
Enhanced audit logging support for TLS Session ID and SNI

In today’s security-conscious environment, comprehensive logs are paramount for in-depth troubleshooting and informed decision-making. Recognizing this critical need, NetScaler now enhances its front end and backend logging to include Server Name Indication (SNI) details for both TLS 1.2 and TLS 1.3 sessions. Also, TLS Session ID (for TLS 1.2 sessions) and the TLS 1.3 client tracking ID (for TLS 1.3 sessions) are logged directly in the ns.log. It’s important to note that while TLS Session ID is logged for both front-end and backend, the TLS 1.3 client tracking ID is available in front-end logs only. This enhancement provides the granular visibility essential for maintaining a strong security posture and operational efficiency.

The improved logging covers various SNI and TLS session scenarios, ensuring comprehensive visibility:

  • ECH Handshakes: The successfully negotiated SNI name is logged.
  • SNI Sent, Disabled on Virtual Server: If a client sends an SNI but SNI is disabled on the virtual server, NetScaler serves the default certificate (if bound). The event is logged as: Client Req SNI "<Domain name>" -reason "No matching certificate found. Default certificate sent"
  • SNI Enabled, No Match, “Allow Unknown SNI” Configured: If a client sends an SNI, SNI is enabled, but no matching certificate is found (and “Allow unknown SNI” is configured), NetScaler serves the default certificate (if bound). The event is logged as: Client Req SNI "<Domain Name>" -reason "No matching certificate found. Default certificate sent"
  • Client Connects Without SNI, SNI Enabled, No Match: When a client connects without SNI, SNI is enabled on the virtual server, and no matching certificate is found, NetScaler rejects the connection. The event is logged as: -Client Req SNI "<Domain Name>" -reason "No matching certificate found"
  • Successful SNI Match: When the client provides an SNI and a corresponding certificate is found, the log shows: -Client Req SNI "<Domain Name>" -reason "Matching certificate found"
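The scenarios above are the three outcomes a defender wants to separate when reading ns.log: an SNI that matched a bound certificate, an SNI that fell back to the default certificate, and a connection that was rejected. The following added example (not NetScaler's own code or output) parses constructed sample lines into those outcomes and reports hostnames that are repeatedly served the default certificate, which usually means a certificate binding or the SNI setting on the virtual server needs review. Only the fragment `Client Req SNI "<name>" -reason "<text>"` follows the wording quoted in this article; the timestamp, event name, `ClientIP`, `Vserver`, `TLSv1.2 SessionID` and `TLSv1.3 ClientTrackingID` fields are assumptions made for the example.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample of ns.log lines (not real NetScaler output). Only the
#   Client Req SNI "<name>" -reason "<text>"
# fragment follows the wording quoted in the documentation; the timestamp,
# event name, ClientIP, Vserver and the "TLSv1.2 SessionID" /
# "TLSv1.3 ClientTrackingID" fields are assumptions made for this example.
SAMPLE_NS_LOG = """\
Jun 01 10:00:01 ns SSLLOG : ClientIP 10.0.0.5 - Vserver vs_web - TLSv1.2 SessionID 3a9f01 - Client Req SNI "www.example.test" -reason "Matching certificate found"
Jun 01 10:00:02 ns SSLLOG : ClientIP 10.0.0.6 - Vserver vs_web - TLSv1.3 ClientTrackingID 7c1e42 - Client Req SNI "old.example.test" -reason "No matching certificate found. Default certificate sent"
Jun 01 10:00:03 ns SSLLOG : ClientIP 10.0.0.7 - Vserver vs_web - TLSv1.2 SessionID 5b2077 - Client Req SNI "unknown.example.test" -reason "No matching certificate found"
Jun 01 10:00:04 ns SSLLOG : ClientIP 10.0.0.8 - Vserver vs_web - TLSv1.3 ClientTrackingID 9d0aa1 - Client Req SNI "old.example.test" -reason "No matching certificate found. Default certificate sent"
Jun 01 10:00:05 ns NSLOG : unrelated line without an SNI field
"""

SNI_RE = re.compile(r'Client Req SNI "(?P<sni>[^"]*)" -reason "(?P<reason>[^"]*)"')
CLIENT_IP_RE = re.compile(r'ClientIP (?P<ip>\S+)')
TLS12_RE = re.compile(r'TLSv1\.2 SessionID (?P<id>\S+)')
TLS13_RE = re.compile(r'TLSv1\.3 ClientTrackingID (?P<id>\S+)')


def classify_reason(reason: str) -> str:
    """Map the -reason text to one of the three outcomes the article describes."""
    if reason.startswith("Matching certificate found"):
        return "matched"          # SNI matched a bound certificate
    if "Default certificate sent" in reason:
        return "default_cert"     # no match, default certificate served
    return "rejected"             # no match and no default: handshake refused


def parse_line(line: str) -> Optional[dict]:
    """Return a dict for an SNI audit line, or None if the line is not one."""
    m = SNI_RE.search(line)
    if m is None:
        return None
    event = {
        "sni": m.group("sni"),
        "reason": m.group("reason"),
        "outcome": classify_reason(m.group("reason")),
        "client_ip": None,
        "tls_version": None,
        "session_id": None,          # TLS 1.2 only
        "client_tracking_id": None,  # TLS 1.3, front end only
    }
    ip = CLIENT_IP_RE.search(line)
    if ip:
        event["client_ip"] = ip.group("ip")
    if (t12 := TLS12_RE.search(line)):
        event["tls_version"] = "1.2"
        event["session_id"] = t12.group("id")
    elif (t13 := TLS13_RE.search(line)):
        event["tls_version"] = "1.3"
        event["client_tracking_id"] = t13.group("id")
    return event


def parse_log(text: str) -> list:
    """Parse every SNI audit line in a log excerpt, skipping unrelated lines."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def outcome_counts(events: list) -> Counter:
    """Count events per (SNI, outcome) pair."""
    return Counter((e["sni"], e["outcome"]) for e in events)


def sni_served_default_cert(events: list, min_hits: int = 1) -> list:
    """SNI names served the default certificate at least min_hits times.

    Each such name is a hostname clients expect on this virtual server but
    for which no certificate is bound: review the binding or the SNI setting
    rather than leaving those clients on the default certificate.
    """
    hits = Counter(e["sni"] for e in events if e["outcome"] == "default_cert")
    return sorted(name for name, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_NS_LOG)
    for (sni, outcome), n in sorted(outcome_counts(evts).items()):
        print(f"{sni:25} {outcome:13} {n}")
    print("needs certificate:", sni_served_default_cert(evts, min_hits=2))
```

Run it against a real excerpt by replacing `SAMPLE_NS_LOG` with the contents of ns.log; because the field layout outside the quoted SNI fragment is assumed, expect to adjust `CLIENT_IP_RE`, `TLS12_RE` and `TLS13_RE` to the exact wording your build emits.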

Enable TLS Session and SNI Logging

To enable the enhanced TLS session ID and SNI logging, configure the sslclientLogs parameter at the appropriate level.

Notes:

  • SNI is logged for both TLS 1.2 and TLS 1.3 sessions, on both the front end and the backend.

  • The TLS Session ID is specific to TLS 1.2 and is logged for both front end and backend connections.

  • For TLS 1.3 sessions, the TLS Session ID is not present. Instead, the TLS 1.3 client tracking ID is logged, but only for front-end connections.

To enable enhanced TLS session ID and SNI logging by using the CLI

You can enable sslclientLogs by using the set ssl command for the different entities.

  1. At the Virtual Server Level (front-end): To enable logging for a specific SSL virtual server:
      set ssl vserver <name> -sslclientLogs ENABLED

  2. At the Service Level (Backend): To enable logging for a specific SSL service:
      set ssl service <service_name> -sslclientLogs ENABLED

  3. At the Service Group Level (Backend): To enable logging for a specific SSL service group:
      set ssl serviceGroup <servicegroup_name> -sslclientLogs ENABLED

  4. Using SSL Profiles: If SSL profiles are enabled and in use, you can configure logging directly on the profiles.

    • Front end SSL Profile: To enable logging for the default front end SSL profile:
      set ssl profile ns_default_ssl_profile_frontend -sslclientLogs ENABLED
      If you are using a custom front end SSL profile, replace ns_default_ssl_profile_frontend with the name of your custom profile.
    • Backend SSL Profile: To enable logging for the default backend SSL profile:
      set ssl profile ns_default_ssl_profile_backend -sslclientLogs ENABLED
      If you are using a custom backend SSL profile, replace ns_default_ssl_profile_backend with the name of your custom profile.

To enable client logs for enhanced SSL profiles (front-end and back-end) by using the GUI

  1. Navigate to System > Profiles > SSL Profile.
  2. Select the required profile (front-end or backend) and click Edit.
  3. In the Basic Settings section, click the pencil icon.
  4. Select SSL client Logs.
  5. Click OK.

To enable client logs for a virtual server by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Select the SSL virtual server and click Edit.
  3. Under Advanced Settings, click SSL Parameters.
  4. In the SSL Parameters section, click the pencil icon.
  5. Select SSL client Logs.
  6. Click OK.

To enable client logs for a service by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Services.
  2. Select the service and click Edit.
  3. In the SSL Parameters section, click the pencil icon.
  4. Select SSL client Logs.
  5. Click OK.