[squid-users] 3.5.8 — SSL Bump questions
Dan Charlesworth
dan at getbusi.com
Thu Sep 10 01:06:18 UTC 2015
Thanks for all the info here, people.
This is probably because of some other dumb thing I’m doing in my ssl_bump config, but if I change ssl_bump peek step1 to ssl_bump peek all, I get this assertion failure:
PeerConnector.cc:747: "!callback"
> On 9 Sep 2015, at 6:59 pm, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
> On 9/09/2015 7:39 p.m., Jason Haar wrote:
>> On 08/09/15 20:32, Amos Jeffries wrote:
>>> The second one is a fake CONNECT generated internally by Squid using
>> Is it too late to propose that intercepted SSL transactions be logged as
>> something besides "CONNECT"? I know I find it confusing - and so do
>> others. I appreciate the logic behind it - but people are people :-)
>>
>
> Yeah. There's people - they need to stop looking at the *HTTP messages
> log* and thinking it says anything about bumping. All it says is the
> *side effects* of bumping which happen in the HTTP layer.
>
> Then there is the actual log processing software. And access.log is an
> HTTP transaction log, the detail being logged is the HTTP method being
> enacted by the HTTP software (Squid).
>
>
> TLS/SSL is a different protocol to HTTP. It should not be warped into
> HTTP log syntax. Trying to do so is what is confusing you. And the HTTP
> side effects are not clear.
>
>
> Try this (a log for the actual TLS / SSL-bump details):
>
> logformat tlslog %tS %6tr %>a:%>p %>la:%>lp \
> %ssl::bump_mode %ssl::>sni %<A/%<a \
> "%ssl::>cert_subject" "%ssl::>cert_issuer"
>
> access_log stdio:/var/log/squid/tls.log tlslog SSL_ports
>
> That is:
> the time things started,
> how long it took in ms,
> the client IP:port,
> server IP:port it was connecting to (might be Squid),
> the bumping mode squid was doing,
> SNI (if any),
> the server actually connected to (FQDN and IP),
> the cert details that server presented.
>
> I'm not sure which format code gets populated with SSL error details
> when cert validation fails. That should be added on the end too.
>
> Amos
>
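As an added example (not code from this thread or from the Squid project), here is a small Python parser for the tlslog layout Amos suggests, run over constructed sample lines in that exact field order; it tallies bump modes and flags bumped connections whose certificate CN does not match the client's SNI. The sample hostnames, addresses and DNs are made up, and the quoted-field handling assumes Squid's usual double-quote escaping.

```python
import shlex
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the tlslog layout from the quoted message:
# %tS %6tr %>a:%>p %>la:%>lp %ssl::bump_mode %ssl::>sni %<A/%<a "cert_subject" "cert_issuer"
SAMPLE_TLSLOG = """\
1441846567.123    245 192.0.2.10:51234 198.51.100.5:3128 bump www.example.com www.example.com/93.184.216.34 "CN=www.example.com" "CN=Example Root CA"
1441846568.004     12 192.0.2.11:51240 198.51.100.5:3128 splice mail.example.net mail.example.net/203.0.113.7 "-" "-"
1441846569.377    801 192.0.2.12:51250 198.51.100.5:3128 bump login.example.org www.evil-example.test/203.0.113.9 "CN=www.evil-example.test" "CN=Example Root CA"
1441846570.500      3 192.0.2.13:51260 198.51.100.5:3128 terminate - -/- "-" "-"
"""

@dataclass
class TlsLogEntry:
    start: float; duration_ms: int; client: str; local: str
    bump_mode: str; sni: str; server_fqdn: str; server_ip: str
    cert_subject: str; cert_issuer: str

def parse_line(line: str) -> TlsLogEntry:
    # shlex honours the double-quoted cert fields, which may contain spaces
    f = shlex.split(line)
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    fqdn, _, ip = f[6].rpartition("/")          # %<A/%<a -> FQDN and IP
    return TlsLogEntry(float(f[0]), int(f[1]), f[2], f[3], f[4], f[5], fqdn, ip, f[7], f[8])

def parse_tlslog(text: str) -> List[TlsLogEntry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def bump_mode_counts(entries: List[TlsLogEntry]) -> Counter:
    return Counter(e.bump_mode for e in entries)

def cn_of(subject: str) -> Optional[str]:
    # pull the CN attribute out of a comma-separated DN, lower-cased
    for part in subject.split(","):
        k, _, v = part.strip().partition("=")
        if k.upper() == "CN":
            return v.strip().lower()
    return None

def cn_matches(cn: str, sni: str) -> bool:
    # exact match, or a single-label wildcard such as *.example.com
    cn, sni = cn.lower(), sni.lower()
    if cn.startswith("*."):
        return sni.endswith(cn[1:]) and sni.count(".") == cn.count(".")
    return cn == sni

def sni_cert_mismatches(entries: List[TlsLogEntry]) -> List[TlsLogEntry]:
    # bumped connections where the certificate CN does not cover the SNI the client asked for
    out = []
    for e in entries:
        if e.bump_mode != "bump" or e.sni == "-":
            continue
        cn = cn_of(e.cert_subject)
        if cn is None or not cn_matches(cn, e.sni):
            out.append(e)
    return out
```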