Product Documentation

Selective SSL logging

In a large deployment comprising thousands of virtual servers, all SSL-related information is logged. Earlier, filtering the client authentication and SSL handshake successes and failures for a few critical virtual servers was not easy. Perusing through the entire log to get this information was a time-consuming and tedious task because the infrastructure did not offer the control to filter the logs. Now, you can log SSL-related information in ns.log, for a specific virtual server or for a group of virtual servers. This information is especially helpful in debugging failures. To log this information, you must add an SSL log profile.

See sample ns.log output for successful client authentication at the end of this page.

SSL log profile

An SSL log profile provides control over logging the following events for a virtual server or a group of virtual servers:

  • Client authentication success and failures, or only failures.

  • SSL handshake success and failures, or only failures.

By default, all the parameters are disabled.

An SSL log profile can be set on an SSL profile, or on an SSL action. If set to an SSL profile, you can log both client authentication and SSL handshake success and failure information. If set to an SSL action, you can only log client authentication success and failure information because the handshake is complete before the policy is evaluated.

Client authentication and SSL handshake success and failures are logged even if you do not configure an SSL log profile. However, selective logging is possible only if SSL log profile is used.

Note:

SSL log profile is supported in high availability and cluster setups.

Add an SSL log profile by using the CLI

At the command prompt, type:

add ssl logprofile <name> [-sslLogClAuth ( ENABLED | DISABLED )] [-ssllogClAuthFailures ( ENABLED | DISABLED )] [-sslLogHS ( ENABLED | DISABLED )] [-sslLogHSfailures ( ENABLED | DISABLED )]

Parameters:

Name:

Name for the SSL log profile. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the profile is created.

Name is a mandatory argument. Maximum Length: 127

sslLogClAuth:

Log all client authentication events. Includes both success and failure events.

Possible values: ENABLED, DISABLED

Default value: DISABLED

ssllogClAuthFailures:

Log all client authentication failure events.

Possible values: ENABLED, DISABLED

Default value: DISABLED

sslLogHS:

Log all SSL handshake related events. Includes both success and failure events.

Possible values: ENABLED, DISABLED

Default value: DISABLED

sslLogHSfailures:

Log all SSL handshake related failure events.

Possible values: ENABLED, DISABLED

Default value: DISABLED

Example:

> add ssl logprofile ssllog10 -sslLogClAuth ENABLED -sslLogHS ENABLED

 Done

sh ssllogprofile ssllog10

1)      Name: ssllog10

        SSL log ClientAuth [Success/Failures] : ENABLED

        SSL log ClientAuth [Failures] : DISABLED

        SSL log Handshake [Success/Failures] : ENABLED

        SSL log Handshake [Failures] : DISABLED

 Done

Add an SSL log profile by using the GUI**

Navigate to System > Profiles > SSL Log Profile and add a profile.

Modify an SSL log profile by using the CLI

At the command prompt type:

set ssl logprofile <name> [-sslLogClAuth ( ENABLED | DISABLED )][-ssllogClAuthFailures ( ENABLED | DISABLED )] [-sslLogHS ( ENABLED | DISABLED )] [-sslLogHSfailures ( ENABLED | DISABLED )]

Example:

set ssllogprofile ssllog10 -ssllogClAuth en -ssllogClAuthFailures en -ssllogHS en -ssllogHSfailures en

Done

sh ssllogprofile ssllog10

    1)            Name: ssllog10

                    SSL log ClientAuth [Success/Failures] : ENABLED
                    SSL log ClientAuth [Failures] : ENABLED
                    SSL log Handshake [Success/Failures] : ENABLED
                    SSL log Handshake [Failures] : ENABLED
     Done

Modify an SSL log profile by using the GUI

  1. Navigate to **System > Profiles > SSL Log Profile, select a profile, and click **Edit.
  2. Make changes and click OK.

