Hello,

the attached patch for Dovecot 2.2.4 improves the logging to include
information about the cipher suite used for a TLS connection. Here is
an example log line:

Aug 13 21:49:55 colwyn dovecot: imap-login: Login: user=<tron>, method=CRAM-MD5, rip=2001:8b0:114:1::2, lip=2001:8b0:114:1::2, mpid=10567, TLS=<TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)>, session=<ZkEhYtrjSgAgAQiwARQAAQAAAAAAAAAC>

This will e.g. allow you to find out that mobile phones use rather
weak cipher suites (128-bit keys, no PFS).

There is also something else I noticed. If I switch "mutt" (which generated
the above log line) from using IMAP on port 143 and "STARTTLS" to use IMAPS
on port 993 I get TLS 1.2:

Aug 14 07:44:59 colwyn dovecot: imap-login: Login: user=<tron>, method=CRAM-MD5, rip=2001:8b0:114:1::2, lip=2001:8b0:114:1::2, mpid=1156, TLS=<TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)>, session=<0js/suLj9gAgAQiwARQAAQAAAAAAAAAC>

Not sure why TLS 1.2 is only used in this case. It might be "mutt"
doing that.

        Kind regards

-- 
Matthias Scheler                                  http://zhadum.org.uk/
$NetBSD$

Log the cipher used by a TLS connection.

--- src/login-common/client-common.c.orig       2013-06-16 22:04:28.000000000 
+0100
+++ src/login-common/client-common.c    2013-08-13 21:23:15.000000000 +0100
@@ -506,7 +506,8 @@
        } else {
                const char *ssl_state =
                        ssl_proxy_is_handshaked(client->ssl_proxy) ?
-                       "TLS" : "TLS handshaking";
+                                               t_strdup_printf("TLS=<%s>", 
ssl_proxy_get_security_string(client->ssl_proxy)) :
+                                               "TLS handshaking";
                const char *ssl_error =
                        ssl_proxy_get_last_error(client->ssl_proxy);
 
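Review bot: the two branches of the conditional now yield differently shaped strings, "TLS=<...>" once the handshake is complete but a bare "TLS handshaking" otherwise, so anything that matched the old "TLS" token in login lines now has to cope with two formats; consider emitting the handshaking case in the same "TLS=<...>" form (for example "TLS=<handshaking>") so the field is always present and parseable. The hunk also introduces a call to ssl_proxy_get_security_string() with no other change shown, so it relies on that function already being declared in the ssl-proxy header that client-common.c includes; if it is not, the patch needs that declaration too. Finally, the added lines appear to use a different mix of tabs and spaces from the surrounding code; the continuation lines should be indented like the "TLS" : "TLS handshaking" line they replace.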
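The log lines above show the field the patch adds, TLS=<protocol with cipher NAME (bits/bits)>. Here is an added example, not part of the message or of Dovecot, of how a defender might parse that field and flag the logins the author is concerned about: no forward secrecy (identified, as an assumption, by the OpenSSL ephemeral key-exchange prefixes DHE-, ECDHE-, EDH- and EECDH-), key sizes below 256 bits, and logins with no TLS field at all. The first two sample lines are the ones from the message; the last two are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log; lines 1-2 are copied from the message, lines 3-4 are made up.
SAMPLE_LOG = """\
Aug 13 21:49:55 colwyn dovecot: imap-login: Login: user=<tron>, method=CRAM-MD5, rip=2001:8b0:114:1::2, lip=2001:8b0:114:1::2, mpid=10567, TLS=<TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)>, session=<ZkEhYtrjSgAgAQiwARQAAQAAAAAAAAAC>
Aug 14 07:44:59 colwyn dovecot: imap-login: Login: user=<tron>, method=CRAM-MD5, rip=2001:8b0:114:1::2, lip=2001:8b0:114:1::2, mpid=1156, TLS=<TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)>, session=<0js/suLj9gAgAQiwARQAAQAAAAAAAAAC>
Aug 14 08:02:11 colwyn dovecot: imap-login: Login: user=<phone>, method=PLAIN, rip=192.0.2.10, lip=2001:8b0:114:1::2, mpid=1201, TLS=<TLSv1 with cipher AES128-SHA (128/128 bits)>, session=<constructedSessionId0000001>
Aug 14 08:05:40 colwyn dovecot: imap-login: Login: user=<plain>, method=PLAIN, rip=192.0.2.11, lip=2001:8b0:114:1::2, mpid=1210, session=<constructedSessionId0000002>
"""

# Matches the imap-login "Login:" line as shown in the message; the TLS field is optional
# because a login over a plaintext connection has none.
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]*)>, method=(?P<method>[^,]+), "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+), mpid=(?P<mpid>\d+), "
    r"(?:TLS=<(?P<tls>[^>]*)>, )?session=<(?P<session>[^>]+)>"
)
# Matches the security string inside TLS=<...>: "<proto> with cipher <name> (<bits>/<bits> bits)".
TLS_RE = re.compile(
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/(?P<alg_bits>\d+) bits\)"
)
# Assumption: OpenSSL cipher names with these prefixes use an ephemeral key exchange (PFS).
PFS_PREFIXES = ("DHE-", "ECDHE-", "EDH-", "EECDH-")


def parse_tls(field: str) -> Optional[Dict[str, object]]:
    """Split the security string into protocol, cipher, key bits and a PFS flag."""
    m = TLS_RE.match(field)
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "cipher": m.group("cipher"),
        "bits": int(m.group("bits")),
        "alg_bits": int(m.group("alg_bits")),
        "pfs": m.group("cipher").startswith(PFS_PREFIXES),
    }


def parse_login(line: str) -> Optional[Dict[str, object]]:
    """Parse one Login: line; returns None for lines that are not logins."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = {k: m.group(k) for k in ("user", "method", "rip", "lip", "session")}
    rec["mpid"] = int(m.group("mpid"))
    rec["tls"] = parse_tls(m.group("tls")) if m.group("tls") else None
    return rec


def assess(rec: Dict[str, object]) -> List[str]:
    """Return the findings for one login: plaintext, no-pfs and/or short-key."""
    findings: List[str] = []
    tls = rec["tls"]
    if tls is None:
        findings.append("plaintext")      # no TLS field: credentials went over the wire in clear
        return findings
    if not tls["pfs"]:
        findings.append("no-pfs")         # static RSA key exchange, no forward secrecy
    if tls["bits"] < 256:
        findings.append("short-key")      # the 128-bit case the message singles out
    return findings


def summarize(log_text: str) -> List[Dict[str, object]]:
    """Run the parser and assessment over a whole log and report per login."""
    report = []
    for line in log_text.splitlines():
        rec = parse_login(line)
        if rec is None:
            continue
        report.append({"user": rec["user"], "rip": rec["rip"], "findings": assess(rec)})
    return report


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG):
        status = ", ".join(entry["findings"]) or "ok"
        print(f"{entry['user']:<8} {entry['rip']:<20} {status}")
```

The thresholds are deliberately those the message states (PFS and 256-bit keys); a site that wants to alert on the protocol version as well can add a check on tls["proto"] in assess().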