SSL Client Cipher in Application Logs on Avi Vantage

Overview

Starting with 18.1.4, Avi Vantage supports capturing the SSL client's cipher details in the application logs. Avi Vantage records the ciphers sent by a client in the SSL Client Hello packet. The cipher details used to establish an SSL connection with a virtual service are available in the application log.

No Shared Ciphers Error

When a client offers only ciphers that are not supported, the virtual service closes the connection and records the error No Shared Cipher in the application log. The following are the reasons for the No Shared Cipher error:

  • The client sends ciphers that are not configured in the virtual service's SSL profile.
  • The client sends ciphers that do not match the authentication type of the certificate on the virtual service.
    • For example, the client sends ECDSA ciphers when the virtual service has only an RSA certificate configured.
  • The client sends ciphers that do not match the enabled SSL/TLS protocol.
    • For example, the client sends the TLS 1.2 cipher AES256-GCM-SHA384 when the virtual service does not have the TLS 1.2 protocol enabled (even though the SSL profile has this cipher enabled).

When any one of these issues occurs, it is helpful to see which ciphers the client sent as part of the Client Hello. The necessary changes can then be made to the virtual service or the client configuration to fix the problem.
A client sends anywhere between 180 and 200 ciphers in a Client Hello, and the server picks one of them.

The cipher selection depends on various factors on the virtual service, such as the ciphers and protocols enabled and the type of certificate configured. When the virtual service is unable to select a single cipher, the SSL connection fails with the error: SSL Error: No Shared Cipher. In such a case, Avi Vantage records all the ciphers that the client sent in the application log.

Accessing Client’s Cipher List

The client's cipher list is accessible through a REST API request for the application log. The identified and unidentified ciphers can be checked using the field client_cipher_list within the application log.

A No Shared Cipher SSL error can be fixed by making the necessary changes to the virtual service or the client configuration according to the ciphers sent by the client.
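The three causes listed above can be checked mechanically against the client_cipher_list field. The following Python script is an added example, not Avi Vantage code: it reads a constructed application-log record and an assumed virtual-service configuration (the profile_ciphers, protocols and cert_types keys are assumptions for this example) and labels each client cipher with the reason it cannot be negotiated.

```python
import json

# Constructed sample log record; only client_cipher_list is a field named on the page,
# "significance" is an assumed field used here to carry the error text.
SAMPLE_LOG = json.dumps({
    "significance": "SSL Error: No Shared Cipher",
    "client_cipher_list": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
                          ":AES256-GCM-SHA384:RC4-SHA",
})

# Assumed virtual-service settings: TLS 1.2 disabled and only an RSA certificate installed.
VS_CONFIG = {
    "profile_ciphers": {"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                        "AES256-GCM-SHA384", "AES128-SHA"},
    "protocols": {"TLSv1.1"},
    "cert_types": {"RSA"},
}


def cipher_auth_type(cipher):
    """Certificate type an OpenSSL-style cipher name requires (ECDSA or RSA)."""
    return "ECDSA" if "ECDSA" in cipher else "RSA"


def needs_tls12(cipher):
    """AEAD (GCM/CHACHA20) and SHA-2 MAC suites exist only from TLS 1.2 onward."""
    return any(tok in cipher for tok in ("GCM", "CHACHA20", "SHA256", "SHA384"))


def explain_no_shared_cipher(log_record, vs):
    """Map every cipher in client_cipher_list to the reason it is unusable, or 'usable'."""
    rec = json.loads(log_record)
    reasons = {}
    for cipher in rec["client_cipher_list"].split(":"):
        if cipher not in vs["profile_ciphers"]:
            reasons[cipher] = "not in SSL profile"
        elif cipher_auth_type(cipher) not in vs["cert_types"]:
            reasons[cipher] = "certificate type mismatch"
        elif needs_tls12(cipher) and "TLSv1.2" not in vs["protocols"]:
            reasons[cipher] = "protocol mismatch (needs TLS 1.2)"
        else:
            reasons[cipher] = "usable"
    return reasons


def shared_cipher_exists(reasons):
    """True when at least one client cipher could be negotiated by the virtual service."""
    return any(r == "usable" for r in reasons.values())


if __name__ == "__main__":
    for cipher, why in explain_no_shared_cipher(SAMPLE_LOG, VS_CONFIG).items():
        print(f"{cipher}: {why}")
```

Enabling TLS 1.2 on the assumed configuration makes the two RSA GCM suites usable, which is the kind of change the page describes making to the virtual service.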