Squid doesn't use domain name as a request URL in access.log when splice at step 3 occurs

[Garri Djavadyan <garryd@xxxxxxxxx>]

On 2016-11-05 01:15, Alex Rousskov wrote:
> On 11/04/2016 08:06 AM, Garri Djavadyan wrote:
> > On Fri, 2016-11-04 at 17:43 +0500, Garri Djavadyan wrote:
> > > I noticed that Squid doesn't use gathered domain name information for
> > > %ru in access.log when splice action is performed at step 3 for
> > > intercepted traffic.
>
> %ru is about client/user actions. It should be filled with what the
> client sent to Squid. In an intercepting and splicing configuration 
> like
> yours, %>ru (and deprecated %ru) should contain the intended 
> destination
> IP address (at step 1) and SNI, if any, at step 2+.
>
> >  %ru  Request URL from client (historic, filtered for logging)
> > %>ru  Request URL from client
> > %<ru  Request URL sent to server or peer
>
> According to the above, during step 3, %<ru should have SNI sent by
> Squid to the server (if any) or the server IP (otherwise).

I've added the codes %>ru, %<ru and %ssl::bump_mode in the following 
tests.


> > > $ curl https://www.openssl.org/ > /dev/null
>
> > > https_port 3129 intercept ssl-bump ..
> > > logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un 
> > > %Sh/%<a %mt %ssl::>sni
>
>
> > > at step 2:
>
> > > 1478256091.609   1028 172.16.0.21 TAG_NONE/200 0 CONNECT 
> > > 104.124.119.14:443 - HIER_NONE/- - www.openssl.org
> > > 1478256091.609   1026 172.16.0.21 TCP_TUNNEL/200 9807 CONNECT 
> > > www.openssl.org:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
>
> OK.
>
>
> > > at step 3:
>
> > > 1478256303.420    574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT 
> > > 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
>
> Just one record? That in itself is probably a bug!

Yes, I get only one record for splicing at step 3 using Squid 
3.5.22/4.0.16


> Please see whether trunk r14913 (or any later revision) improves or
> fixes this. That revision contains important and potentially relevant
> changes.

I re-tested the case using Squid 4.0.16-20161104-r14917. Now, Squid lost 
it's ability to mark SNI in %ru at step 2 too.
Below are my results:

----------------
| Squid 4.0.16 |
----------------
Config:
https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem 
generate-host-certificates=off
acl StepSplice at_step SslBump2
ssl_bump splice StepSplice
ssl_bump peek all
logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un 
%Sh/%<a %mt %ssl::bump_mode %ssl::>sni %>ru %<ru

Result:
1478346360.722 000415 192.168.6.6 NONE/200 0 CONNECT 173.194.122.224:443 
- HIER_NONE/- - peek google.com 173.194.122.224:443 173.194.122.224:443
1478346360.722 000377 192.168.6.6 TCP_TUNNEL_ABORTED/200 4747 CONNECT 
google.com:443 - ORIGINAL_DST/173.194.122.224 - splice google.com 
google.com:443 google.com:443

-------
Config:
https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem 
generate-host-certificates=off
acl StepSplice at_step SslBump3
ssl_bump splice StepSplice
ssl_bump peek all
logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un 
%Sh/%<a %mt %ssl::bump_mode %ssl::>sni %>ru %<ru

Result:
1478346440.426 000448 192.168.6.6 TCP_TUNNEL_ABORTED/200 4747 CONNECT 
173.194.122.224:443 - ORIGINAL_DST/173.194.122.224 - peek google.com 
173.194.122.224:443 173.194.122.224:443


--------------------------------
| Squid 4.0.16-20161104-r14917 |
--------------------------------
Config:
https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem 
generate-host-certificates=off
acl StepSplice at_step SslBump2
ssl_bump splice StepSplice
ssl_bump peek all
logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un 
%Sh/%<a %mt %ssl::bump_mode %ssl::>sni %>ru %<ru

Result:
1478347007.973 000404 192.168.6.6 TCP_TUNNEL/200 4747 CONNECT 
173.194.122.224:443 - ORIGINAL_DST/173.194.122.224 - peek google.com 
173.194.122.224:443 173.194.122.224:443

--------
Config:
https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem 
generate-host-certificates=off
acl StepSplice at_step SslBump3
ssl_bump splice StepSplice
ssl_bump peek all
logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un 
%Sh/%<a %mt %ssl::bump_mode %ssl::>sni %>ru %<ru

Result:
1478347140.363 000412 192.168.6.6 TCP_TUNNEL/200 4747 CONNECT 
173.194.122.224:443 - ORIGINAL_DST/173.194.122.224 - peek google.com 
173.194.122.224:443 173.194.122.224:443


--------------
The request used in the tests is 'curl https://google.com/ > /dev/null'.

> > It prevents domain name identification when SNI is not provided by a
> > client. For example:
> >
> > Request:
> > $ echo -e "HEAD / HTTP/1.1\nHost: www.openssl.org\n\n" | openssl
> > s_client -quiet -no_ign_eof -connect www.openssl.org:443
> >
> > Result:
> > 1478267428.070    347 172.16.0.21 TCP_TUNNEL/200 235 CONNECT 
> > 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - -
>
> IMO, the lack of a domain name is correct in this %ru case -- the 
> client
> did not send a domain name to Squid!

I got it, thanks. AIUI, there is no code format which could be used to 
represent domain name information gathered from certificate 
(subjectAltName). Am I right?

Thanks.

Garri
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users