[squid-users] squid4 with sslbump not logged server side cert_subject and cert_issuer

Alex Rousskov rousskov at measurement-factory.com
Thu Feb 15 18:41:37 UTC 2018


On 02/15/2018 07:32 AM, Amos Jeffries wrote:
> On 16/02/18 01:44, Peter Viskup wrote:
>> Running squid version 4.0.23 with logformat including
>>
>> SSLBumpMode=%ssl::bump_mode SSLSNI="%ssl::>sni"
>> SSLClientProto="%ssl::>negotiated_version"
>> SSLServerProto="%ssl::<negotiated_version"
>> SSLBumpClientCipher="%ssl::>negotiated_cipher"
>> SSLBumpServerCipher="%ssl::<negotiated_cipher"
>> SSLBumpSubject="%ssl::<cert_subject"
>> SSLBumpIssuer="%ssl::<cert_issuer"
>>
>> and ssl_bump configured simply with
>>
>> ssl_bump bump all
>> http_access allow all
>>
>> the messages still logged with dashes for Subject and Issuer values
>>
>> SSLBumpMode=bump SSLSNI="www.google.sk" SSLClientProto="TLS/1.0" SSLServerProto
>> ="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES256-SHA"
>> SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="-"
>> SSLBumpIssuer="-"
>>
>> Am I doing something wrong or did I overlook something?


> You told Squid to "bump all" which, by itself, means bump immediately
> after client Hello arrives. 

In other words, you are doing a rough equivalent of the ancient
client-first bumping. To tell Squid to look at the client and server TLS
handshake messages (including the server certificate) before bumping the
connection, use something like this:

  ssl_bump stare all
  ssl_bump bump all


> So there is no server cert to get details
> from until after bumping finishes

The log message contains a server cipher (%ssl::<negotiated_cipher) so
Squid ought to know the certificate as well. The missing certificate in
this context sounds like a bug or a missing feature to me: Either the
server cipher should not be logged (if Squid did not see the origin
handshake yet) or both the cipher and the certificate details should be
logged. The only exception I could think of is a TLS negotiation error
where the server sends the cipher but not the certificate.

The above problem may not be important if, in fact, you did not actually
want to use client-first bumping (which usually does not work well),
_and_ staring at the server (i.e., stare all) logs the information you
want. However, that does not mean the problem is not there.


HTH,

Alex.
P.S. Your log entries will be malformed if the certificate subject or issuer
contains a quote character.
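Added example, not part of the thread and not Squid's own code: a small Python parser for the `KEY="value"` logformat shown above. It delimits each value by the next known key rather than by the closing quote, so a subject or issuer that contains a raw quote character (the malformation mentioned in the P.S.) is recovered and reported instead of shifting every following field, and it applies Alex's consistency argument as a check: a `bump` entry that carries a server cipher but a `-` subject or issuer is flagged. The log lines, certificate names and the `/CN=...` subject format are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Field names exactly as in the logformat from the thread.
FIELDS = [
    "SSLBumpMode", "SSLSNI", "SSLClientProto", "SSLServerProto",
    "SSLBumpClientCipher", "SSLBumpServerCipher", "SSLBumpSubject",
    "SSLBumpIssuer",
]

# A value starts right after 'KEY=' and runs up to the next ' KEY=' of a known key.
_TOKEN_START = re.compile(r'(?:^|\s)(' + "|".join(FIELDS) + r')=')

# Constructed sample lines (the first mirrors the entry quoted in the thread).
LINE_FROM_THREAD = (
    'SSLBumpMode=bump SSLSNI="www.google.sk" SSLClientProto="TLS/1.0" '
    'SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES256-SHA" '
    'SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="-" '
    'SSLBumpIssuer="-"'
)
LINE_WELL_FORMED = (
    'SSLBumpMode=bump SSLSNI="www.example.test" SSLClientProto="TLS/1.2" '
    'SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES128-GCM-SHA256" '
    'SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" '
    'SSLBumpSubject="/CN=www.example.test" SSLBumpIssuer="/CN=Example CA"'
)
LINE_EMBEDDED_QUOTE = (
    'SSLBumpMode=bump SSLSNI="www.example.test" SSLClientProto="TLS/1.2" '
    'SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES128-GCM-SHA256" '
    'SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" '
    'SSLBumpSubject="/O=Example "Quoted" Inc/CN=www.example.test" '
    'SSLBumpIssuer="/CN=Example CA"'
)


def parse_ssl_log_line(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Split one log line into {field: value}; returns (fields, warnings).

    Quoted values are cut at the next known key, not at the next quote, so an
    embedded '"' in a subject/issuer does not corrupt neighbouring fields; it is
    reported as a warning instead.
    """
    fields: Dict[str, str] = {}
    warnings: List[str] = []
    starts = list(_TOKEN_START.finditer(line))
    for i, m in enumerate(starts):
        key = m.group(1)
        value_end = starts[i + 1].start() if i + 1 < len(starts) else len(line)
        raw = line[m.end():value_end].strip()
        if raw.startswith('"'):
            if len(raw) >= 2 and raw.endswith('"'):
                inner = raw[1:-1]
            else:
                inner = raw[1:]
                warnings.append(f"{key}: unterminated quoted value")
            if '"' in inner:
                warnings.append(f"{key}: embedded quote character, entry is malformed")
            fields[key] = inner
        else:
            fields[key] = raw
    return fields, warnings


def naive_pair_count(line: str) -> int:
    """How many KEY=value pairs a quote-delimited regex finds; off by one or more
    on a line with an embedded quote, which is the malformation the P.S. warns about."""
    return len(re.findall(r'(\w+)=("[^"]*"|\S+)', line))


def check_bump_consistency(fields: Dict[str, str]) -> List[str]:
    """If a server cipher was negotiated, Squid saw the origin handshake and should
    know the server certificate too; a '-' subject/issuer alongside a cipher is the
    inconsistency discussed in the thread."""
    findings: List[str] = []
    if fields.get("SSLBumpMode") == "bump":
        cipher = fields.get("SSLBumpServerCipher", "-")
        if cipher != "-" and (fields.get("SSLBumpSubject", "-") == "-"
                              or fields.get("SSLBumpIssuer", "-") == "-"):
            findings.append("server cipher logged but cert subject/issuer missing")
    return findings


if __name__ == "__main__":
    for line in (LINE_FROM_THREAD, LINE_WELL_FORMED, LINE_EMBEDDED_QUOTE):
        fields, warnings = parse_ssl_log_line(line)
        print(fields["SSLSNI"], warnings, check_bump_consistency(fields))
```

Run it against a real access.log once the `stare all` / `bump all` pair is in place: entries that still carry a cipher with `-` subject and issuer are the ones worth reporting, and any line with an "embedded quote" warning shows that the logformat needs a quoting-safe encoding before the log is fed to a parser that trusts the quotes.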

