[squid-users] 3.5.8 — SSL Bump questions

Jason Haar Jason_Haar at trimble.com
Wed Sep 9 07:39:14 UTC 2015


On 08/09/15 20:32, Amos Jeffries wrote:
> The second one is a fake CONNECT generated internally by Squid using
Is it too late to propose that intercepted SSL transactions be logged as
something besides "CONNECT"? I know I find it confusing - and so do
others. I appreciate the logic behind it - but people are people :-)

How about (for intercepted SSL)

PEEKED 1.2.3.4:443
GET https://github.com/image.txt

vs

PEEKED 5.6.7.8:443
SPLICED google.com:443

This way we could have a squid server that does transparent SSL plus
formal proxy (on different ports of course) and CONNECT/PEEKED/SPLICED
would enable the admin to tell the difference between a formal proxy
session and an intercepted one. i.e. the same transactions via formal
proxy would be

CONNECT github.com:443
GET https://github.com/image.txt

vs

CONNECT google.com:443
SPLICED google.com:443

I guess with my logging format, log parsers would skip all
PEEKED/CONNECT lines as redundant (although they're useful for us humans)

Yeah, it would break existing logging tools - but so does the "GET
https://..." stuff anyway - so they need updating too ;-)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
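
The distinction proposed in this message, as an added example (not part of the original post and not Squid code): a small classifier that tells intercepted sessions from formal-proxy ones using the opener line. It assumes PEEKED and SPLICED appear as method tokens as proposed here, and that each line has the layout `client method target`; the client addresses are constructed.

```python
from urllib.parse import urlsplit

# Opener tokens: PEEKED is the proposal's marker for an intercepted session,
# CONNECT stays reserved for a formal (explicit) proxy session.
OPENERS = {"PEEKED": "intercepted", "CONNECT": "formal-proxy"}

# Constructed sample: the four transactions from the message, with a
# hypothetical client address prepended so lines can be grouped.
SAMPLE = [
    "10.0.0.5 PEEKED 1.2.3.4:443",
    "10.0.0.5 GET https://github.com/image.txt",
    "10.0.0.6 PEEKED 5.6.7.8:443",
    "10.0.0.6 SPLICED google.com:443",
    "10.0.0.7 CONNECT github.com:443",
    "10.0.0.7 GET https://github.com/image.txt",
    "10.0.0.8 CONNECT google.com:443",
    "10.0.0.8 SPLICED google.com:443",
]

def classify(lines):
    """Return (client, mode, action, host) for each decided TLS transaction.

    Opener lines are consumed only to learn the mode, then skipped as
    redundant. Limitation: one open session per client is assumed.
    """
    pending = {}  # client -> mode taken from its most recent opener
    records = []
    for raw in lines:
        parts = raw.split()
        if len(parts) != 3:
            continue  # malformed line
        client, method, target = parts
        if method in OPENERS:
            pending[client] = OPENERS[method]
            continue
        if method == "SPLICED":
            action, host = "spliced", target.rsplit(":", 1)[0]
        elif target.lower().startswith("https://"):
            action, host = "bumped", urlsplit(target).hostname
        else:
            continue  # plain HTTP, not a TLS transaction
        records.append((client, pending.get(client, "unknown"), action, host))
        if action == "spliced":
            pending.pop(client, None)  # a spliced tunnel logs nothing further
    return records

if __name__ == "__main__":
    for record in classify(SAMPLE):
        print(*record)
```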


