreciate a little push in the right direction. Grüße, Sven.
On Aug 12, 2017, at 2:56 PM, Sven Hartge <sven@svenhartge.de> wrote:
To gather a deeper insight in what TLS versions are used by clients in our wireless network, I want to log what MAC address uses what TLS version (and maybe cipher algorithm, but that is secondary) during the PEAP or TTLS handshake.
I guess a simple linelog would be sufficient for that task, but, I must confess, I am a bit lost on what attributes to use for the TLS version part, if there even *is* a way to log this information.
It's available in src/main/tls.c, see tls_session_information(). But it's not available as an attribute. Alan DeKok.
On 12.08.2017 18:43, Alan DeKok wrote:
On Aug 12, 2017, at 2:56 PM, Sven Hartge <sven@svenhartge.de> wrote:
To gather a deeper insight in what TLS versions are used by clients in our wireless network, I want to log what MAC address uses what TLS version (and maybe cipher algorithm, but that is secondary) during the PEAP or TTLS handshake.
I guess a simple linelog would be sufficient for that task, but, I must confess, I am a bit lost on what attributes to use for the TLS version part, if there even *is* a way to log this information.
It's available in src/main/tls.c, see tls_session_information(). But it's not available as an attribute.
I see, str_version is the interesting part. But my C-fu is too weak, I couldn't even start to create a patch to put this into an attribute for later consumption via unlang. And running the production servers in debug mode is also not really feasible. So this is a dead end for me, isn't it? Grüße, Sven.
participants (2)
-
Alan DeKok -
Sven Hartge