4.17. Implementing SSL Session Log Filtering

4.17.1. What it is

F5 BIG-IP version 17.1 introduces new SSL session log events and filters, providing greater granularity into SSL-related actions. Each of these can be enabled in an SSL Orchestrator environment to aid in troubleshooting SSL-related issues, and/or to provide enhanced visibility.

  • SSL Forward Proxy events

    • Forged certificate log

      Example:

      Forged server certificate: SHA1: c4:af:…:f0:ef; SN: 6990…4278; Subject: /CN=www.test.com/ST=California/C=US/L=San Jose/emailAddress=kstew@f5.com/O=F5/OU=SSL Test; Certificate: -----BEGIN CERTIFICATE-----\nMIID…Kjik=\n-----END CERTIFICATE-----\n
      
    • Forged certificate forgery success log (log_level >= info)

      Example:

      SSL certificate forgery succeeded from server cert for TCP 10.10.10.3:35458 -> 10.192.225.176:22224 entity: server SID: d0ef…0e15 original-cert-sha1: 71:4b:…:59:38 original-cert-dn: /CN=www.test.com/ST=California/C=US/L=San Jose/emailAddress=kstew@f5.com/O=F5/OU=SSL Test
      
    • Embedded CA certificate forgery usage log (log_level >= info)

      Example:

      Private key of /Common/default.crt is accessed to forge certificate for SSL forward proxy CA for TCP 10.10.10.3:35458 -> 10.192.225.176:22224 entity: server SID: d0ef…0e15
      
    • Embedded CA OCSP signage use log (log_level >= info)

      Example:

      Private key is accessed to issue OCSP signing certificate
      
    • SSL bypass invocation log (log_level >= info)

      Example:

      SSL traffic bypassed (missing STIP inspect consent) for TCP 10.10.10.3:37878 -> 10.192.225.0:22224 entity: server SID: N/A
      
    • SSL dynamic bypass invocation log (log_level >= warning)

      Example:

      SSL traffic bypassed (unsupported version alert(70)) for TCP 10.10.10.3:35534 -> 10.192.225.176:22224 entity: server SID: a07f…5e25
      
  • SSL handshake events

    • Handshake details log (log_level >= info)

      Example:

      SSL Handshake details for TCP 10.192.225.176:22224 -> 10.192.236.95:35458 entity: client SID: 990a…5b51 version: TLSv1.2 cipher-suite: ECDHE-RSA-AES128-GCM-SHA256 key-exchange: 70 bytes client-cert-sha1: N/A server-cert-sha1: 71:4b:…:59:38 mutual-authentication: false
      
    • TLSv1.3 session ticket log (log_level >= info)

      Example:

      Session Ticket replaced for TCP 10.10.10.3:35462 -> 10.192.225.176:22224 entity: server old-SID: cee0…53dd new-SID: 32cc…f6ca version: TLSv1.3
      
  • SSL client authentication events

    • Mutual authentication authorization log (log_level >= info)

      Example:

      SSL mutual authentication authorized for TCP 10.192.225.176:22224 -> 10.192.236.95:35530 entity: client SID: ddd2…23e7 client-cert-sha1: 32:82:…:e3:ee client-cert-dn: /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
      
  • C3D (Client certificate Constrained Delegation) events

    • Successful client certificate forgery log (log_level >= info)

      Example:

      SSL certificate forgery succeeded from client cert for TCP 10.192.225.176:22223 -> 10.192.236.95:56778 entity: client SID: 2266…da03 original-cert-sha1: b7:af:…:86:63 original-cert-dn: /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
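The event lines above share one layout: a message, an optional "for TCP src -> dst entity: X" flow, then space-separated "key: value" pairs. The following parser and triage rules are an added example, not F5 code; the sample lines are constructed in the formats shown above with shortened SIDs and fingerprints, and the CA allowlist path is an assumption.

```python
import re

# Constructed sample lines in the formats of 4.17.1 (not captured from a real BIG-IP).
SAMPLE_LOGS = [
    "SSL Handshake details for TCP 10.192.225.176:22224 -> 10.192.236.95:35458 entity: client "
    "SID: 990a5b51 version: TLSv1.2 cipher-suite: ECDHE-RSA-AES128-GCM-SHA256 key-exchange: 70 bytes "
    "client-cert-sha1: N/A server-cert-sha1: 71:4b:59:38 mutual-authentication: false",
    "SSL traffic bypassed (unsupported version alert(70)) for TCP 10.10.10.3:35534 -> "
    "10.192.225.176:22224 entity: server SID: a07f5e25",
    "Private key of /Common/default.crt is accessed to forge certificate for SSL forward proxy CA "
    "for TCP 10.10.10.3:35458 -> 10.192.225.176:22224 entity: server SID: d0ef0e15",
    "SSL Handshake details for TCP 10.192.225.176:22224 -> 10.192.236.95:35460 entity: client "
    "SID: 1234abcd version: TLSv1 cipher-suite: AES128-SHA key-exchange: 0 bytes "
    "client-cert-sha1: N/A server-cert-sha1: 71:4b:59:38 mutual-authentication: false",
]

FLOW_RE = re.compile(r"for TCP (?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+) entity: (?P<entity>\w+)")
KV_RE = re.compile(r"(?P<key>[\w-]+): (?P<val>\S+(?: bytes)?)")  # keeps the unit of "key-exchange: 70 bytes"
BYPASS_RE = re.compile(r"^SSL traffic bypassed \((?P<reason>.*?)\) for TCP")
CA_RE = re.compile(r"^Private key of (?P<ca>\S+) is accessed")

WEAK_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}
EXPECTED_FORWARD_PROXY_CAS = {"/Common/my-forward-proxy-ca.crt"}  # assumed allowlist for this example


def parse_ssl_event(line):
    """Split one SSL session log line into its message, flow fields and key/value pairs."""
    event = {"message": line.split(" for TCP ")[0]}
    for regex in (FLOW_RE, BYPASS_RE, CA_RE):
        match = regex.search(line)
        if match:
            event.update(match.groupdict())
    for key, val in KV_RE.findall(line):
        if key != "entity":  # already captured by FLOW_RE
            event[key] = val
    return event


def findings(lines, expected_cas=EXPECTED_FORWARD_PROXY_CAS):
    """Return (kind, detail, src, dst) tuples for events worth triaging."""
    out = []
    for line in lines:
        ev = parse_ssl_event(line)
        flow = (ev.get("src"), ev.get("dst"))
        if ev["message"].startswith("SSL traffic bypassed"):
            out.append(("bypass", ev.get("reason", ""), *flow))  # flow left uninspected
        elif ev.get("version") in WEAK_VERSIONS:
            out.append(("weak-version", ev["version"], *flow))
        if "ca" in ev and ev["ca"] not in expected_cas:
            out.append(("unexpected-ca", ev["ca"], *flow))  # forgery with a CA not on the allowlist
    return out
```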
      

4.17.2. How to build it

The SSL session log events above are properties of the client and server SSL profiles, and their current settings can be viewed as follows:

tmsh list ltm profile client-ssl my-clientssl-profile all-properties | grep log

output:
   log-publisher sys-ssl-publisher
   log-ssl-c3d-events warn
   log-ssl-client-authentication-events warn
   log-ssl-forward-proxy-events warn
   log-ssl-handshake-events warn

By default, each of the new SSL session log event settings is at Warning (warn); in most cases it must be raised to Informational (info), or a more verbose level, before the corresponding events are logged.

tmsh modify ltm profile client-ssl my-clientssl-profile log-ssl-handshake-events info

These settings are also directly accessible via the client and server SSL properties in the BIG-IP UI:


Figure 104: SSL session logging properties


The “ssl-c3d”, “ssl-forward-proxy”, and “ssl-handshake” options are also available as log filter sources (System -> Logs -> Configuration -> Log Filters).