I have enabled TLS connection logging in my Azure cloud service to find out what TLS version my clients are using, following the guidance here - https://www.microsoft.com/security/blog/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/
However I notice quite a few entries with all the four fields set to empty. I see requests from few clients with the TLS1.2 (crypt-protocol = 400) and some requests from same clients with crypt-protocol set to empty. The volume is quite low, however I was wondering why would those entries be logged? My hunch is just an edge case or error case in IIS where it logs a default empty value. Or would it be because IIS was not able to figure out the protocol the connection is using?
I want to disable TLS versions older than 1.2 on my server and hence need to find out. Looking at the volume, I should probably be good to just disable, but wanted to see if the community has more insights and if this is due to genuine reasons, probably reach out to the clients to get it fixed before turning off older TLS versions.
Edit: The value is empty and not "-".
Below is the iis custom log field:
CRYPT_PROTOCOL
CRYPT_CIPHER_ALG_ID
CRYPT_HASH_ALG_ID
CRYPT_KEYEXCHANGE_ALG_ID
This functionality actually not supported by the Azure App Services.
Logging TLS related data in IIS logs for Azure App Service
https://www.microsoft.com/security/blog/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/