How can I let nginx log the used SSL/TLS protocol and ciphersuite?
My goal is to ensure proper security for clients connecting to my nginx. I'm following Mozilla's guide to configure TLS properly on my nginx installation, but I don't have an overview of the actual protocols/ciphersuites being used in practice.
What I have now:
    server {
        listen 443;
        ssl on;
        ssl_certificate /path/to/signed_cert_plus_intermediates;
        ssl_certificate_key /path/to/private_key;
        ssl_dhparam /path/to/dhparam.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'the_long_ciphersuite_listed_there';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;
    }
With this, I'd like to log which SSL protocol was used for a connection and what ciphersuite was chosen after the client/server negotiated. E.g.:
10.1.2.3 - - [13/Aug/2014:12:34:56 +0200] "GET / HTTP/1.1" 200 1234 "-" "User agent bla"
to
10.1.2.3 - - [13/Aug/2014:12:34:56 +0200] ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 "GET / HTTP/1.1" 200 1234 "-" "User agent bla"
This way I can quickly identify clients which are using outdated browsers or automated machines which do not support PFS or other relevant security enabling technologies.
How do I configure nginx to log this information?
Add $ssl_cipher to your log_format configuration.
Refer to http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables for all SSL-related variables.
Example
Define a custom log_format in the http context (e.g. /etc/nginx/nginx.conf):
    log_format combined_ssl '$remote_addr - $remote_user [$time_local] '
                            '$ssl_protocol/$ssl_cipher '
                            '"$request" $status $body_bytes_sent '
                            '"$http_referer" "$http_user_agent"';
The above is based on the default combined format with an additional '$ssl_protocol/$ssl_cipher ' line.
Then add in a server context (with SSL enabled) the access_log directive with the custom log format:
    server {
        listen 443;
        ssl on;
        access_log /var/log/nginx/access.log combined_ssl;
        [...]
    }
After restarting nginx, logs appear like:
10.1.2.3 - - [13/Aug/2014:12:34:56 +0200] TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 200 1234 "-" "User agent bla"
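As an added example (not part of the question or the answer above), here is a small Python script that reads lines written in the combined_ssl format from the answer and does what the asker wanted the log for: it counts the negotiated protocol/cipher pairs and flags clients that used an outdated protocol or a cipher without forward secrecy. The sample log lines are constructed for this example. The classification rules are assumptions of this script, not anything nginx provides: protocols in OUTDATED_PROTOCOLS are treated as outdated, and a cipher is treated as forward secret when its OpenSSL name starts with ECDHE- or DHE-, or with TLS_ (the TLS 1.3 suite names, which go beyond what the page discusses). It also handles the case the answer's wording hints at: if the format is used on a server block without SSL, $ssl_protocol and $ssl_cipher are empty and the field is logged as a bare "/".

```python
import re
from collections import Counter

# Regex for the combined_ssl format from the answer above. $ssl_protocol and
# $ssl_cipher are empty on plain-HTTP vhosts, so both groups may match "".
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'(?P<proto>[^/ ]*)/(?P<cipher>\S*) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed policy for this example: what counts as outdated / non-PFS.
OUTDATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")  # TLS_* are the TLS 1.3 suites, always (EC)DHE

# Constructed sample log, in the combined_ssl format; one line is deliberately malformed.
SAMPLE_LOG = """\
10.1.2.3 - - [13/Aug/2014:12:34:56 +0200] TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 200 1234 "-" "User agent bla"
10.1.2.4 - - [13/Aug/2014:12:35:01 +0200] TLSv1/AES128-SHA "GET /login HTTP/1.1" 200 512 "-" "Old browser"
10.1.2.5 - bob [13/Aug/2014:12:35:07 +0200] TLSv1.2/AES256-GCM-SHA384 "POST /api HTTP/1.1" 201 0 "-" "some-bot/1.0"
10.1.2.6 - - [13/Aug/2014:12:35:09 +0200] / "GET /health HTTP/1.1" 200 2 "-" "curl/7.37.0"
this line is not in the expected format
"""


def parse_line(line):
    """Parse one combined_ssl line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def has_forward_secrecy(cipher):
    """Assumed rule: (EC)DHE key exchange or a TLS 1.3 suite means forward secrecy."""
    return cipher.startswith(PFS_PREFIXES)


def assess(entry):
    """Return the list of findings for one parsed entry (empty list = fine)."""
    if not entry["proto"]:
        # Empty $ssl_protocol: the format was used on a non-SSL server block.
        return ["plaintext"]
    findings = []
    if entry["proto"] in OUTDATED_PROTOCOLS:
        findings.append("outdated-protocol")
    if not has_forward_secrecy(entry["cipher"]):
        findings.append("no-pfs")
    return findings


def summarize(lines):
    """Count (protocol, cipher) pairs and map each flagged client address to its findings."""
    counts = Counter()
    flagged = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not in the combined_ssl format
        counts[(entry["proto"], entry["cipher"])] += 1
        findings = assess(entry)
        if findings:
            flagged.setdefault(entry["addr"], set()).update(findings)
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG.splitlines())
    print("Negotiated protocol/cipher pairs:")
    for (proto, cipher), n in counts.most_common():
        print(f"  {n:5d}  {proto or '(none)'}/{cipher or '(none)'}")
    print("Clients with findings:")
    for addr, findings in sorted(flagged.items()):
        print(f"  {addr}: {', '.join(sorted(findings))}")
```

To run it against a real log, replace SAMPLE_LOG.splitlines() with the lines of /var/log/nginx/access.log (or whichever path the access_log directive names). Keying the findings by client address is what lets you go back and look at the user agent of, say, the one host still negotiating TLSv1 with a non-PFS suite.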