[squid-users] 3.5.8 — SSL Bump questions

Alex Rousskov rousskov at measurement-factory.com
Thu Sep 10 02:29:09 UTC 2015


On 09/09/2015 07:06 PM, Dan Charlesworth wrote:

> if I change ssl_bump peek step1 to ssl_bump peek all, I get this assertion failure:
> 
> PeerConnector.cc:747: "!callback"

Please see http://bugs.squid-cache.org/show_bug.cgi?id=4303

Alex.



>> On 9 Sep 2015, at 6:59 pm, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>>
>> On 9/09/2015 7:39 p.m., Jason Haar wrote:
>>> On 08/09/15 20:32, Amos Jeffries wrote:
>>>> The second one is a fake CONNECT generated internally by Squid using
>>> Is it too late to propose that intercepted SSL transactions be logged as
>>> something besides "CONNECT"? I know I find it confusing - and so do
>>> others. I appreciate the logic behind it - but people are people :-)
>>>
>>
>> Yeah.  There's people - they need to stop looking at the *HTTP messages
>> log* and thinking it says anything about bumping. All it says is the
>> *side effects* of bumping which happen in the HTTP layer.
>>
>> Then there is the actual log processing software. And access.log is an
>> HTTP transaction log, the detail being logged is the HTTP method being
>> enacted by the HTTP software (Squid).
>>
>>
>> TLS/SSL is a different protocol to HTTP. It should not be warped into
>> HTTP log syntax. Trying to do so is what is confusing you. And the HTTP
>> side effects are not clear.
>>
>>
>> Try this (a log for the actual TLS / SSL-bump details):
>>
>> logformat tlslog %tS %6tr %>a:%>p %>la:%>lp \
>>  %ssl::bump_mode %ssl::>sni %<A/%<a \
>>  "%ssl::>cert_subject" "%ssl::>cert_issuer"
>>
>> access_log stdio:/var/log/squid/tls.log tlslog SSL_ports
>>
>> That is:
>> the time things started,
>> how long it took in ms,
>> the client IP:port,
>> server IP:port it was connecting to (might be Squid),
>> the bumping mode squid was doing,
>> SNI (if any),
>> the server actually connected to (FQDN and IP),
>> the cert details that server presented.
>>
>> I'm not sure which format code gets populated with SSL error details
>> when cert validation fails. That should be added on the end too.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
> 
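Added example, not code from the thread or from the Squid project: a small Python parser for the tlslog logformat Amos quotes above, with the kind of defender-side checks (SNI versus presented cert CN, self-signed server certs, terminated connections) one would run over such a log. It assumes IPv4 endpoints and OpenSSL "oneline" DNs in the cert fields; the sample records are constructed.

```python
import re

# Regex for one record of the "tlslog" logformat quoted above (IPv4 endpoints and
# OpenSSL "oneline" DNs such as /C=US/O=Example/CN=host are assumed):
#   %tS %6tr %>a:%>p %>la:%>lp %ssl::bump_mode %ssl::>sni %<A/%<a "%ssl::>cert_subject" "%ssl::>cert_issuer"
TLSLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ms>\d+)\s+(?P<client_ip>\S+):(?P<client_port>\d+)\s+"
    r"(?P<local_ip>\S+):(?P<local_port>\d+)\s+(?P<mode>\S+)\s+(?P<sni>\S+)\s+"
    r'(?P<server_fqdn>[^/\s]+)/(?P<server_ip>\S+)\s+"(?P<subject>[^"]*)"\s+"(?P<issuer>[^"]*)"$'
)

def parse_tlslog_line(line):
    """Return the record's named fields, or None if the line does not match the format."""
    m = TLSLOG_RE.match(line.strip())
    return m.groupdict() if m else None

def subject_cn(dn):
    """CN from an OpenSSL oneline DN; None when absent (e.g. '-' before any cert was seen)."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1) if m else None

def cn_matches(cn, host):
    """Exact match, or a single-label wildcard ('*.example.org') covering the left-most label."""
    if cn.startswith("*."):
        return host.count(".") >= 2 and host.split(".", 1)[1] == cn[2:]
    return cn == host

def find_anomalies(lines):
    """Records worth a defender's review, as (client_ip, sni, reason) tuples."""
    findings = []
    for line in lines:
        rec = parse_tlslog_line(line)
        if rec is None or rec["mode"] in ("-", "none"):
            continue  # unparsable line, or the connection was never bumped
        cn = subject_cn(rec["subject"])
        if rec["subject"] != "-" and rec["subject"] == rec["issuer"]:
            findings.append((rec["client_ip"], rec["sni"], "self-signed server cert"))
        elif cn and rec["sni"] != "-" and not cn_matches(cn, rec["sni"]):
            findings.append((rec["client_ip"], rec["sni"], "SNI does not match cert CN"))
        if rec["mode"] == "terminate":
            findings.append((rec["client_ip"], rec["sni"], "terminated by ssl_bump rules"))
    return findings

# Constructed sample records (not from a real proxy); addresses are from documentation ranges.
SAMPLE_LINES = [
    '1441850000.123    312 192.0.2.10:51234 192.0.2.1:3129 splice www.example.com www.example.com/198.51.100.7 "/C=US/O=Example Inc/CN=www.example.com" "/C=US/O=Example CA/CN=Example Issuing CA"',
    '1441850001.456     88 192.0.2.11:51240 192.0.2.1:3129 bump api.example.org api.example.org/198.51.100.9 "/O=Example Org/CN=*.example.org" "/C=US/O=Example CA/CN=Example Issuing CA"',
    '1441850002.789    140 192.0.2.12:51250 192.0.2.1:3129 bump update.example.net 203.0.113.5/203.0.113.5 "/CN=other.example.invalid" "/C=US/O=Example CA/CN=Example Issuing CA"',
    '1441850003.000     61 192.0.2.13:51260 192.0.2.1:3129 terminate mail.example.com mail.example.com/198.51.100.20 "/CN=mail.example.com" "/CN=mail.example.com"',
]
```

Running `find_anomalies(SAMPLE_LINES)` flags the third record (cert CN differs from the SNI) and the fourth twice (self-signed, then terminated); the first two pass.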