Add TLS version and cipher to cPanel logs

[sparek-3]

Is it possible to modify the logging format that cPanel services uses (i.e. the stuff logged in /usr/local/cpanel/logs/access_log) to include the TLS protocol version and cipher?

I know you can do this in Apache by adding

%{SSL_PROTOCOL}x %{SSL_CIPHER}x

to the combined LogFormat directive.

Is it possible to make a similar modification to the cPanel logs? Is it possible for server administrators to make this change or is this hardcoded within cPanel some where?

The reason for this, with the upcoming (or suppose to have already passed) death of TLSv1 and TLSv1.1 it might be beneficial to see what accounts are still using TLSv1 and TLSv1.1 browsers/OSs so they can be nudged to upgrade their system (a futile task anyway). But I didn't see any way to modify this for cPanel web-services, just wondering if I missed the option some where.

 

[cPanelLauren]

Hi @sparek-3

That's a great idea but it's not possible to make modifications to the cPanel access_logs in the same manner due to the fact the data for that is hardcoded in our binaries. I think it'd be a really useful feature request though. I'd say use the link in my signature to open a feature request then let us know the link so we can all vote on it too.

Thanks!

 

[sparek-3]

Would probably lose it's luster before it gets through the requisite feature request bureaucracy.

The main point would be to identify those users that are still using browsers/OSs that rely on TLSv1 and TLSv1.1 (and there's a ton of them) before the recommended PCI deadline of June 30, 2018 (oops! that's already passed ... yes, I'm being sarcastic at everyone's viewpoint toward security recommendations).

I'll just modify the Apache combined log to show this and have users visit a dummy Apache served page to see what TLS version they are using. Seems simpler this way.

 

[cPanelLauren]

I understand, if you do decide to open it for some reason, please let us know.


Thanks!