ANS Documentation

Logging TLS cipher usage

It is possible to enable cipher usage logging as a custom logging option in many popular web platforms. Here we will discuss configuring this in IIS.

This can help an administrator determine the quantity of visitor connections that use legacy protocols and ciphers.

IIS TLS logging

The Microsoft Secure team announced in a blog post that Windows Server 2012 R2 and Windows Server 2016 can use custom logging in IIS to record the negotiated TLS protocol and cipher suite parameters in the access log.

To enable the new functionality, you will need to add the following custom log fields at either the site or server level.

| Field Name        | Source                   | Type           |
|-------------------|--------------------------|----------------|
| crypt-protocol    | CRYPT_PROTOCOL           | ServerVariable |
| crypt-cipher      | CRYPT_CIPHER_ALG_ID      | ServerVariable |
| crypt-hash        | CRYPT_HASH_ALG_ID        | ServerVariable |
| crypt-keyexchange | CRYPT_KEYEXCHANGE_ALG_ID | ServerVariable |

This can be done through IIS by adding custom logging fields:

[Figure: IIS Logging]

Or you can add them directly to the applicationHost.config as custom log fields:

<logFile>
    <customFields>
        <clear />
        <add logFieldName="crypt-protocol" sourceName="CRYPT_PROTOCOL" sourceType="ServerVariable" />
        <add logFieldName="crypt-cipher" sourceName="CRYPT_CIPHER_ALG_ID" sourceType="ServerVariable" />
        <add logFieldName="crypt-hash" sourceName="CRYPT_HASH_ALG_ID" sourceType="ServerVariable" />
        <add logFieldName="crypt-keyexchange" sourceName="CRYPT_KEYEXCHANGE_ALG_ID" sourceType="ServerVariable" />
    </customFields>
</logFile>

When an HTTPS request is processed, the negotiated SSL/TLS parameters are written to the log file as hexadecimal values. You can then use the Microsoft documentation for Protocols and Ciphers to map these hex values to human-readable names.
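As an added example (not part of this page or of Microsoft's tooling), the following Python script reads an IIS W3C log that carries the four custom fields, maps the logged hex values to names using the Schannel protocol and CryptoAPI ALG_ID constants, and counts how many HTTPS requests negotiated a legacy protocol. The log sample is constructed, and the lookup tables cover only a common subset of values; anything unlisted is reported as raw hex.

```python
from collections import Counter

# Schannel protocol flags (schannel.h) and CryptoAPI ALG_ID values (wincrypt.h),
# common subset only; unknown codes fall through as raw hex.
PROTOCOLS = {0x10: "SSL 3.0", 0x40: "TLS 1.0", 0x100: "TLS 1.1",
             0x400: "TLS 1.2", 0x1000: "TLS 1.3"}
CIPHERS = {0x6603: "3DES", 0x660e: "AES-128", 0x6610: "AES-256", 0x6801: "RC4"}
HASHES = {0x8003: "MD5", 0x8004: "SHA-1", 0x800c: "SHA-256", 0x800d: "SHA-384"}
KEYEX = {0xa400: "RSA", 0xaa02: "DHE", 0xae06: "ECDHE"}
LEGACY = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}

# Constructed sample of an IIS W3C log with the four custom fields appended.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status crypt-protocol crypt-cipher crypt-hash crypt-keyexchange
2024-01-01 10:00:00 192.0.2.10 GET /index.html 200 400 6610 800c ae06
2024-01-01 10:00:01 192.0.2.11 GET /login 200 40 6603 8004 a400
2024-01-01 10:00:02 192.0.2.12 GET /about 200 - - - -
2024-01-01 10:00:03 192.0.2.13 GET /api 200 1000 6610 800d ae06
""".splitlines()

def decode(table, value):
    """Map a hex log field to a name; '-' means IIS had no value (plain HTTP)."""
    if value == "-":
        return None
    code = int(value, 16)          # accepts both '400' and '0x400'
    return table.get(code, f"0x{code:x}")

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields: header."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def summarise(lines):
    """Count negotiated protocol/cipher/hash/key exchange over HTTPS requests."""
    counts = {k: Counter() for k in ("protocol", "cipher", "hash", "keyexchange")}
    legacy = https = 0
    for row in parse_w3c(lines):
        proto = decode(PROTOCOLS, row.get("crypt-protocol", "-"))
        if proto is None:
            continue                # no TLS fields logged: plain-HTTP request
        https += 1
        legacy += proto in LEGACY   # True counts as 1
        counts["protocol"][proto] += 1
        counts["cipher"][decode(CIPHERS, row["crypt-cipher"])] += 1
        counts["hash"][decode(HASHES, row["crypt-hash"])] += 1
        counts["keyexchange"][decode(KEYEX, row["crypt-keyexchange"])] += 1
    return {"https_requests": https, "legacy_protocol_requests": legacy, **counts}
```

Point `summarise` at the lines of a real log file (for example `summarise(open(path))`) to get per-protocol and per-cipher counts for a site.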

Note

Since the log entry can only be written after the TLS handshake has succeeded, you will not be able to log HTTPS requests that fail TLS negotiation because of a protocol or cipher mismatch. This means TLS logging is not suitable for troubleshooting failed connections. However, it does provide insight into which protocols and ciphers are being negotiated when users visit the site.

© ANS Group Limited | Terms and Conditions | Corporate Guidance | Sitemap