
Re: 3.5.8 — SSL Bump questions


On 08/09/15 20:32, Amos Jeffries wrote:
> The second one is a fake CONNECT generated internally by Squid using
Is it too late to propose that intercepted SSL transactions be logged as
something besides "CONNECT"? I know I find it confusing - and so do
others. I appreciate the logic behind it - but people are people :-)

How about (for intercepted SSL)

PEEKED 1.2.3.4:443
GET https://github.com/image.txt

vs

PEEKED 5.6.7.8:443
SPLICED google.com:443

This way we could have a squid server that does transparent SSL plus
formal proxy (on different ports of course) and CONNECT/PEEKED/SPLICED
would enable the admin to tell the difference between a formal proxy
session and an intercepted one. i.e. the same transactions via formal
proxy would be

CONNECT github.com:443
GET https://github.com/image.txt

vs

CONNECT google.com:443
SPLICED google.com:443

I guess with my logging format, log parsers would skip all
PEEKED/CONNECT lines as redundant (although they're useful for us humans)

Yeah, it would break existing logging tools - but so does the "GET
https://..." stuff anyway - so they need updating too ;-)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
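
The distinction the message proposes, as an added example that is not part of the original post or of Squid: a parser that pairs each opener line with what follows it and labels every tunnel as intercepted or explicit-proxy, and as bumped or spliced. It assumes the simplified `METHOD target` lines shown in the message, in order from a single client connection; `PEEKED` and `SPLICED` are the proposed tokens, and the sample lines are constructed.

```python
# Added example: PEEKED and SPLICED are the method tokens proposed in the
# message above, not tokens that Squid is known to log.
OPENERS = {"PEEKED": "intercepted", "CONNECT": "explicit-proxy"}

# Constructed sample: the four sessions from the message, one tunnel with no
# follow-up line, and a bumped tunnel carrying two requests.
SAMPLE = """\
PEEKED 1.2.3.4:443
GET https://github.com/image.txt
PEEKED 5.6.7.8:443
SPLICED google.com:443
CONNECT github.com:443
GET https://github.com/image.txt
CONNECT google.com:443
SPLICED google.com:443
PEEKED 192.0.2.10:443
CONNECT example.org:443
GET https://example.org/a
GET https://example.org/b
"""

def classify(lines):
    """Return one dict per tunnel: mode, opener target, outcome, requests."""
    sessions, current = [], None
    for raw in lines:
        parts = raw.split()
        if len(parts) != 2:
            continue  # blank or malformed line
        method, target = parts
        if method in OPENERS:
            # A new opener starts a new tunnel; outcome stays "unknown"
            # until a SPLICED or decrypted-request line follows it.
            current = {"mode": OPENERS[method], "opened": target,
                       "outcome": "unknown", "requests": []}
            sessions.append(current)
        elif current is None:
            continue  # follow-up line with no opener before it
        elif method == "SPLICED":
            current["outcome"] = "spliced"
            current["requests"].append(target)
        elif target.startswith("https://"):
            current["outcome"] = "bumped"  # decrypted request was logged
            current["requests"].append(f"{method} {target}")
    return sessions

if __name__ == "__main__":
    for s in classify(SAMPLE.splitlines()):
        print(s["mode"], s["outcome"], s["opened"], s["requests"])
```

Real access.log lines carry more fields than this, so a production parser would key tunnels on client address and port rather than on line order.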



