[squid-users] Squid doesn't use domain name as a request URL in access.log when splice at step 3 occurs

Garri Djavadyan garryd at comnet.uz
Sat Nov 5 12:28:20 UTC 2016


On 2016-11-05 01:15, Alex Rousskov wrote:
> On 11/04/2016 08:06 AM, Garri Djavadyan wrote:
>> On Fri, 2016-11-04 at 17:43 +0500, Garri Djavadyan wrote:
>>> I noticed that Squid doesn't use gathered domain name information for
>>> %ru in access.log when splice action is performed at step 3 for
>>> intercepted traffic.
> 
> %ru is about client/user actions. It should be filled with what the
> client sent to Squid. In an intercepting and splicing configuration like
> yours, %>ru (and deprecated %ru) should contain the intended destination
> IP address (at step 1) and SNI, if any, at step 2+.
> 
>>  %ru  Request URL from client (historic, filtered for logging)
>> %>ru  Request URL from client
>> %<ru  Request URL sent to server or peer
> 
> According to the above, during step 3, %<ru should have SNI sent by
> Squid to the server (if any) or the server IP (otherwise).

I've added the codes %>ru, %<ru and %ssl::bump_mode in the following tests.


>>> $ curl https://www.openssl.org/ > /dev/null
> 
>>> https_port 3129 intercept ssl-bump ..
>>> logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni
> 
> 
>>> at step 2:
> 
>>> 1478256091.609   1028 172.16.0.21 TAG_NONE/200 0 CONNECT 104.124.119.14:443 - HIER_NONE/- - www.openssl.org
>>> 1478256091.609   1026 172.16.0.21 TCP_TUNNEL/200 9807 CONNECT www.openssl.org:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
> 
> OK.
> 
> 
>>> at step 3:
> 
>>> 1478256303.420    574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
> 
> Just one record? That in itself is probably a bug!

Yes, I get only one record for splicing at step 3 using Squid 3.5.22/4.0.16.


> Please see whether trunk r14913 (or any later revision) improves or
> fixes this. That revision contains important and potentially relevant
> changes.

I re-tested the case using Squid 4.0.16-20161104-r14917. Now, Squid lost
its ability to mark SNI in %ru at step 2 too.
Below are my results:

----------------
| Squid 4.0.16 |
----------------
Config:
https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem generate-host-certificates=off
acl StepSplice at_step SslBump2
ssl_bump splice StepSplice
ssl_bump peek all
logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::bump_mode %ssl::>sni %>ru %<ru

Result:
1478346360.722 000415 192.168.6.6 NONE/200 0 CONNECT 173.194.122.224:443 - HIER_NONE/- - peek google.com 173.194.122.224:443 173.194.122.224:443
1478346360.722 000377 192.168.6.6 TCP_TUNNEL_ABORTED/200 4747 CONNECT google.com:443 - ORIGINAL_DST/173.194.122.224 - splice google.com google.com:443 google.com:443

-------
Config:
https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem generate-host-certificates=off
acl StepSplice at_step SslBump3
ssl_bump splice StepSplice
ssl_bump peek all
logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::bump_mode %ssl::>sni %>ru %<ru

Result:
1478346440.426 000448 192.168.6.6 TCP_TUNNEL_ABORTED/200 4747 CONNECT 173.194.122.224:443 - ORIGINAL_DST/173.194.122.224 - peek google.com 173.194.122.224:443 173.194.122.224:443


--------------------------------
| Squid 4.0.16-20161104-r14917 |
--------------------------------
Config:
https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem generate-host-certificates=off
acl StepSplice at_step SslBump2
ssl_bump splice StepSplice
ssl_bump peek all
logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::bump_mode %ssl::>sni %>ru %<ru

Result:
1478347007.973 000404 192.168.6.6 TCP_TUNNEL/200 4747 CONNECT 173.194.122.224:443 - ORIGINAL_DST/173.194.122.224 - peek google.com 173.194.122.224:443 173.194.122.224:443

--------
Config:
https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem generate-host-certificates=off
acl StepSplice at_step SslBump3
ssl_bump splice StepSplice
ssl_bump peek all
logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::bump_mode %ssl::>sni %>ru %<ru

Result:
1478347140.363 000412 192.168.6.6 TCP_TUNNEL/200 4747 CONNECT 173.194.122.224:443 - ORIGINAL_DST/173.194.122.224 - peek google.com 173.194.122.224:443 173.194.122.224:443


--------------
The request used in the tests is 'curl https://google.com/ > /dev/null'.

>> It prevents domain name identification when SNI is not provided by a
>> client. For example:
>> 
>> Request:
>> $ echo -e "HEAD / HTTP/1.1\nHost: www.openssl.org\n\n" | openssl s_client -quiet -no_ign_eof -connect www.openssl.org:443
>> 
>> Result:
>> 1478267428.070    347 172.16.0.21 TCP_TUNNEL/200 235 CONNECT 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - -
> 
> IMO, the lack of a domain name is correct in this %ru case -- the client
> did not send a domain name to Squid!

I got it, thanks. AIUI, there is no code format which could be used to 
represent domain name information gathered from certificate 
(subjectAltName). Am I right?

Thanks.

Garri
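An added example, not part of the thread and not Squid's own code: a small audit script for the logformat used in the tests above. It parses each access.log record into its fields and flags tunnel records where Squid knew the client's SNI (%ssl::>sni) but logged only an IP literal in %>ru, which is the discrepancy reported for splicing at step 3. The four sample records are copied from the results above and re-joined onto single lines; the field names are my own.

```python
import ipaddress
from urllib.parse import urlsplit

# Field order follows the logformat from the tests above:
# %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
# %ssl::bump_mode %ssl::>sni %>ru %<ru   (field names are assumptions)
FIELDS = ["time", "duration", "client", "status", "bytes", "method", "ru",
          "user", "hier", "mime", "bump_mode", "sni", "gt_ru", "lt_ru"]

def parse_line(line):
    """Split one access.log line into a dict keyed by FIELDS."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, parts))

def host_of(url):
    """Host part of a %ru value: 'host:port' for CONNECT, or a full URL."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    host, _, _ = url.rpartition(":")
    return host.strip("[]")

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def url_lost_sni(rec):
    """True when Squid knew the client's SNI but %>ru carries only an IP."""
    return rec["sni"] != "-" and is_ip_literal(host_of(rec["gt_ru"]))

def audit(lines):
    """(time, bump_mode, sni, gt_ru) for every TCP_TUNNEL* record that lost
    the SNI. The leading NONE/200 record is the step-1 CONNECT, where an
    IP-only %>ru is expected, so it is deliberately not reported."""
    hits = []
    for rec in map(parse_line, lines):
        if rec["status"].startswith("TCP_TUNNEL") and url_lost_sni(rec):
            hits.append((rec["time"], rec["bump_mode"], rec["sni"], rec["gt_ru"]))
    return hits

# Records copied from the results in the message above (one per line).
SAMPLE = [
    "1478346360.722 000415 192.168.6.6 NONE/200 0 CONNECT 173.194.122.224:443 - HIER_NONE/- - peek google.com 173.194.122.224:443 173.194.122.224:443",
    "1478346360.722 000377 192.168.6.6 TCP_TUNNEL_ABORTED/200 4747 CONNECT google.com:443 - ORIGINAL_DST/173.194.122.224 - splice google.com google.com:443 google.com:443",
    "1478346440.426 000448 192.168.6.6 TCP_TUNNEL_ABORTED/200 4747 CONNECT 173.194.122.224:443 - ORIGINAL_DST/173.194.122.224 - peek google.com 173.194.122.224:443 173.194.122.224:443",
    "1478347140.363 000412 192.168.6.6 TCP_TUNNEL/200 4747 CONNECT 173.194.122.224:443 - ORIGINAL_DST/173.194.122.224 - peek google.com 173.194.122.224:443 173.194.122.224:443",
]
```

Running `audit(SAMPLE)` reports the two step-3 tunnel records and leaves the step-2 splice record (with google.com in %>ru) alone.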
