[squid-users] ssl_bump - peek & splice logging IP rather than server name

Alex Rousskov rousskov at measurement-factory.com
Tue Jan 3 23:10:16 UTC 2017


On 01/03/2017 03:41 PM, Eliezer Croitoru wrote:

> Squid in intercept or tproxy mode will know one thing about the tunnel\connection: IP+port.

... and SSL handshake information when peeking or staring at client/server.


> Since you are using:
>> ssl_bump peek all
>> ssl_bump splice all

> The connections will always be spliced and you will never see any
> url. (Are you expecting only the SNI or also the URL?)

AFAICT, Mark is expecting Squid to log one of the server names, not the
HTTP request URL.


> I do not know but there might be a code that can report the SNI if exists in the logs.

According to squid.conf.documented, the following logformat %code is
supported in modern Squids:

> ssl::>sni       SSL client SNI sent to Squid. Available only
>                 after the peek, stare, or splice SSL bumping
>                 actions.

This %code is not in the default access.log line format, naturally.

Squid can also analyze CN and other server certificate fields, but there
is no code to log them IIRC.


Please note that the intercepted server IP address, the client-supplied
SNI name, the server-supplied common name (CN), the server-supplied
alternative names, and the host info in the encrypted client HTTP
request may all be different.

Given the variety of information sources that might supply different
information, it is not clear to me whether %ru should be based on SNI
information when both TCP-level and SNI information is available. Or
should it be based on CN? Or perhaps on CN _unless_ SNI matches one of
the alternative names?? This is a complicated issue; even the smart
server_name ACL needs parameters to clarify what "server name(s)" the
admin really wants to use/trust...

According to Mark's email, %ru uses TCP-level info. We could either
change %ru to use the "latest" info (like the server_name ACL does) or
add a new logformat code that does that while leaving the old %ru and
friends alone. Given the complexity of the issue, the latter may be a
better approach.


HTH,

Alex.

> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Mark Hoare
> Sent: Saturday, December 31, 2016 4:38 PM
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] ssl_bump - peek & splice logging IP rather than server name

> Extract from access log:
>> 1483193882.790    870 <local ip removed> TCP_TUNNEL/200 5620 CONNECT 64.41.200.100:443 - ORIGINAL_DST/64.41.200.100 -

> From the output above I would have expected some of the server name info to get into the access log.

>> http_port 3128
>>
>> https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/squidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>
>> http_port 3131 intercept ssl-bump cert=/etc/squid/ssl_cert/squidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

>> ssl_bump peek all
>> ssl_bump splice all
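As an added illustration of the logformat advice above (this is not configuration from Alex or from Mark's post), the fragment below extends the stock squid format with the `%ssl::>sni` code that squid.conf.documented describes, plus `%ssl::bump_mode` so each line shows which ssl_bump step produced it. The format name `sni_log` and the log path are assumptions chosen for the example:

```conf
# Added example, not from the original thread: log the client-supplied SNI next to
# the TCP-level destination that %ru reports for intercepted CONNECT tunnels.
# Field order mirrors the default "squid" logformat, with two extra columns at the end:
#   %ssl::>sni       client SNI, only populated after a peek, stare or splice step ("-" otherwise)
#   %ssl::bump_mode  the ssl_bump decision applied to this transaction (e.g. peek, splice)
logformat sni_log %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni %ssl::bump_mode

# Write the access log with the custom format instead of the built-in one.
access_log /var/log/squid/access.log sni_log

# Unchanged from the quoted post: peek first so the SNI is parsed, then splice.
ssl_bump peek all
ssl_bump splice all
```

With this format the ORIGINAL_DST IP from `%ru` and the SNI sit on the same line, so a log consumer can see when the two disagree. The SNI column is whatever the client sent in its ClientHello, so treat it as an untrusted label for reporting, not as a verified server identity; as Alex notes, the SNI, the server certificate CN and the alternative names can all differ.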
