On 4/06/2015 6:29 p.m., sp_ wrote:
> Hello Amos,
>
> thank you for your reply.
>
> Let's take for instance this line:
>
> 192.168.78.31 - - [04/Jun/2015:09:41:22 +0300] "CONNECT 173.194.122.233:443 HTTP/1.1" 200 0 "-" "-" TCP_DENIED:HIER_NONE
>
> I have dumped the traffic passing through the interface on the router during this request.
> In the Client Hello, in the "server_name" extension, I can see the domain:
>
> Server Name: clients4.google.com

In your packet trace look at the details in the TCP SYN packet *only* to see what the Squid CONNECT has available.

> According to the RFC, the domain is a must in the Client Hello when SNI is used.

Yes. But the ClientHello is not part of a TCP SYN packet - which is what Squid is working with when it does that fake CONNECT message processing.

The TLS packets have explicitly not been read into Squid yet in case splice, none, or terminate actions are to be done by the ssl_bump step1 rules.

If the bumping is successful there will be other requests from inside the TLS that get logged with the domain etc.

For now Squid does not log any of the SSL-bumping process itself. There is an open bug about that now.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
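An added squid.conf fragment (written for this page, not posted by anyone in the thread) showing the step1/step2 distinction Amos describes in Squid 3.5 ssl_bump syntax: the SNI name only becomes matchable after a peek at step1, so any decision that needs the domain must be made at step2. The listening port, certificate path and client subnet are assumed placeholders.

```conf
# Intercepted HTTPS listener (placeholder port and certificate path).
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/bump.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Constructed to match the client address in the thread's log line.
acl localnet src 192.168.78.0/24

# Step 1: Squid has only the TCP SYN, i.e. client IP and destination IP:port.
# The fake CONNECT it builds is therefore "CONNECT 173.194.122.233:443", and
# http_access is evaluated against that. A dstdomain ACL cannot match the
# SNI here because the ClientHello has not been read yet.
http_access allow localnet
http_access deny all

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Peek at step1 so the ClientHello (and its server_name extension) is read
# before any splice/bump/terminate decision is taken.
ssl_bump peek step1

# Step 2: the ClientHello has been parsed, so ssl::server_name now carries the
# SNI value (clients4.google.com in the capture quoted above).
acl nobump_sites ssl::server_name .google.com
ssl_bump splice nobump_sites
ssl_bump bump all
```

Spliced connections still show only the step1 CONNECT line in access.log, which is why a denied or spliced TLS session is logged by IP rather than by name.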