[Dovecot] Patch to log the cipher suite used for TLS

Matthias Scheler tron at zhadum.org.uk
Wed Aug 14 09:48:13 EEST 2013


Hello,

the attached patch for Dovecot 2.2.4 improves the logging to include
information about the cipher suite used for a TLS connection. Here is
an example log line:

Aug 13 21:49:55 colwyn dovecot: imap-login: Login: user=<tron>, method=CRAM-MD5, rip=2001:8b0:114:1::2, lip=2001:8b0:114:1::2, mpid=10567, TLS=<TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)>, session=<ZkEhYtrjSgAgAQiwARQAAQAAAAAAAAAC>

This will e.g. allow you to find out that mobile phones use rather
weak cipher suites (128-bit keys, no PFS).

There is also something else I noticed. If I switch "mutt" (which generated
the above log line) from using IMAP on port 143 and "STARTTLS" to use IMAPS
on port 993 I get TLS 1.2:

Aug 14 07:44:59 colwyn dovecot: imap-login: Login: user=<tron>, method=CRAM-MD5, rip=2001:8b0:114:1::2, lip=2001:8b0:114:1::2, mpid=1156, TLS=<TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)>, session=<0js/suLj9gAgAQiwARQAAQAAAAAAAAAC>

Not sure why TLS 1.2 is only used in this case. It might be "mutt"
doing that.

Kind regards

-- 
Matthias Scheler                                  http://zhadum.org.uk/
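The point of the patch is that, once the cipher suite is in the Login line, you can grep for clients that negotiate weak parameters. The following is an added example, not part of the post or of Dovecot: a small parser for the `TLS=<proto with cipher NAME (bits/bits bits)>` field in the exact layout shown above, which flags logins with a pre-1.2 protocol, a cipher without forward secrecy, a key shorter than the post's 256-bit bar, or no TLS at all. The PFS test (a `DHE-`/`ECDHE-` prefix), the legacy-protocol set and the `MIN_KEY_BITS` threshold are my assumptions; the two `tron` log lines are taken from the post, the `phone` and `legacy` lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Field layout taken from the log lines in the post:
#   TLS=<TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)>
TLS_RE = re.compile(
    r"TLS=<(?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<alg_bits>\d+) bits\)>"
)
LOGIN_RE = re.compile(r"imap-login: Login: user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[^,]+),")

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # assumption: anything before TLS 1.2
MIN_KEY_BITS = 256                                 # the post's bar: 128-bit keys get flagged


@dataclass
class TlsLogin:
    user: str
    rip: str
    proto: Optional[str]    # None when the Login line carried no TLS=<...> field
    cipher: Optional[str]
    bits: Optional[int]

    @property
    def pfs(self) -> bool:
        # Assumption: OpenSSL cipher names, where an ephemeral (EC)DH key
        # exchange (the source of forward secrecy) shows up as a DHE-/ECDHE- prefix.
        return self.cipher is not None and self.cipher.startswith(("DHE-", "ECDHE-"))

    def findings(self) -> list:
        """Human-readable reasons this login is worth a look; empty means fine."""
        if self.proto is None:
            return ["no TLS"]
        out = []
        if self.proto in LEGACY_PROTOCOLS:
            out.append(f"legacy protocol {self.proto}")
        if not self.pfs:
            out.append("no PFS")
        if self.bits < MIN_KEY_BITS:
            out.append(f"{self.bits}-bit key")
        return out


def parse_line(line: str) -> Optional[TlsLogin]:
    """Return a TlsLogin for an imap-login 'Login:' line, or None for any other line."""
    m = LOGIN_RE.search(line)
    if m is None:
        return None
    t = TLS_RE.search(line)
    if t is None:
        return TlsLogin(m["user"], m["rip"], None, None, None)
    return TlsLogin(m["user"], m["rip"], t["proto"], t["cipher"], int(t["bits"]))


def weak_logins(lines) -> dict:
    """Map (user, rip) -> findings for every login that has at least one finding."""
    report = {}
    for line in lines:
        login = parse_line(line)
        if login is None:
            continue
        found = login.findings()
        if found:
            report[(login.user, login.rip)] = found
    return report


SAMPLE_LOG = [
    # the two lines from the post (STARTTLS on 143, then IMAPS on 993)
    "Aug 13 21:49:55 colwyn dovecot: imap-login: Login: user=<tron>, method=CRAM-MD5, rip=2001:8b0:114:1::2, lip=2001:8b0:114:1::2, mpid=10567, TLS=<TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)>, session=<ZkEhYtrjSgAgAQiwARQAAQAAAAAAAAAC>",
    "Aug 14 07:44:59 colwyn dovecot: imap-login: Login: user=<tron>, method=CRAM-MD5, rip=2001:8b0:114:1::2, lip=2001:8b0:114:1::2, mpid=1156, TLS=<TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)>, session=<0js/suLj9gAgAQiwARQAAQAAAAAAAAAC>",
    # constructed: a phone-style client with no PFS, a 128-bit key and an old protocol
    "Aug 14 08:01:02 colwyn dovecot: imap-login: Login: user=<phone>, method=PLAIN, rip=192.0.2.10, lip=2001:8b0:114:1::2, mpid=1201, TLS=<TLSv1 with cipher AES128-SHA (128/128 bits)>, session=<constructed0000000000000000>",
    # constructed: plaintext login, no TLS field at all
    "Aug 14 08:02:30 colwyn dovecot: imap-login: Login: user=<legacy>, method=PLAIN, rip=192.0.2.11, lip=2001:8b0:114:1::2, mpid=1202, session=<constructed0000000000000001>",
    # constructed: not a Login line, so it is skipped
    "Aug 14 08:03:00 colwyn dovecot: imap-login: Disconnected (no auth attempts in 2 secs): rip=192.0.2.12, lip=2001:8b0:114:1::2, TLS",
]

if __name__ == "__main__":
    for (user, rip), found in weak_logins(SAMPLE_LOG).items():
        print(f"{user}@{rip}: {', '.join(found)}")
```

Run against a real log with `weak_logins(open("/var/log/maillog"))`; the regexes only match lines written in the patched format, so unpatched servers simply produce an empty report. Note that the first post line (TLS 1.0 with a 256-bit DHE suite) is reported only for its protocol version, which matches the author's observation that the same client negotiates TLS 1.2 on port 993.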
-------------- next part --------------
$NetBSD$

Log the cipher used by a TLS connection.

--- src/login-common/client-common.c.orig	2013-06-16 22:04:28.000000000 +0100
+++ src/login-common/client-common.c	2013-08-13 21:23:15.000000000 +0100
@@ -506,7 +506,8 @@
 	} else {
 		const char *ssl_state =
 			ssl_proxy_is_handshaked(client->ssl_proxy) ?
-			"TLS" : "TLS handshaking";
+						t_strdup_printf("TLS=<%s>", ssl_proxy_get_security_string(client->ssl_proxy)) :
+						"TLS handshaking";
 		const char *ssl_error =
 			ssl_proxy_get_last_error(client->ssl_proxy);
 
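Review bot: the two `+` lines turn the existing literal `TLS` in the Login line into `TLS=<...>` whenever the handshake has completed, so any log parser or fail2ban-style filter that matches the old token will need updating; either mention the format change in the patch description or keep `TLS` as the prefix and append the security string after it. `ssl_proxy_get_security_string()` is not defined in this hunk, so the patch should confirm it is declared in the ssl-proxy header this file includes, and the two `+` lines are indented deeper than the `-` line they replace, which does not match the surrounding continuation style.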

