[squid-users] No matter what I do I can not get %ssl:>sni (or other %ssl) to log
Alex Rousskov
rousskov at measurement-factory.com
Thu Sep 29 23:48:01 UTC 2016
On 09/29/2016 05:09 PM, Michael Pelletier wrote:
> The doc says is supports server certs
Which doc? I am reading squid.conf.documented in trunk/v4:
> ssl::>cert_subject
> The Subject field of the received client
> SSL certificate or a dash ('-')...
>
> ssl::>cert_issuer
> The Issuer field of the received client
> SSL certificate or a dash ('-')...
which seems to refer to client certificates, as it should.
Alex.
>
> On Thu, Sep 29, 2016 at 7:01 PM, Alex Rousskov
> <rousskov at measurement-factory.com
> <mailto:rousskov at measurement-factory.com>> wrote:
>
> On 09/29/2016 04:50 PM, Michael Pelletier wrote:
>
> > I am trying to log some data during the ssl flow.
>
> > logformat custom ... %ssl::>sni %ssl::>cert_subject %ssl::>cert_issuer
> >
> > Yet I get nothing from any of the %ssl:: entries....
>
> Do your users send certificates to Squid? If not, %ssl::>cert_subject
> %ssl::>cert_issuer should be "-". These %codes are _not_ about the
> origin server certificate.
>
> ssl::>sni is only available during certain SslBump steps. Do you use
> SslBump? If yes, do you get the corresponding CONNECT entries in your
> access log (there should be more than one CONNECT per SSL connection
> IIRC)? What are your ssl_bump rules?
>
> Alex.
>
>
>
> *Disclaimer: *Under Florida law, e-mail addresses are public records. If
> you do not want your e-mail address released in response to a public
> records request, do not send electronic mail to this entity. Instead,
> contact this office by phone or in writing.
>
More information about the squid-users
mailing list