[squid-users] debugging ssl-bump
Amos Jeffries
squid3 at treenet.co.nz
Thu Jul 20 01:40:26 UTC 2017
On 19/07/17 05:02, Marcus Kool wrote:
>
> I am trying to debug ssl-bump and am looking specifically for decisions
> that Squid takes with regard to bumping, splicing and unsupported protocol.
>
> The config file for Squid 4.0.21 has
>
> debug_options ALL,1 33,9 83,9
>
Section 28 is probably where you want to look for the splice detail
since it is an access control action decision point.
There are a few TLS details going to 81, but mostly for server connections.
You may also want to include the TCP level I/O details in section 5 if
the section 83 OpenSSL BIO is not enough.
And the 11,2 trace of when HTTP(S) messages are arriving can be useful
to trace when and what Squid is managing to decrypt.
And section 26 for CONNECT tunnel handling, which may show when/how
splice or on_unsupported_protocol are being handled.
Amos
> http_port 10.10.10.1:3230 ssl-bump ...
>
> acl tls_is_skype ssl::server_name "/var/ufdbguard/blacklists/chat/skype/iplist"
> acl tls_is_skype ssl::server_name .skype.com
> acl tls_allowed_hsts ssl::server_name www.google.com
> acl tls_urlfilterdb ssl::server_name www.urlfilterdb.com
> acl tls_server_is_bank ssl::server_name .abnamro.nl
> acl tls_server_is_bank ssl::server_name .abnamro.com
> acl tls_to_splice any-of tls_allowed_hsts tls_urlfilterdb tls_server_is_bank tls_is_skype
>
> ssl_bump splice tls_to_splice
> ssl_bump stare all
> ssl_bump bump all
>
> on_unsupported_protocol tunnel all
>
> But I fail to see in cache.log anything that gives a clue about
> - squid decided to splice
> - squid decided to bump
> - squid decided to treat a connection as "unsupported protocol".
>
> Are there other debug sections than 33 and 83 that need an increased
> debug level?
> What strings do I have to look for in cache.log to understand the above
> decisions that Squid takes?
The regular ACL checklist and results, I think, for that particular
tracing. The TLS parser and bumping logic are not all debug traced, for
performance-first reasons. Where debugs exist it is usually at a
problem/error handling code path initiation.
Amos
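As an added example (not from the thread, and not Squid project code): a small POSIX shell helper that carries the debug_options line Amos is suggesting and filters a cache.log down to the sections of interest, so the section 28 ACL checklist lines and the section 26 CONNECT handling can be read side by side instead of buried under ALL,1 noise. It assumes the Squid 3.2+/4 cache.log layout in which debug lines carry a "SECTION,LEVEL|" field after the "kidN|" field; the sample log lines below are constructed for the demonstration and their message text is illustrative only, not real Squid output.

```shell
#!/bin/sh
# Added example, not part of the mailing-list post.
# Assumption: cache.log debug lines look like
#   2017/07/20 01:40:26.001 kid1| 28,3| File.cc(NN) func: message
# i.e. a "SECTION,LEVEL|" token after the kid token. The token position
# is searched, not hard-coded, so builds without the kid prefix still work.

# debug_options as the reply suggests: keep 33 and 83, add 28 (ACL
# checks, where the ssl_bump splice/bump decision is made), 81 (server
# side TLS), 5 (TCP I/O), 11,2 (HTTP message arrival), 26 (CONNECT tunnels).
SQUID_DEBUG_OPTIONS='debug_options ALL,1 5,9 11,2 26,9 28,9 33,9 81,9 83,9'

# Print only the cache.log lines that belong to the given debug sections.
# usage: cache_log_sections /var/log/squid/cache.log 28 26
cache_log_sections() {
    logfile=$1
    shift
    # build ",28,26," so that section "8" cannot match "28"
    want=","
    for s in "$@"; do
        want="$want$s,"
    done
    awk -v want="$want" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9]+,[0-9]+[|]$/) {
                    split($i, tag, ",")
                    if (index(want, "," tag[1] ",") > 0) print
                    break
                }
            }
        }' "$logfile"
}

# Constructed sample log for a stand-alone run (message bodies are
# placeholders, only the prefix layout matters to the filter).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2017/07/20 01:40:26.001 kid1| 28,3| Checklist.cc(1) preCheck: checking ssl_bump
2017/07/20 01:40:26.002 kid1| 28,5| Acl.cc(1) matches: checking tls_to_splice
2017/07/20 01:40:26.003 kid1| 83,5| bio.cc(1) stateChanged: FD 12 TLS state change
2017/07/20 01:40:26.004 kid1| 26,3| tunnel.cc(1) tunnelStart: CONNECT 10.0.0.5:443
2017/07/20 01:40:26.005 kid1| Starting Squid Cache version 4.0.21 for x86_64
EOF

# Demo: the ACL decision trace (28) next to the CONNECT tunnel trace (26).
echo "$SQUID_DEBUG_OPTIONS"
cache_log_sections "$SAMPLE_LOG" 28 26
```

Point it at the real cache.log once the wider debug_options line is in place (squid -k reconfigure picks it up); the last sample line, with no section token, shows why an ALL,1 banner line is dropped rather than mis-filed.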