[squid-users] No matter what I do I can not get %ssl:>sni (or other %ssl) to log

Alex Rousskov rousskov at measurement-factory.com
Thu Sep 29 23:48:01 UTC 2016


On 09/29/2016 05:09 PM, Michael Pelletier wrote:

> The doc says it supports server certs

Which doc? I am reading squid.conf.documented in trunk/v4:

> ssl::>cert_subject
>                 The Subject field of the received client
>                 SSL certificate or a dash ('-')...
> 
> ssl::>cert_issuer
>                 The Issuer field of the received client
>                 SSL certificate or a dash ('-')...

which seems to refer to client certificates, as it should.

Alex.


> 
> On Thu, Sep 29, 2016 at 7:01 PM, Alex Rousskov
> <rousskov at measurement-factory.com> wrote:
> 
>     On 09/29/2016 04:50 PM, Michael Pelletier wrote:
> 
>     > I am trying to log some data during the ssl flow.
> 
>     > logformat custom ... %ssl::>sni %ssl::>cert_subject %ssl::>cert_issuer
>     >
>     > Yet I get nothing from any of the %ssl:: entries....
> 
>     Do your users send certificates to Squid? If not, %ssl::>cert_subject
>     %ssl::>cert_issuer should be "-". These %codes are _not_ about the
>     origin server certificate.
> 
>     ssl::>sni is only available during certain SslBump steps. Do you use
>     SslBump? If yes, do you get the corresponding CONNECT entries in your
>     access log (there should be more than one CONNECT per SSL connection
>     IIRC)? What are your ssl_bump rules?
> 
>     Alex.
> 
> 
> 
> 
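An added squid.conf fragment (not part of the thread, and not either poster's configuration) illustrating the two points in the reply above: %ssl::>sni is filled in only once Squid has read the TLS ClientHello during SslBump, and the %ssl::>cert_* codes describe a certificate sent by the client. It assumes a listening port already configured with the ssl-bump option; the ACL name, logformat name and log path are placeholders.

```conf
# Added example. Assumes an existing http_port/https_port line that
# carries the ssl-bump option; names and paths below are placeholders.

# at_step matches the SslBump processing step currently being evaluated.
acl step1 at_step SslBump1

# Peek during step 1 so Squid parses the TLS ClientHello (which carries SNI),
# then splice: tunnel the connection without decrypting it.
# With "ssl_bump splice all" as the only rule, the decision is made at
# step 1, before the ClientHello is parsed, and %ssl::>sni logs "-".
ssl_bump peek step1
ssl_bump splice all

# %ssl::>sni           SNI sent by the client, "-" if none was seen
# %ssl::bump_mode      SslBump action applied to this transaction
# %ssl::>cert_subject  Subject of the certificate the CLIENT sent to Squid;
#                      "-" unless clients authenticate with certificates
logformat sslflow %ts.%03tu %>a %Ss/%03>Hs %rm %ru sni=%ssl::>sni bump=%ssl::bump_mode ccert=%ssl::>cert_subject
access_log stdio:/var/log/squid/ssl-access.log sslflow
```

The first CONNECT entry for a connection is logged before the peek completes and so can still show sni=-; the later entry for the same connection carries the SNI value.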


