Weak Ciphers

user15142 · December 19, 2021, 6:04am

I am using TLS 1.2 and I just ordered an advanced certificate which should allow me to configure cipher suites and remove weaker suites.
Before I do that I wanted to understand the traffic I receive using weak cipher suites.

Is there a way to check that?

erictung · December 19, 2021, 8:58am

As far as I know, only Enterprise customers have access to raw HTTP logs, which contains the cipher suite being used for each request.

Otherwise, you might need to extract the cipher suite information from Cloudflare Workers for each request, then perform your own aggregations. For example, you may add a new request header in Workers script so that the cipher suite information can be sent to your origin server; or you may trigger a Webhook every time Cloudflare sees a weak cipher is being used by the request.

https://developers.cloudflare.com/workers/examples/accessing-the-cloudflare-object

eva2000 · December 19, 2021, 12:19pm

If you know how to you can configure your origin web server’s logging to pickup Cloudflare request headers and log them. Here’s how I do it for my Centmin Mod Nginx logging of Cloudflare requests https://community.centminmod.com/threads/cloudflare-custom-nginx-logging.14790/ and how to use Nginx logging in JSON format too https://community.centminmod.com/threads/how-to-configure-nginx-for-json-based-access-logging.19641/

Obviously, you’d only be able to log Cloudflare cache miss requests as cache hit requests would not hit your origin server and only be served from Cloudflare edge servers. So for Cloudflare edge server requests then @erictung suggestion of Cloudflare Enterprise plan logpush would only be the way.

Should be fine for default Cloudflare cache configs as by default CF doesn’t cache HTML files at least unless you’re using Cache Everything page rules or custom CF worker caching. So HTML file requests should by default hit your origin server to be logged.

Example inspection of SSL ciphers from my Nginx JSON formatted access logs

cat access_log.json | jq -r '.ssl_cipher' | sort | uniq -c | sort -rn
   3099 TLS_AES_256_GCM_SHA384
    171 ECDHE-ECDSA-AES256-GCM-SHA384
     22 ECDHE-ECDSA-CHACHA20-POLY1305
      2 ECDHE-ECDSA-AES128-SHA

For SSL Protocol + SSL ciphers

cat access_log.json | jq -r '"\(.ssl_protocol) \(.ssl_cipher)"' | sort | uniq -c | sort -rn
   3099 TLSv1.3 TLS_AES_256_GCM_SHA384
    171 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
     22 TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
      1 TLSv1 ECDHE-ECDSA-AES128-SHA
      1 TLSv1.1 ECDHE-ECDSA-AES128-SHA

Can also parse and tally with HTTP status code included for a more detailed breakdown

pzcat -f access_log.json{,-*} | jq -r '"\(.status) \(.ssl_protocol) \(.ssl_cipher)"' | sort | uniq -c | sort -rn
1099892 200 TLSv1.3 TLS_AES_256_GCM_SHA384
 131497 307 TLSv1.3 TLS_AES_256_GCM_SHA384
  40749 304 TLSv1.3 TLS_AES_256_GCM_SHA384
  29627 200 TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
  15012 301 TLSv1.3 TLS_AES_256_GCM_SHA384
   9326 403 TLSv1.3 TLS_AES_256_GCM_SHA384
   6488 304 TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
   4655 200 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
   3893 404 TLSv1.3 TLS_AES_256_GCM_SHA384
   2034 304 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
   1758 301 TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
   1735 303 TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
   1509 307 TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
    740 303 TLSv1.3 TLS_AES_256_GCM_SHA384
    444 301 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    378 307 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    246 303 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    208 302 TLSv1.3 TLS_AES_256_GCM_SHA384
    202 403 TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
    168 400 TLSv1.3 TLS_AES_256_GCM_SHA384
     67 405 TLSv1.3 TLS_AES_256_GCM_SHA384
     22 302 TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
     16 404 TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
      4 302 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
      2 405 TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
      2 404 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
      2 403 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
      1 500 TLSv1.3 TLS_AES_256_GCM_SHA384

And if not using Nginx JSON log format but regular - might need to change pzcat to zcat for gzip compressed cat for non-Centmin Mod systems as I add multi-threaded gzip pzcat tool for faster gzip compressed log parsing compared to normal single threaded zcat.

pzcat -f cfssl-access.log{,-*} | grep -v 'SERVER_IP' | awk '{n = 2; for (--n; n >= 0; n--){ printf "%s\t",$(NF-n)} print ""}' | sort | uniq -c | sort -rn | head -n20 | column -t
299930  TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
191033  TLSv1.2  ECDHE-ECDSA-CHACHA20-POLY1305
173484  TLSv1.3  TLS_AES_256_GCM_SHA384
43      -        -
35      TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256

You can also use Cloudflare Transform header request modifications to add other Cloudflare fields if you want to log those on origin server side

system · December 22, 2021, 12:20pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.