allinurl / goaccess

GoAccess is a real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser.
https://goaccess.io
MIT License

TLS parsing not working with mod_gnutls #2172

Closed Forza-tng closed 2 years ago

Forza-tng commented 3 years ago

Hi!

I noticed that TLS parsing doesn't work with my Apache server. I'm using mod_gnutls and it outputs this in access.log

"TLS1.3" "ECDHE_RSA_CHACHA20_POLY1305"

Log-format is

log-format %v %h %^[%d %t.%f %^%^] "%r" %s %b "%K" "%k" "%R" "%u"
date-format %Y-%m-%d
time-format %H:%M:%S

Looking at #1967 I think there is a missing 'v' in TLS1.3 and the cipher suites use '_' instead of '-'.

Forza-tng commented 3 years ago

I checked the source and it is indeed a simple string check for TLSv1.1 etc.

allinurl commented 2 years ago

Thanks for reporting this. Sorry a bit confused, are you saying the issue is related to _ vs -?

allinurl commented 2 years ago

okay so I just tried this and it's not outputting anything on that panel because of TLS1.3 not having the common v on it, e.g., TLSv1.3.

I could simply add TLS1.1 TLS1.2 TLS1.3 but I wonder what's the standard here... any thoughts?

allinurl commented 2 years ago

I've added TLS1.1 TLS1.2 TLS1.3 to the list upstream. It will be pushed out in the upcoming release. Stay tuned.

Closing this. Feel free to reopen it if needed. Thanks
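For GoAccess builds that predate the change described above, the mod_gnutls version token can be rewritten before the log reaches GoAccess. This is an added example, not part of the thread or of GoAccess's code; the script, its function names and the sample lines are constructed, and it rewrites only the `"%K"` field that follows `"%r" %s %b` in the log-format from the original report.

```python
import re
import sys

# Only the version tokens named in this thread; anything else passes through.
GNUTLS_TO_V = {"TLS1.1": "TLSv1.1", "TLS1.2": "TLSv1.2", "TLS1.3": "TLSv1.3"}

# Anchor on `"%r" %s %b "%K" "`: closing quote of the request, status, bytes,
# then the quoted protocol field. Apache logs embedded quotes as \" so the
# same text inside a referrer or user-agent does not match this pattern.
K_FIELD = re.compile(r'(" \d{3} (?:\d+|-) ")(TLS1\.[123])(" ")')

def normalize_line(line):
    """Rewrite the %K field from mod_gnutls spelling to the 'TLSv' spelling."""
    def repl(m):
        return m.group(1) + GNUTLS_TO_V[m.group(2)] + m.group(3)
    return K_FIELD.sub(repl, line, count=1)

def normalize(lines):
    """Return (rewritten lines, number of lines changed)."""
    out, changed = [], 0
    for line in lines:
        new = normalize_line(line)
        changed += new != line
        out.append(new)
    return out, changed

# Constructed sample lines (not taken from the report).
SAMPLE = [
    # mod_gnutls spelling in %K: rewritten; cipher name is left untouched.
    r'www.example.org 203.0.113.7 - [2022-01-15 10:11:12.123456 +0100 -] '
    r'"GET / HTTP/1.1" 200 512 "TLS1.3" "ECDHE_RSA_CHACHA20_POLY1305" "-" "curl/7.79.1"',
    # Already 'TLSv' in %K, and "TLS1.3" appears only inside the user-agent.
    r'www.example.org 203.0.113.8 - [2022-01-15 10:11:13.000001 +0100 -] '
    r'"GET /a HTTP/1.1" 200 90 "TLSv1.2" "ECDHE-RSA-AES128-GCM-SHA256" "-" "probe \"TLS1.3\" test"',
    # Plain HTTP request: no TLS fields logged.
    r'www.example.org 203.0.113.9 - [2022-01-15 10:11:14.000002 +0100 -] '
    r'"GET /b HTTP/1.1" 301 - "-" "-" "-" "-"',
]

if __name__ == "__main__":
    # With a pipe on stdin, act as a filter; otherwise show the sample.
    source = SAMPLE if sys.stdin.isatty() else (l.rstrip("\n") for l in sys.stdin)
    for line in source:
        print(normalize_line(line))
```

Used as a filter, the script's output can be piped into GoAccess in place of the raw access.log.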

Forza-tng commented 2 years ago

> Thanks for reporting this. Sorry a bit confused, are you saying the issue is related to _ vs -?

I originally thought that GoAccess also checked for the cipher suites. OpenSSL uses - in the names and GnuTLS uses _.

allinurl commented 2 years ago

It does, but only when it's given as version of it, e.g.,

"ciphersuite": 49196 resolves to TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384