View all the SSL log profiles by using the CLI

At the command prompt, type:

sh ssl logprofile

Example:

sh ssl logprofile

    1)            Name: ssllogp1
                    SSL log ClientAuth [Success/Failures] : ENABLED
                    SSL log ClientAuth [Failures] : ENABLED
                    SSL log Handshake [Success/Failures] : DISABLED
                    SSL log Handshake [Failures] : ENABLED

    2)            Name: ssllogp2
                    SSL log ClientAuth [Success/Failures] : DISABLED
                    SSL log ClientAuth [Failures] : DISABLED
                    SSL log Handshake [Success/Failures] : DISABLED
                    SSL log Handshake [Failures] : DISABLED

    3)            Name: ssllogp3
                    SSL log ClientAuth [Success/Failures] : DISABLED
                    SSL log ClientAuth [Failures] : DISABLED
                    SSL log Handshake [Success/Failures] : DISABLED
                    SSL log Handshake [Failures] : DISABLED

    4)            Name: ssllog10
                    SSL log ClientAuth [Success/Failures] : ENABLED
                    SSL log ClientAuth [Failures] : ENABLED
                    SSL log Handshake [Success/Failures] : ENABLED
                    SSL log Handshake [Failures] : ENABLED
Done

View all the SSL log profiles by using the GUI

Navigate to System > Profiles > SSL Log Profile. All the profiles are listed.

Attach an SSL log profile to an SSL profile

You can attach (set) an SSL log profile on an SSL profile when you are creating an SSL profile, or later by editing the SSL profile. You can log both client authentication and handshake successes and failures.

Important:

The default SSL profile must be enabled before you can attach an SSL log profile.

Attach an SSL log profile on an SSL profile by using the CLI

At the command prompt, type:

set ssl profile <name> [-ssllogProfile <string>]

Example:

set ssl profile fron_1 -ssllogProfile ssllog10

Attach an SSL log profile to an SSL profile by using the GUI

  1. Navigate to System > Profiles > SSL Profile.
  2. Click Edit and in SSL Log Profile, specify a profile.

Attach an SSL log profile to an SSL action

You can set an SSL log profile only while creating an SSL action. You cannot modify an SSL action to set the log profile. Associate the action to a policy. You can only log client authentication successes and failures.

Attach an SSL log profile to an SSL action by using the CLI

At the command prompt, type:

add ssl action <name> -clientAuth ( DOCLIENTAUTH | NOCLIENTAUTH ) -ssllogProfile <string>

Example:

> add ssl action act1 -clientAuth DoCLIENTAUTH -ssllogProfile ssllog10

Done

> sh ssl action act1

    1)            Name: act1
                    Type: Client Authentication (DOCLIENTAUTH)
                    Hits: 0
                    Undef Hits: 0
                    Action Reference Count: 0
                    SSLlogProfile: ssllog10
Done

Attach an SSL log profile to an SSL action by using the GUI

  1. Navigate to Traffic Management > SSL > Policies and click SSL Actions.
  2. Click Add.
  3. In Client Authentication, select ENABLED.
  4. In SSL Log Profile, select a profile from the list, or click “+” to create a profile.
  5. Click Create.

Sample output from the log file

The following is a sample log output from ns.log for successful client authentication.

Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 158 0 :  SPCBId 671 - ClientIP 10.102.1.98 - ClientPort 49451 - VserverServiceIP 10.102.57.82 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session New - CLIENT_AUTHENTICATED -SerialNumber "2A" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Sep 22 09:15:20 2008 GMT" - ValidTo "Feb  8 09:15:20 2036 GMT" - HandshakeTime 10 ms
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 159 0 :  SPCBId 671 - IssuerName " C=IN,ST=KAR,O=Citrix R&D Pvt Ltd,CN=Citrix"
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 160 0 :  SPCBId 671 - SubjectName " C=IN,ST=KAR,O=Citrix Pvt Ltd,OU=A,CN=B"
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 161 0 :  Backend SPCBId 674 - ServerIP 10.102.57.85 - ServerPort 443 - ProtocolVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session Reuse - SERVER_AUTHENTICATED -SerialNumber "3E" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Sep 24 06:40:37 2008 GMT" - ValidTo "Feb 10 06:40:37 2036 GMT" - HandshakeTime 1 ms
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 162 0 :  SPCBId 674 - IssuerName " C=IN,ST=KAR,O=Citrix Pvt Ltd"
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 163 0 :  SPCBId 674 - SubjectName " C=IN,ST=P,L=Q,O=R"