Recently in the news was an announcement that the PCI standards in the UK will outlaw the use of TLS1.0.

Unfortunately, this means that we're going to have to stop using TLS1.0 on our web servers for ecommerce by summer next year.

We want to know for sure what percentage of our users are connecting to the site using TLS1.0 in order to determine the impact of this and what our response needs to be.

Is there a module or something for Apache that will allow us to do this? Can I just use the normal logging stuff?

The site has a lot of traffic, so logging SSL stuff on a debug level may quickly fill our hard disks...

John Hunt

1 Answer

CustomLog can be used with the following env variables: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#envvars

Examples just below that in the next section: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#logformats

 CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Barry Pollard
  • The cited code comes from the official Apache site but seems to contain a typo: the backslash (\) after logs/ssl_request_log causes an AH00526: Syntax error on line x of /etc/apache2/sites-enabled/ssl.conf: error in condition clause. Removing that backslash solves the problem. – Cie6ohpa Jul 04 '19 at 08:30
  • You are correct. Looking at the raw HTML this is supposed to be over two lines (hence backslash needed to escape the newline characters - https://serverfault.com/questions/752176/break-up-a-long-line-in-a-htaccess-file/752185). However without an explicit formatting in HTML it collapses them into one line which is wrong as you say. Fixed in above and will ping an email to the Apache team to let them know. – Barry Pollard Jul 04 '19 at 08:38
  • Actually looks like it's been corrected in 2.4 documentation. Not sure why I referred to the older, unsupported, 2.2 documentation, but have updated it now in my answer. Thanks again for noticing. – Barry Pollard Jul 04 '19 at 08:40
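
To turn a log written with the CustomLog format from the answer into the percentage the question asks for, the log can be tallied per protocol. The following is an added example, not part of the original answer; the function name `protocol_share` and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches the answer's format: %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>.*)" (?P<bytes>\S+)$'
)

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = """\
[04/Jul/2019:08:30:01 +0000] 203.0.113.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 5120
[04/Jul/2019:08:30:02 +0000] 203.0.113.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cart HTTP/1.1" 2048
[04/Jul/2019:08:30:03 +0000] 203.0.113.11 TLSv1 AES128-SHA "GET / HTTP/1.1" 5120
[04/Jul/2019:08:30:04 +0000] 203.0.113.12 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET / HTTP/1.1" 5120
[04/Jul/2019:08:30:05 +0000] 203.0.113.13 TLSv1.1 ECDHE-RSA-AES128-SHA "GET / HTTP/1.1" 5120
[04/Jul/2019:08:30:06 +0000] 203.0.113.11 TLSv1 AES128-SHA "POST /checkout HTTP/1.1" -
[04/Jul/2019:08:30:07 +0000] 203.0.113.14 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 5120
[04/Jul/2019:08:30:08 +0000] 203.0.113.14 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /a.css HTTP/1.1" 300
[04/Jul/2019:08:30:09 +0000] 203.0.113.15 - - "GET /health HTTP/1.1" -
[04/Jul/2019:08:30:10 +0000] 203.0.113.16 TLSv1.2 ECDHE-RSA
"""

def protocol_share(lines):
    """Return ({protocol: {requests_pct, clients_pct}}, skipped_line_count)."""
    requests, clients, skipped = Counter(), defaultdict(set), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] == "-":  # malformed line or non-TLS request
            skipped += 1
            continue
        requests[m["proto"]] += 1
        clients[m["proto"]].add(m["host"])  # client IP as a rough proxy for a user
    total = sum(requests.values())
    all_clients = set().union(*clients.values())
    report = {
        proto: {
            "requests_pct": round(100 * count / total, 1),
            "clients_pct": round(100 * len(clients[proto]) / len(all_clients), 1),
        }
        for proto, count in requests.items()
    }
    return report, skipped

if __name__ == "__main__":
    report, skipped = protocol_share(SAMPLE_LOG.splitlines())
    for proto, stats in sorted(report.items()):
        print(proto, stats)
    print("skipped lines:", skipped)
```

Request share over-weights busy clients, and an IP seen with more than one protocol is counted under each, so the client percentages can sum to more than 100.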