[squid-users] Very basic peek & splice

Alex Rousskov rousskov at measurement-factory.com
Thu Sep 27 16:07:34 UTC 2018


On 09/27/2018 02:43 AM, Ralf Hildebrandt wrote:
> I recompiled my squid-5 with openssl and added
> 
> ssl_bump peek all
> ssl_bump splice all
> 
> to my squid.conf. What logging should I expect to verify it's actually
> working?

Logging %ssl::bump_mode may be a good idea.

For a particular _spliced_ transaction, logging the server-provided
certificate details (e.g., %ssl::<cert_subject) would confirm that Squid
peeked at the certificate before splicing.

Besides %ssl::bump_mode, reliably distinguishing spliced connections from
bumped connections is difficult AFAICT because Squid does not have a
%code for Squid-sent server certificate details.

Please note that a successful splice using your configuration should
result in two CONNECT access.log entries. I am focusing on the second
one. See Amos' response for more details regarding these two entries.


FWIW, I recommend using a few test cases to double check that your
verification method (whatever it is) works well for step3 splicing:

1. Successful splice with a trusted TLS server.
2. Failed splice with an untrusted TLS server.
3. Failed splice with a non-TLS (e.g., an HTTP) server.
4. Failed splice with a TLS server rejecting your TLS client.
5. Failed splice with a down server.
6. Failed splice with a server having an unresolvable DNS name.
...


HTH,

Alex.
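As an added example (not part of Alex's message and not Squid's own code), the script below applies the checks described above to an access.log written with an assumed custom logformat that includes %ssl::bump_mode and %ssl::<cert_subject. It groups the two CONNECT entries of each peek-then-splice transaction by client and destination and reports, for the second entry, whether the splice succeeded and whether a peeked server certificate was recorded. The logformat line, the field order and the log lines are constructed for the example, and the failure statuses are illustrative rather than a statement of what Squid logs in each of the six test cases.

```python
"""Classify SslBump peek/splice CONNECT pairs from a Squid access.log.

Assumed squid.conf additions (constructed for this example, not from the thread):

  logformat sslbump %ts.%03tu %>a %Ss/%03>Hs %rm %ru %ssl::bump_mode %ssl::>sni %ssl::<cert_subject
  access_log /var/log/squid/sslbump.log sslbump

The certificate subject is placed last because it may contain spaces.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (not captured traffic). Each destination has the
# two CONNECT entries Alex mentions: the first after peeking, the second after splicing.
SAMPLE_LOG = """\
1538064123.412 192.0.2.10 TCP_TUNNEL/200 CONNECT example.com:443 peek example.com -
1538064123.587 192.0.2.10 TCP_TUNNEL/200 CONNECT example.com:443 splice example.com CN=example.com,O=Example Inc,C=US
1538064130.001 192.0.2.11 TCP_TUNNEL/200 CONNECT bad.example.net:443 peek bad.example.net -
1538064130.230 192.0.2.11 NONE/503 CONNECT bad.example.net:443 splice bad.example.net CN=bad.example.net,O=Untrusted CA
1538064140.500 192.0.2.12 TCP_TUNNEL/200 CONNECT bumped.example.org:443 peek bumped.example.org -
1538064140.700 192.0.2.12 TCP_TUNNEL/200 CONNECT bumped.example.org:443 bump bumped.example.org CN=bumped.example.org
1538064150.900 192.0.2.13 TCP_TUNNEL/200 CONNECT lonely.example.org:443 peek lonely.example.org -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<client>\S+) (?P<status>\S+) (?P<method>\S+) (?P<dest>\S+) "
    r"(?P<mode>\S+) (?P<sni>\S+) (?P<subject>.*)$"
)


@dataclass
class Entry:
    ts: float
    client: str
    status: str                   # Squid status/HTTP code, e.g. "TCP_TUNNEL/200"
    method: str
    dest: str
    bump_mode: str                # %ssl::bump_mode: peek, splice, bump, ...
    sni: str
    cert_subject: Optional[str]   # None when Squid logged "-" (no certificate seen)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one line of the assumed logformat; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    subject = m.group("subject").strip()
    return Entry(
        ts=float(m.group("ts")),
        client=m.group("client"),
        status=m.group("status"),
        method=m.group("method"),
        dest=m.group("dest"),
        bump_mode=m.group("mode"),
        sni=m.group("sni"),
        cert_subject=None if subject in ("", "-") else subject,
    )


def http_status(entry: Entry) -> int:
    """Extract the HTTP status code from Squid's STATUS/CODE field."""
    return int(entry.status.rsplit("/", 1)[-1])


def classify_pair(first: Entry, second: Entry) -> str:
    """Apply the checks from the message to the second CONNECT entry of a pair."""
    if second.bump_mode != "splice":
        return "not-spliced"             # e.g. bumped; bump_mode is the reliable signal
    if not 200 <= http_status(second) < 300:
        return "splice-failed"           # failure cases such as test cases 2..6
    if second.cert_subject is None:
        return "spliced-without-cert"    # nothing confirms that Squid peeked at a certificate
    return "peeked-and-spliced"          # server certificate details logged on a spliced entry


def classify_log(text: str) -> Dict[str, str]:
    """Group CONNECT entries by (client, destination) and classify each pair by destination."""
    groups: Dict[Tuple[str, str], List[Entry]] = defaultdict(list)
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and entry.method == "CONNECT":
            groups[(entry.client, entry.dest)].append(entry)
    result: Dict[str, str] = {}
    for (_client, dest), entries in groups.items():
        entries.sort(key=lambda e: e.ts)
        if len(entries) < 2:
            result[dest] = "incomplete"  # only one CONNECT entry: no second entry to judge
        else:
            result[dest] = classify_pair(entries[0], entries[1])
    return result


if __name__ == "__main__":
    for dest, verdict in classify_log(SAMPLE_LOG).items():
        print(f"{dest:28} {verdict}")
```

Run it against a real log written with the assumed logformat to get one verdict per destination; only "peeked-and-spliced" confirms both that the transaction ended in a splice and that the peeked server certificate was recorded.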

