Does Cloudflare log the cipher suite that was accepted in TLS handshakes?

We are preparing to disable some of the weaker ciphers, which isn’t likely to be a problem for any of our supported browsers, etc.

But… I was asked if we can search the logs to see if any of the cipher suites we intend to disable have been used recently.

I would guess the logs aren’t that detailed by default (and I’m not particularly interested in bumping up the verbosity just for this effort), but haven’t been able to find anything while browsing or searching the help so far.

Any idea if the cipher suites that were used are logged?

Cloudflare Enterprise plan’s logpush logs can record ciphers used

The field would be ClientSSLCipher (see the list of all logpush log fields that you can log).

Parsing my Cloudflare Enterprise plan’s logpush logs for requests served by CF Edge servers:

Top 10 ciphers, broken down by device type:

pzcat /home/cfcmm-logs/20211103/*.log.gz | jq -r 'select(.ClientSSLCipher != "NONE") |"\(.ClientDeviceType) \(.ClientSSLProtocol) \(.ClientSSLCipher)"' | sort -n | uniq -c | sort -rn | head -n10
  63972 desktop TLSv1.3 AEAD-AES128-GCM-SHA256
  29744 desktop TLSv1.3 AEAD-AES256-GCM-SHA384
  10052 desktop TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
   3594 mobile TLSv1.3 AEAD-AES128-GCM-SHA256
   1123 desktop TLSv1.3 AEAD-CHACHA20-POLY1305-SHA256
    906 desktop TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
    456 mobile TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
     71 tablet TLSv1.3 AEAD-AES256-GCM-SHA384
     53 tablet TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
     42 mobile TLSv1.3 AEAD-CHACHA20-POLY1305-SHA256

Top 10 ciphers, broken down by device type x CF datacenter x country of visitor:

pzcat /home/cfcmm-logs/20211103/*.log.gz | jq -r 'select(.ClientSSLCipher != "NONE") |"\(.ClientDeviceType) \(.EdgeColoCode) \(.ClientCountry) \(.ClientSSLProtocol) \(.ClientSSLCipher)"' | sort -n | uniq -c | sort -rn | head -n10
   3454 desktop FRA de TLSv1.3 AEAD-AES128-GCM-SHA256
   3370 desktop CDG fr TLSv1.3 AEAD-AES128-GCM-SHA256
   3151 desktop AMS nl TLSv1.3 AEAD-AES128-GCM-SHA256
   3112 desktop DFW us TLSv1.3 AEAD-AES128-GCM-SHA256
   2766 desktop IAD us TLSv1.3 AEAD-AES128-GCM-SHA256
   2760 desktop SYD au TLSv1.3 AEAD-AES128-GCM-SHA256
   2630 desktop LAX us TLSv1.3 AEAD-AES128-GCM-SHA256
   2579 desktop SIN sg TLSv1.3 AEAD-AES256-GCM-SHA384
   2505 desktop SJC us TLSv1.3 AEAD-AES128-GCM-SHA256
   2464 desktop SYD au TLSv1.3 AEAD-AES256-GCM-SHA384

Many creative ways to parse and collect stats from logpush log fields.
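The same breakdown done without jq, as an added example that is not part of the original thread: it reads logpush NDJSON records, skips entries whose ClientSSLCipher is "NONE", counts (device type, protocol, cipher) tuples, and reports any hits against a list of suites the operator plans to disable. The sample records and the TO_DISABLE set are constructed for the example; the field names are the real logpush ones from the answer above.

```python
import json
from collections import Counter

# Constructed sample of Cloudflare logpush HTTP request records (NDJSON, one per line).
# Real logs: pass gzip.open(path, "rt") instead of SAMPLE_LOG.splitlines().
SAMPLE_LOG = """\
{"ClientDeviceType":"desktop","ClientSSLProtocol":"TLSv1.3","ClientSSLCipher":"AEAD-AES128-GCM-SHA256"}
{"ClientDeviceType":"desktop","ClientSSLProtocol":"TLSv1.2","ClientSSLCipher":"ECDHE-ECDSA-AES128-GCM-SHA256"}
{"ClientDeviceType":"mobile","ClientSSLProtocol":"TLSv1.2","ClientSSLCipher":"ECDHE-RSA-AES128-SHA"}
{"ClientDeviceType":"desktop","ClientSSLProtocol":"none","ClientSSLCipher":"NONE"}
{"ClientDeviceType":"tablet","ClientSSLProtocol":"TLSv1.3","ClientSSLCipher":"AEAD-AES128-GCM-SHA256"}
{"ClientDeviceType":"mobile","ClientSSLProtocol":"TLSv1.2","ClientSSLCipher":"ECDHE-RSA-AES128-SHA"}
"""

# Hypothetical set of suites slated for removal (an assumption, not taken from the thread).
TO_DISABLE = {"ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA", "AES128-SHA"}

def iter_records(lines):
    # Yield only records that carry a negotiated cipher; "NONE" means plain HTTP / no handshake.
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole run
        if rec.get("ClientSSLCipher", "NONE") == "NONE":
            continue
        yield rec

def cipher_breakdown(lines):
    # Equivalent of the jq | sort | uniq -c pipeline: count (device, protocol, cipher) tuples.
    c = Counter()
    for rec in iter_records(lines):
        c[(rec.get("ClientDeviceType"), rec.get("ClientSSLProtocol"), rec["ClientSSLCipher"])] += 1
    return c

def deprecated_usage(lines, to_disable):
    # Count how often each suite we intend to disable was actually negotiated.
    c = Counter()
    for rec in iter_records(lines):
        if rec["ClientSSLCipher"] in to_disable:
            c[rec["ClientSSLCipher"]] += 1
    return c

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (dev, proto, cipher), n in cipher_breakdown(lines).most_common(10):
        print(f"{n:8d} {dev} {proto} {cipher}")
    print("suites slated for removal still seen:", dict(deprecated_usage(lines, TO_DISABLE)) or "none")
```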
