4

I am planning on disabling TLSv1 on an Apache 2.4 server running on Ubuntu 14.04. Before doing this I thought it would be good to analyse how many users this would impact. I've read through the Apache log documentation, which should allow me to log environment variables.

http://httpd.apache.org/docs/2.4/mod/mod_log_config.html

I have a RewriteRule I set up to redirect users with TLSv1, which works fine. The rule looks like this:

 RewriteCond %{SSL:SSL_PROTOCOL} ^TLSv1$
 RewriteRule ^/test* /bad-ssl.html [L]

This works perfectly. However, I cannot get the log module to write SSL environment variables.

 CustomLog ${APACHE_LOG_DIR}/ssl.log "%a \"%{SSL_PROTOCOL}e\" \"%{SSL:SSL_PROTOCOL}e\" \"%{evn:SSL_PROTOCOL}e\"" 

What am I missing?

1 Answer

4

The variable SSL_PROTOCOL (and all other mod_ssl variables) is technically not an environment variable, therefore

"%{VARNAME}e" 

won't work.

According to http://httpd.apache.org/docs/2.4/mod/mod_ssl.html (Section Custom Log Formats) you have to use the syntax:

"%{VARNAME}x" 

for SSL variables. To modify your config, it should read:

CustomLog ${APACHE_LOG_DIR}/ssl.log "%a \"%{SSL_PROTOCOL}x\"" 

I assume SSL:SSL_PROTOCOL and evn:SSL_PROTOCOL were just attempts to achieve the same.

1
  • Perfect, many thanks. You're correct about my attempts with env: etc... Commented Jan 28, 2016 at 10:42
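An added example, not part of the original question or answer: once the corrected `CustomLog` line from the answer is writing `ssl.log`, a short script like the following can estimate how many clients would be affected by disabling TLSv1. The function names and the sample log lines are constructed for illustration; it assumes the exact format `%a "%{SSL_PROTOCOL}x"` and that a request with no TLS protocol is logged as `"-"`.

```python
import re
from collections import defaultdict

# Matches lines written by: CustomLog ... "%a \"%{SSL_PROTOCOL}x\""
LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<proto>[^"]*)"$')
NEWER = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}  # protocols that remain enabled

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 "TLSv1.2"
203.0.113.10 "TLSv1.2"
198.51.100.7 "TLSv1"
198.51.100.7 "TLSv1"
198.51.100.7 "TLSv1.2"
192.0.2.44 "TLSv1"
2001:db8::15 "TLSv1.1"
192.0.2.99 "-"
this line is malformed
"""

def summarize(lines):
    """Return (requests per protocol, client IPs per protocol, unparsed count)."""
    requests = defaultdict(int)
    clients = defaultdict(set)
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # count, rather than silently drop, unexpected lines
            continue
        requests[m["proto"]] += 1
        clients[m["proto"]].add(m["ip"])
    return dict(requests), dict(clients), skipped

def tls10_only_clients(clients):
    """Client IPs seen with TLSv1 and never with a newer protocol."""
    newer = set()
    for proto in NEWER:
        newer |= clients.get(proto, set())
    return clients.get("TLSv1", set()) - newer

if __name__ == "__main__":
    requests, clients, skipped = summarize(SAMPLE_LOG.splitlines())
    for proto in sorted(requests):
        print(f"{proto:8} requests={requests[proto]:3} clients={len(clients[proto])}")
    print("TLSv1-only clients:", sorted(tls10_only_clients(clients)))
    print("unparsed lines:", skipped)
```

To run it against the real file, pass `open(path)` to `summarize()` instead of the sample. Client IPs are only a proxy for users: several users behind one NAT address count once, and one user on a changing address counts several times.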
