[squid-users] No matter what I do I can not get %ssl:>sni (or other %ssl) to log

Alex Rousskov rousskov at measurement-factory.com
Thu Sep 29 23:55:48 UTC 2016


On 09/29/2016 05:44 PM, Michael Pelletier wrote:
> In the squid.conf.documented, it looks like I can log the server
> certificate as well as the client certificate....
> 
> #         %ssl::<cert_subject SSL server certificate DN
> #         %ssl::<cert_issuer SSL server certificate issuer DN

Wrong directive? The above %codes were for the external_acl_type
context, not logformat IIRC.

I do not know whether they are still supported in v4 but no longer
documented (which would be a [documentation] bug) or not supported at
all (which would be a [regression] bug).

Alex.


> On Thu, Sep 29, 2016 at 7:09 PM, Michael Pelletier wrote:
> 
>     I misspoke. I am getting %ssl::>sni but not %ssl::<cert_subject or
>     %ssl::<cert_issuer but then clients may not be sending certs out....
> 
>     The doc says it supports server certs but using %ssl::>cert_subject
>     and %ssl::>cert_issuer gives me a parse error....
> 
>     Note the "<" instead of the ">"
> 
>     On Thu, Sep 29, 2016 at 7:01 PM, Alex Rousskov
>     <rousskov at measurement-factory.com
>     <mailto:rousskov at measurement-factory.com>> wrote:
> 
>         On 09/29/2016 04:50 PM, Michael Pelletier wrote:
> 
>         > I am trying to log some data during the ssl flow.
> 
>         > logformat custom ... %ssl::>sni %ssl::>cert_subject
>         %ssl::>cert_issuer
>         >
>         > Yet I get nothing from any of the %ssl:: entries....
> 
>         Do your users send certificates to Squid? If not,
>         %ssl::>cert_subject
>         %ssl::>cert_issuer should be "-". These %codes are _not_ about the
>         origin server certificate.
> 
>         ssl::>sni is only available during certain SslBump steps. Do you use
>         SslBump? If yes, do you get the corresponding CONNECT entries in
>         your
>         access log (there should be more than one CONNECT per SSL connection
>         IIRC)? What are your ssl_bump rules?
> 
>         Alex.
> 
> 
> 
> 
> *Disclaimer: *Under Florida law, e-mail addresses are public records. If
> you do not want your e-mail address released in response to a public
> records request, do not send electronic mail to this entity. Instead,
> contact this office by phone or in writing.
> 
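Alex's diagnostic above (is SslBump in use, are there several CONNECT entries per TLS connection, does %ssl::>sni ever come out as something other than "-") can be checked mechanically against the access log. The script below is an added example, not code from the thread or from the Squid project. It assumes a logformat of `%ts.%03tu %>a:%>p %Ss/%03>Hs %rm %ru %ssl::>sni` (an assumption for this example; adjust the regex to whatever logformat you actually configured) and works on constructed sample lines, not real traffic.

```python
"""Check whether %ssl::>sni actually makes it into a Squid access log.

Assumed logformat (an assumption for this example, not from the thread):
    logformat sslprobe %ts.%03tu %>a:%>p %Ss/%03>Hs %rm %ru %ssl::>sni
"""
import re
from collections import defaultdict

# One field per logformat token of the assumed format above.
LOG_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<sni>\S+)$"
)

# Constructed sample lines (not real traffic), covering the three cases
# the thread distinguishes: SNI logged, no SNI despite several CONNECT
# entries, and a lone CONNECT entry with no SNI.
SAMPLE_LOG = """\
1475193600.101 192.0.2.10:51234 TCP_TUNNEL/200 CONNECT example.com:443 -
1475193600.205 192.0.2.10:51234 TCP_TUNNEL/200 CONNECT example.com:443 example.com
1475193601.300 192.0.2.11:51240 TCP_TUNNEL/200 CONNECT 198.51.100.7:443 -
1475193601.410 192.0.2.11:51240 TCP_TUNNEL/200 CONNECT 198.51.100.7:443 -
1475193602.010 192.0.2.12:51300 TCP_TUNNEL/200 CONNECT example.org:443 -
1475193603.020 192.0.2.13:51310 TCP_MISS/200 GET http://example.net/ -
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Group CONNECT entries per client connection (client:port plus tunnel target).

    Each group records how many CONNECT lines were logged for that tunnel and
    which non-"-" SNI values appeared in them.
    """
    summary = defaultdict(lambda: {"connects": 0, "sni": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue  # plain HTTP requests never carry an SNI
        entry = summary[(rec["client"], rec["url"])]
        entry["connects"] += 1
        if rec["sni"] != "-":
            entry["sni"].add(rec["sni"])
    return dict(summary)


def diagnose(summary):
    """Map each tunnel to a finding, following the reasoning in the thread."""
    findings = {}
    for key, entry in summary.items():
        if entry["sni"]:
            findings[key] = "ok: SNI logged (%s)" % ", ".join(sorted(entry["sni"]))
        elif entry["connects"] == 1:
            # With SslBump there should be more than one CONNECT entry per TLS
            # connection; a single one without SNI suggests the tunnel was not
            # peeked or bumped at all, so check the ssl_bump rules first.
            findings[key] = ("no SNI and a single CONNECT entry: tunnel does not "
                             "look SslBump-processed, check ssl_bump rules")
        else:
            # Several entries but never an SNI: the client likely sent none
            # (e.g. it connected to an IP literal).
            findings[key] = ("no SNI despite several CONNECT entries: client "
                             "probably sent no SNI in its ClientHello")
    return findings


if __name__ == "__main__":
    for (client, target), finding in sorted(diagnose(summarize(SAMPLE_LOG)).items()):
        print("%s -> %s: %s" % (client, target, finding))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; a log where every tunnel lands in the "single CONNECT entry" bucket points at the ssl_bump configuration rather than at the logformat.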
