[squid-users] tls_key_log Configuration

Alex Rousskov rousskov at measurement-factory.com
Sun Jan 23 17:40:11 UTC 2022


On 1/23/22 11:10 AM, toma leopold wrote:
> I know squid 6.0 is not out yet but I wanted to try the tls_key_log
> feature. 
> 
> Using:
> 
> tls_key_log stdio:/logfile
> 
> only works partially.
> From client to proxy only TLS 1.2 is negotiated but I get the secret
> values and the random number.
> For proxy to server connections I get the random number from the proxy
> in the log but no secrets. TLS 1.3 is used for this connection.
> Any ideas what could be the issue?

Squid does not support logging of TLS v1.3 secrets yet.

When tls_key_log was initially implemented, Squid did not support the
OpenSSL version that could extract TLS v1.3 connection secrets - OpenSSL
v1.1.1. There is even a corresponding TODO in the code: "Support
SSL_CTX_set_keylog_callback() available since OpenSSL v1.1.1".

IIRC, Squid supports that OpenSSL version now. Thus, support for logging
TLS v1.3 connection secrets can and should be added. When deciding on
the tls_key_log output format, we tried to anticipate TLS v1.3 needs, so
I hope that adding that support will not require serious format changes.

This whole issue is complicated by the fact that it would be much easier
to just rely on the new OpenSSL SSL_CTX_set_keylog_callback() API for
_all_ TLS secret extraction, but we cannot do that for as long as we
have to support earlier OpenSSL versions that lack that API. One of the
reasons we did not push for TLS v1.3 logging during the initial
tls_key_log implementation is my hope that (by the time we start working
on that additional support) Squid master/v6 would no longer have to
support earlier OpenSSL versions.


HTH,

Alex.
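The reply turns on what a TLS v1.3-capable key log has to contain compared with a TLS v1.2 one. The script below is an added example, not Squid code and not from this thread: it parses key-log lines in the NSS Key Log Format (the format that OpenSSL's SSL_CTX_set_keylog_callback() delivers and that Wireshark reads from SSLKEYLOGFILE) and reports, per client random, whether the logged secrets are enough to decrypt that connection. For TLS v1.2 a single CLIENT_RANDOM record suffices; for TLS v1.3 the per-direction application traffic secrets must be present, and a connection whose handshake secrets were logged without them is flagged as incomplete. Whether Squid's own tls_key_log output matches this format exactly is an assumption here; the sample log lines are constructed, not captured traffic.

```python
"""Check a TLS key log (NSS Key Log Format) for decryptable connections.

Added example, not part of the squid-users thread or the Squid code base.
Assumes the line format produced by OpenSSL's keylog callback:
    <LABEL> <client_random hex> <secret hex>
"""
from collections import defaultdict

# Label emitted for TLS 1.2 (and earlier) sessions.
TLS12_LABELS = {"CLIENT_RANDOM"}

# Labels emitted for TLS 1.3 sessions (OpenSSL >= 1.1.1).
TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}

# Minimum a decoder needs to decrypt TLS 1.3 application data in both directions.
TLS13_REQUIRED = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}


def _is_hex(s):
    """True for a non-empty, even-length hex string (whole bytes)."""
    if not s or len(s) % 2:
        return False
    try:
        int(s, 16)
    except ValueError:
        return False
    return True


def parse_keylog(text):
    """Return {client_random: {label: secret}}.

    Comment lines (starting with '#'), blank lines and anything that is not a
    three-field record with hex payloads are skipped rather than rejected, so a
    partially written or annotated log still yields what it can.
    """
    conns = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue
        label, client_random, secret = parts
        if not _is_hex(client_random) or not _is_hex(secret):
            continue
        conns[client_random.lower()][label] = secret.lower()
    return dict(conns)


def classify(conns):
    """Map each client random to 'tls1.2', 'tls1.3', 'tls1.3-incomplete' or 'unknown'."""
    result = {}
    for client_random, secrets in conns.items():
        labels = set(secrets)
        if labels & TLS13_LABELS:
            complete = TLS13_REQUIRED <= labels
            result[client_random] = "tls1.3" if complete else "tls1.3-incomplete"
        elif labels & TLS12_LABELS:
            result[client_random] = "tls1.2"
        else:
            # e.g. legacy 'RSA' records, whose second field is not a client random
            result[client_random] = "unknown"
    return result


def report(text):
    """Parse a key log and classify every connection found in it."""
    return classify(parse_keylog(text))


# Constructed sample: one TLS 1.2 connection, one complete TLS 1.3 connection,
# and one TLS 1.3 connection where only a handshake secret was logged.
SAMPLE_LOG = "\n".join([
    "# constructed sample log, not real traffic",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "ee" * 32,
    "EXPORTER_SECRET " + "22" * 32 + " " + "ff" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "bb" * 32,
    "this line is not a key log record and is skipped",
])

if __name__ == "__main__":
    for client_random, status in report(SAMPLE_LOG).items():
        print(client_random[:16] + "...", status)
```

Run against a real log, the "tls1.3-incomplete" and missing entries are the connections a decoder such as Wireshark will be unable to open, which is the symptom described at the top of the thread once the proxy-to-server leg negotiates TLS v1.3.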
