[squid-users] 3.5.8 — SSL Bump questions
Jason Haar
Jason_Haar at trimble.com
Wed Sep 9 07:39:14 UTC 2015
On 08/09/15 20:32, Amos Jeffries wrote:
> The second one is a fake CONNECT generated internally by Squid using
Is it too late to propose that intercepted SSL transactions be logged as
something besides "CONNECT"? I know I find it confusing - and so do
others. I appreciate the logic behind it - but people are people :-)
How about (for intercepted SSL)
PEEKED 1.2.3.4:443
GET https://github.com/image.txt
vs
PEEKED 5.6.7.8:443
SPLICED google.com:443
This way we could have a squid server that does transparent SSL plus
formal proxy (on different ports of course) and CONNECT/PEEKED/SPLICED
would enable the admin to tell the difference between a formal proxy
session and an intercepted one. ie the same transactions via formal
proxy would be
CONNECT github.com:443
GET https://github.com/image.txt
vs
CONNECT google.com:443
SPLICED google.com:443
I guess with my logging format, log parsers would skip all
PEEKED/CONNECT lines as redundant (although they're useful for us humans)
Yeah, it would break existing logging tools - but so does the "GET
https://..." stuff anyway - so they need updating too ;-)
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
More information about the squid-users
mailing list