ciphers and protocols aren't shown in ssl.log

Hi,

I installed Zeek 3.2.2 on CentOS 7 (amd64).

I want to be able to log the SSL ciphers and protocols used on a host so we can get an overview of how many old clients are connecting.

However, in the ssl.log, it does not log that information.

[root@zeek current]# ll
insgesamt 68
-rw-r--r--. 1 root zeek 2316 27. Nov 21:44 conn.log
-rw-r--r--. 1 root zeek 581 27. Nov 21:44 dns.log
-rw-r--r--. 1 root zeek 26221 27. Nov 21:43 loaded_scripts.log
-rw-r--r--. 1 root zeek 600 27. Nov 21:44 ntp.log
-rw-r--r--. 1 root zeek 227 27. Nov 21:43 packet_filter.log
-rw-r--r--. 1 root zeek 666 27. Nov 21:44 reporter.log
-rw-r--r--. 1 root zeek 497 27. Nov 21:44 ssl.log
-rw-r--r--. 1 root zeek 686 27. Nov 21:43 stats.log
-rw-r--r--. 1 root zeek 20 27. Nov 21:43 stderr.log
-rw-r--r--. 1 root zeek 188 27. Nov 21:43 stdout.log
-rw-r--r--. 1 root zeek 983 27. Nov 21:44 weird.log
[root@zeek current]# cat ssl.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssl
#open 2020-11-27-21-44-28
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string
1606509862.986251 CCB2e543osaLm9T38 192.168.1.238 52108 aaa.bb.ccc.68 443 - - - server68.domain.org F - - F - - - - - - -

In share/zeek/site/local.zeek

I’ve added

@load protocols/ssl/weak-keys

In
share/zeek/policy/protocols/ssl/weak-keys.zeek

I’ve set
  option tls_minimum_version = TLSv12;

Is there anything else to do?

I run this in a local VMWare Fusion VM.

I connected to the host above via curl -v --tlsv1.0

Rainer

Hi Johanna,

yes, this was it.

I added „zeekargs= -C“ to zeekctl.cfg.

I ran curl outside of the VM and it would just see the connection but not log the SSL details, but once I run curl inside the VM, it sees everything.

Thanks a lot!

Best Regards
Rainer
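
Added example, not part of the original thread: once ssl.log carries version and cipher, a short Python script can produce the overview of old clients asked for in the first message, and also list rows where both fields are still unset, like the one shown in the post. The sample log lines are constructed (trimmed field list, documentation IP addresses), and the `OLD_VERSIONS` cutoff is an assumption based on the TLSv12 minimum mentioned above.

```python
from collections import Counter

# Assumption: "old" means below the TLSv12 minimum mentioned in the post.
OLD_VERSIONS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}

# Constructed sample in Zeek's TSV layout (trimmed field list, documentation IPs).
SAMPLE_SSL_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tssl",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tversion\tcipher\tserver_name",
    "1606509862.9\tCaaa1\t192.0.2.10\t198.51.100.68\t-\t-\tserver68.example.org",
    "1606509901.2\tCbbb2\t192.0.2.10\t198.51.100.68\tTLSv10\tTLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\tserver68.example.org",
    "1606509915.4\tCccc3\t192.0.2.11\t198.51.100.68\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tserver68.example.org",
    "1606509930.7\tCddd4\t192.0.2.12\t198.51.100.68\tTLSv13\tTLS_AES_128_GCM_SHA256\tserver68.example.org",
    "1606509944.0\tCeee5\t192.0.2.10\t198.51.100.68\tTLSv10\tTLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\tserver68.example.org",
])


def parse_zeek_tsv(text):
    """Yield one dict per record, honouring the #fields and #unset_field headers."""
    fields, unset = [], "-"
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#unset_field\t"):
            unset = line.split("\t")[1]
        elif line and not line.startswith("#"):
            values = line.split("\t")
            yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def summarize(text):
    """Tally versions and ciphers, count old-protocol clients, list unparsed rows."""
    versions, ciphers, old_clients, unparsed = Counter(), Counter(), Counter(), []
    for rec in parse_zeek_tsv(text):
        if rec["version"] is None:
            # version and cipher unset, as in the ssl.log row shown in the post
            unparsed.append(rec["uid"])
            continue
        versions[rec["version"]] += 1
        ciphers[rec["cipher"]] += 1
        if rec["version"] in OLD_VERSIONS:
            old_clients[rec["id.orig_h"]] += 1
    return {"versions": versions, "ciphers": ciphers,
            "old_clients": old_clients, "unparsed": unparsed}


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_SSL_LOG).items():
        print(name, dict(value) if isinstance(value, Counter) else value)
```

A growing `unparsed` list is a cue to check the capture path before trusting the version counts.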