[squid-users] squid4 with sslbump not logged server side cert_subject and cert_issuer

Peter Viskup skupko.sk at gmail.com
Fri Feb 16 10:54:18 UTC 2018


On Thu, Feb 15, 2018 at 7:41 PM, Alex Rousskov
<rousskov at measurement-factory.com> wrote:
> On 02/15/2018 07:32 AM, Amos Jeffries wrote:
>> On 16/02/18 01:44, Peter Viskup wrote:
>>> Running squid version 4.0.23 with logformat including
>>>
>>> SSLBumpMode=%ssl::bump_mode SSLSNI="%ssl::>sni"
>>> SSLClientProto="%ssl::>negotiated_version"
>>> SSLServerProto="%ssl::<negotiated_version"
>>> SSLBumpClientCipher="%ssl::>negotiated_cipher"
>>> SSLBumpServerCipher="%ssl::<negotiated_cipher"
>>> SSLBumpSubject="%ssl::<cert_subject"
>>> SSLBumpIssuer="%ssl::<cert_issuer"
>>>
>>> and ssl_bump configured simply with
>>>
>>> ssl_bump bump all
>>> http_access allow all
>>>
>>> the messages still logged with dashes for Subject and Issuer values
>>>
>>> SSLBumpMode=bump SSLSNI="www.google.sk" SSLClientProto="TLS/1.0"
>>> SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES256-SHA"
>>> SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="-"
>>> SSLBumpIssuer="-"
>>>
>>> Am I doing something wrong or did I overlook something?
>> You told Squid to "bump all" which, by itself, means bump immediately
>> after client Hello arrives.
>
> In other words, you are doing a rough equivalent of the ancient
> client-first bumping. To tell Squid to look at the client and server TLS
> handshake messages (including the server certificate) before bumping the
> connection, use something like this:
>
>   ssl_bump stare all
>   ssl_bump bump all

Confirmed: with these two lines the cert information is logged as expected.
Will read the wiki once more.

> The log message contains a server cipher (%ssl::<negotiated_cipher) so
> Squid ought to know the certificate as well. The missing certificate in
> this context sounds like a bug or a missing feature to me: Either the
> server cipher should not be logged (if Squid did not see the origin
> handshake yet) or both the cipher and the certificate details should be
> logged. The only exception I could think of is a TLS negotiation error
> where the server sends the cipher but not the certificate.
>
> The above problem may not be important if, in fact, you did not actually
> want to use client-first bumping (which usually does not work well),
> _and_ staring at the server (i.e., stare all) logs the information you
> want. However, that does not mean the problem is not there.

I do not want to use client-first bumping, and thus the issue is solved by stare & bump.
Thank you.
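As an added example, not part of this thread or of Squid itself: a small Python audit over access.log lines written in the logformat Peter posted. It flags two things discussed above, namely entries where the connection was bumped but the server certificate subject and issuer are dashes (the symptom of a bare `ssl_bump bump all`, which bumps at step 1 before the server handshake is seen), and separately the inconsistency Alex describes, where a server cipher was logged but the certificate details were not. The three log lines are constructed for the example; the first mirrors the output in the thread, the subject and issuer values on the second are made up, and the third is a hypothetical spliced connection.

```python
import re

# Constructed sample access.log lines in the logformat from the thread.
# Line 1 mirrors what "ssl_bump bump all" produced for Peter; line 2 is what
# "stare all" + "bump all" yields once the server certificate has been seen
# (subject/issuer values are invented); line 3 is a hypothetical splice.
SAMPLE_LOG = """\
SSLBumpMode=bump SSLSNI="www.google.sk" SSLClientProto="TLS/1.0" SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES256-SHA" SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="-" SSLBumpIssuer="-"
SSLBumpMode=bump SSLSNI="www.example.com" SSLClientProto="TLS/1.2" SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES256-GCM-SHA384" SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="CN=www.example.com" SSLBumpIssuer="CN=Example CA"
SSLBumpMode=splice SSLSNI="www.example.org" SSLClientProto="TLS/1.2" SSLServerProto="-" SSLBumpClientCipher="-" SSLBumpServerCipher="-" SSLBumpSubject="-" SSLBumpIssuer="-"
"""

# Squid prints "-" for a logformat token it has no value for.
MISSING = "-"

# Key=value pairs; SSLBumpMode is unquoted in the thread's format, the rest
# are double-quoted (quoted values may themselves contain '=' as in "CN=...").
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict[str, str]:
    """Split one access.log line into a {key: value} dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def audit_entry(fields: dict[str, str]) -> list[str]:
    """Return the findings (possibly none) for one parsed log entry."""
    findings = []
    mode = fields.get("SSLBumpMode", MISSING)
    server_cipher = fields.get("SSLBumpServerCipher", MISSING)
    subject = fields.get("SSLBumpSubject", MISSING)
    issuer = fields.get("SSLBumpIssuer", MISSING)

    # Bumped, yet no server certificate was recorded: Squid generated the
    # fake cert before looking at the origin handshake (bare "bump all").
    if mode == "bump" and subject == MISSING and issuer == MISSING:
        findings.append("bumped without server certificate details; "
                        "use 'ssl_bump stare all' before 'ssl_bump bump all'")

    # Alex's consistency rule: a negotiated server cipher implies Squid saw
    # the server handshake, so the certificate should be known as well.
    if server_cipher != MISSING and (subject == MISSING or issuer == MISSING):
        findings.append("server cipher logged but certificate details missing")
    return findings


def audit_log(text: str) -> list[tuple[int, str, list[str]]]:
    """Audit every non-empty line; returns (line number, SNI, findings)."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = parse_line(line)
        results.append((lineno, fields.get("SSLSNI", MISSING), audit_entry(fields)))
    return results


if __name__ == "__main__":
    for lineno, sni, findings in audit_log(SAMPLE_LOG):
        status = "; ".join(findings) if findings else "ok"
        print(f"line {lineno} sni={sni}: {status}")
```

Run against a real access.log (replace SAMPLE_LOG with the file contents) after changing the ssl_bump rules; once Squid stares at the server before bumping, the first finding should disappear from new entries, and any line that still triggers the second finding is worth reporting, as Alex suggests, rather than ignoring.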