
When planning to remove a cipher suite, is there a way to log which cipher suites are available to the clients that talk to my web server?

The idea is to know in advance, before some cipher is removed, whether I need to install new ones and which ones.

Basically, I would like to be able to sample some of the requests coming into an Apache Tomcat web server and log the cipher suites supported by the client making the request.

If that is not possible, would it be possible to know which cipher suite is used in the current HTTPRequest?

  • Not sure why people are voting this off-topic. Determining which suites your clients use is a pretty big deal these days, what with all the ciphers you have to turn off to end up with a decent score at SSL Labs. It's hard to shut things off if you don't have a clue what people are using (and capable of using). Commented Jun 1, 2016 at 0:18
  • @gowenfawr I saw some wanted to migrate it to Server Fault, but I think it is appropriate for this site as well. Commented Jun 1, 2016 at 0:48

3 Answers 3


Yes, you can crank up Tomcat logging to include that information using the javax.net.debug system property. That will allow you to get this sort of output, which includes the cipher suite proposed by the client:

    *** ClientHello, TLSv1
    RandomCookie:  GMT: 1073239164 bytes = { 10, 80, 71, 86, 124, 135, 104, 151, 72, 153, 70, 28, 97, 232, 160, 217, 146, 178, 87, 255, 122, 147, 83, 197, 60, 187, 227, 76 }
    Session ID:  {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods:  { 0 }
    ***

Parsing Tomcat logs is one of those joys that ranks up there with dentistry, but of course it can be done, and will provide you a census of the cipher suites your clients are connecting to you with.

Alternately, running tcpdump (or equivalent) captures with a filter that will capture ClientHello messages will give you a store of raw data to mine. The following filter will capture just the ClientHello messages:

tcpdump -s 0 -w client_hellos.pcap 'port 443 and tcp[((tcp[12:1] & 0xf0)>>2):1] = 0x16 and tcp[((tcp[12:1] & 0xf0)>>2)+1:2] = 0x0301 and tcp[((tcp[12:1] & 0xf0)>>2)+5:1] = 0x01' 
  • Thanks, it's good to know that it's possible to log this. I will try to ask on SO if someone knows whether it can be accessed from within HTTPRequest. Commented Jun 2, 2016 at 11:04
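The raw ClientHello records that the tcpdump filter in the answer above collects still have to be mined. As an added example (not code from the answer or from Tomcat), the Python below parses one TLS record for the client version and the offered cipher suite code points, tallies offers across many hellos, and counts how many clients would be left with no suite in common once the server's list is cut down. It assumes the record payloads have already been pulled out of the pcap as bytes, builds its own constructed sample hellos, and uses a hand-typed subset of IANA suite names.

```python
import struct
from collections import Counter
# IANA names for the code points used below (hand-typed subset, not a full registry).
SUITE_NAMES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
               0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}

def parse_client_hello(record: bytes):
    """Return (client_version, [suite code points]) from one TLS record carrying a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:             # 0x16 = handshake content type
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                      # 0x01 = ClientHello handshake type
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:                                    # client_version + random + session_id length
        raise ValueError("truncated ClientHello")
    pos = 35 + body[34]                                   # skip the variable-length session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    cs_len, pos = struct.unpack(">H", body[pos:pos + 2])[0], pos + 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return struct.unpack(">H", body[:2])[0], suites

def census(records, server_keeps):
    """Per-suite offer counts, plus how many hellos offer nothing in server_keeps (they would fail)."""
    offered, stranded = Counter(), 0
    for rec in records:
        try:
            _, suites = parse_client_hello(rec)
        except ValueError:
            continue                                      # not a ClientHello, or damaged: skip it
        offered.update(set(suites))                       # count each suite once per hello
        if not set(suites) & server_keeps:                # nothing left this client can negotiate
            stranded += 1
    return offered, stranded

def build_client_hello(version, suites):
    """Constructed sample ClientHello for this example (not a real capture)."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"    # version, zero random, empty session_id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                        # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
if __name__ == "__main__":                                     # constructed demo: a modern and a legacy client
    sample = [build_client_hello(0x0303, [0xC02F, 0x002F]), build_client_hello(0x0301, [0x000A, 0x002F])]
    counts, stranded = census(sample, {0xC02F, 0xC030})
    print({SUITE_NAMES.get(c, hex(c)): n for c, n in counts.items()}, "stranded:", stranded)
```

Only the first record of a hello is parsed; a ClientHello split across TCP segments would need reassembly before this step.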

Although a really old question, it's one of the pages that Google thinks has an answer, so I'll update it since there's a better way. I don't know when it was introduced, but it's at least available in my Tomcat version 8.5.85; you can just do something like this in the Java code to find what you're looking for:

    // Protocol version actually negotiated for this connection
    String protocol = (String) request.getAttribute("org.apache.tomcat.util.net.secure_protocol_version");
    // Protocol versions the client offered in its ClientHello
    String requestedProtocols = (String) request.getAttribute("org.apache.tomcat.util.net.secure_requested_protocol_versions");
    // Cipher suite actually negotiated (standard Servlet attribute)
    String cipher = (String) request.getAttribute("javax.servlet.request.cipher_suite");
    // Cipher suites the client offered in its ClientHello
    String requestedCiphers = (String) request.getAttribute("org.apache.tomcat.util.net.secure_requested_ciphers");

Yes, the list of supported ciphers is sent by the client, so the server could perfectly well log which ones are offered by the client. It may be a bit harder (and will depend on your particular implementation) to access them, as that's typically abstracted in the SSL layer.
