Add TLS version and cipher to cPanel logs

Discussion in 'Security' started by sparek-3, Aug 8, 2018.

  1. sparek-3

    sparek-3 Well-Known Member

    Is it possible to modify the logging format that cPanel services use (i.e. the stuff logged in /usr/local/cpanel/logs/access_log) to include the TLS protocol version and cipher?

    I know you can do this in Apache by adding

    %{SSL_PROTOCOL}x %{SSL_CIPHER}x

    to the combined LogFormat directive.

    Is it possible to make a similar modification to the cPanel logs? Is it possible for server administrators to make this change or is this hardcoded within cPanel somewhere?

    The reason for this, with the upcoming (or supposed to have already passed) death of TLSv1 and TLSv1.1 it might be beneficial to see what accounts are still using TLSv1 and TLSv1.1 browsers/OSs so they can be nudged to upgrade their system (a futile task anyway). But I didn't see any way to modify this for cPanel web-services, just wondering if I missed the option somewhere.
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hi @sparek-3

    That's a great idea but it's not possible to make modifications to the cPanel access_logs in the same manner due to the fact the data for that is hardcoded in our binaries. I think it'd be a really useful feature request though. I'd say use the link in my signature to open a feature request then let us know the link so we can all vote on it too.

    Thanks!
     
  3. sparek-3

    sparek-3 Well-Known Member

    Would probably lose its luster before it gets through the requisite feature request bureaucracy.

    The main point would be to identify those users that are still using browsers/OSs that rely on TLSv1 and TLSv1.1 (and there's a ton of them) before the recommended PCI deadline of June 30, 2018 (oops! that's already passed ... yes, I'm being sarcastic at everyone's viewpoint toward security recommendations).

    I'll just modify the Apache combined log to show this and have users visit a dummy Apache served page to see what TLS version they are using. Seems simpler this way.
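
The Apache-side approach from this post, as an added example that is not part of the original thread or cPanel's code: a parser for the combined log format with `%{SSL_PROTOCOL}x %{SSL_CIPHER}x` appended, reporting which client addresses still negotiate TLSv1 or TLSv1.1. The sample lines, the `/tlscheck.html` path and the function names are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" fields followed by the two mod_ssl fields from the post:
# ... "%{Referer}i" "%{User-Agent}i" %{SSL_PROTOCOL}x %{SSL_CIPHER}x
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ '
    + QUOTED + ' ' + QUOTED + r' (\S+) (\S+)$'
)
LEGACY = {"TLSv1", "TLSv1.1"}  # the versions the thread wants to find


def parse_line(line):
    """Return (host, user_agent, protocol, cipher), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, _request, _referer, agent, proto, cipher = m.groups()
    return host, agent, proto, cipher


def legacy_clients(lines):
    """Return ({host: Counter{(protocol, cipher, agent): hits}}, unparsed_count)."""
    report, unparsed = defaultdict(Counter), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1      # count rather than silently drop
            continue
        host, agent, proto, cipher = rec
        if proto in LEGACY:    # plain-HTTP hits log "-" and are ignored
            report[host][(proto, cipher, agent)] += 1
    return dict(report), unparsed


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [08/Aug/2018:10:15:01 -0500] "GET /tlscheck.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)" TLSv1 DES-CBC3-SHA',
    '198.51.100.7 - - [08/Aug/2018:10:15:09 -0500] "GET /tlscheck.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256',
    '192.0.2.10 - - [08/Aug/2018:10:16:30 -0500] "GET /tlscheck.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)" TLSv1 DES-CBC3-SHA',
    '203.0.113.5 - - [08/Aug/2018:10:17:02 -0500] "GET /tlscheck.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 4.3)" TLSv1.1 ECDHE-RSA-AES256-SHA',
    '198.51.100.7 - - [08/Aug/2018:10:18:44 -0500] "GET / HTTP/1.1" 200 1024 "-" "curl/7.61.0" - -',
    'not a log line',
]

if __name__ == "__main__":
    clients, unparsed = legacy_clients(SAMPLE)
    for host, hits in sorted(clients.items()):
        for (proto, cipher, agent), n in hits.items():
            print(f"{host} {proto} {cipher} hits={n} agent={agent}")
    print(f"unparsed lines: {unparsed}")
```

Mapping the reported addresses back to hosting accounts is a separate step that depends on how the dummy page is handed out to users.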
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    I understand. If you do decide to open it for some reason, please let us know.


    Thanks!
     