[squid-dev] [PATCH] Log SSL Cryptography Parameters

Alex Rousskov rousskov at measurement-factory.com
Sun Dec 13 19:35:40 UTC 2015


On 12/13/2015 02:16 AM, Amos Jeffries wrote:
> On 11/12/2015 6:36 a.m., Christos Tsantilas wrote:
>> This patch adds the following formatting codes:
>>
>>   %ssl::>negotiated_version
>>   The SSL version of the client-to-Squid connection.
>>
>>   %ssl::<negotiated_version
>>   The SSL version of the Squid-to-server connection.
>>
>>   %ssl::>received_hello_version
>>   The SSL version of the Hello message received from SSL client.
>>
>>   %ssl::<received_hello_version
>>   The SSL version of the Hello message received from SSL server.
>>
>>   %ssl::>received_supported_version
>>   The maximum SSL version supported by the SSL client.
>>
>>   %ssl::<received_supported_version
>>   The maximum SSL version supported by the SSL server.
>>
>>   %ssl::>cipher
>>   The negotiated cipher of the client-to-Squid connection.
>>
>>   %ssl::<cipher
>>   The negotiated cipher of the Squid-to-server connection.



> There also seems to be a lot of confusion over the meaning of "SSL
> version" in the documentation.

AFAICT, the proposed names and definitions above are significantly
better than what you have proposed below. Specifically,

* The above definitions are correct while yours appear to confuse the
version of a Hello message with the maximum version supported by the agent.

* Spelled-out names reduce the chance of using the wrong version flavor,
emphasize the difference between various versions, and make it easy to
add more versions (e.g., Hello versions sent by Squid).


>  - I suggest:
> 
>   %ssl::<v - Negotiated TLS version on the client connection.
> 
>   %ssl::<cv - ClientHello message version received on the client connection.
> 
>   %ssl::<sv - ServerHello message version sent on the client connection.
> 
> 
>   %ssl::>v - Negotiated TLS version on the last server or peer connection.
> 
>   %ssl::>cv - ClientHello message version sent on the last server or
> peer connection.
> 
>   %ssl::>sv - ServerHello message version received on the last server or
> peer connection.


Thank you,

Alex.
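
The distinction argued for above, between the version of a Hello message and the maximum version the agent supports, shown on the wire as an added example that is not part of the original message or of Squid's code. It assumes the "Hello version" is the record-layer version carrying the ClientHello and the "supported version" is the `client_version` field inside it (the thread does not spell out this mapping); the sample bytes are constructed.

```python
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0",
                 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def version_name(v):
    return VERSION_NAMES.get(v, "unknown(0x%04x)" % v)


def parse_client_hello_versions(data):
    """Return (record_version, client_version) names from one raw TLS record.

    Handles only a ClientHello that starts at the beginning of a single
    handshake record; fragmented or coalesced messages are out of scope.
    """
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    frag = data[5:5 + rec_len]
    if len(frag) != rec_len or len(frag) < 6:
        raise ValueError("truncated record or handshake")
    if frag[0] != 0x01:
        raise ValueError("not a ClientHello")
    (client_ver,) = struct.unpack("!H", frag[4:6])
    return version_name(rec_ver), version_name(client_ver)


def log_fields(data):
    """Map the two versions onto the proposed format codes (assumed mapping)."""
    hello, supported = parse_client_hello_versions(data)
    return {"%ssl::>received_hello_version": hello,
            "%ssl::>received_supported_version": supported}


# Constructed sample: a TLS 1.0 record carrying a ClientHello that offers TLS 1.2.
SAMPLE = bytes.fromhex(
    "160301002d"      # record: handshake, version 0x0301, length 45
    "01000029"        # handshake: ClientHello, length 41
    "0303"            # client_version 0x0303
    + "00" * 32 +     # random (zeroed for the sample)
    "00"              # empty session id
    "0002c02f"        # one cipher suite
    "0100")           # one compression method: null

if __name__ == "__main__":
    for code, value in log_fields(SAMPLE).items():
        print(code, value)
```
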


