Add variable to log which TLS certificate was used

[lapo-luchini]

When using multiple ssl_ciphers (usually: RSA + ECDSA), it seems ot me that's impossible to know (and/or log) which was was used for a specific connection or, at least, I cannot find a variable reporting that value.

This is because it seems to me that nowadays most client just support ECC and having RSA+ECDSA dual certificates is overkill, but before dropping them altogether I'd prefer to keep as is for a few more months and log the data, to veryfy how often the RSA one is actually used.

[lonerr]

You can determine this indirectly. Just log $ssl_cipher variable, it should be TLS_*_ECDSA or TLS_*_RSA depending on certificate actually used.

[lapo-luchini]

Mhh, doesn't seem like so: I'm currently logging $ssl_protocol/$ssl_cipher and the output I get is like this:

% egrep -o 'TLSv[^ ]*' access.log | sort | uniq -c | sort -rn | column -t
156144  TLSv1.3/TLS_AES_128_GCM_SHA256
57316   TLSv1.3/TLS_AES_256_GCM_SHA384
4263    TLSv1.2/ECDHE-ECDSA-AES128-GCM-SHA256
3942    TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256
3385    TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384
859     TLSv1.3/TLS_CHACHA20_POLY1305_SHA256
539     TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384
390     TLSv1.2/ECDHE-RSA-CHACHA20-POLY1305

Or rather: partially… seems like it can be deduced in TLSv1.2, but not in TLSv1.3?

[lonerr]

Indeed, modern ciphers use the certificate for authencity check only but not for keys exchange (so both types can be used).
I agree that introducing dedicated variable makes sense.