
Re: debugging ssl-bump

On 19/07/17 05:02, Marcus Kool wrote:

> I am trying to debug ssl-bump and am looking specifically for decisions that Squid takes with regard to bumping, splicing and unsupported protocol.
>
> The config file for Squid 4.0.21 has
>
> debug_options ALL,1 33,9 83,9


Section 28 is probably where you want to look for the splice detail since it is an access control action decision point.

There are a few TLS details going to 81, but mostly for server connections.

You may also want to include the TCP level I/O details in section 5 if the section 83 OpenSSL BIO is not enough.

And the 11,2 trace of when HTTP(S) messages are arriving can be useful to trace when and what Squid is managing to decrypt.

And section 26 for CONNECT tunnel handling, which may show when/how splice or on_unsupported_protocol are being handled.

Amos



> http_port 10.10.10.1:3230        ssl-bump ...
>
> acl tls_is_skype ssl::server_name "/var/ufdbguard/blacklists/chat/skype/iplist"
> acl tls_is_skype ssl::server_name .skype.com
> acl tls_allowed_hsts ssl::server_name www.google.com
> acl tls_urlfilterdb ssl::server_name www.urlfilterdb.com
> acl tls_server_is_bank ssl::server_name .abnamro.nl
> acl tls_server_is_bank ssl::server_name .abnamro.com
> acl tls_to_splice any-of tls_allowed_hsts tls_urlfilterdb tls_server_is_bank tls_is_skype
>
> ssl_bump splice tls_to_splice
> ssl_bump stare  all
> ssl_bump bump   all
>
> on_unsupported_protocol tunnel all
>
> But I fail to see in cache.log anything that gives a clue about
> - squid decided to splice
> - squid decided to bump
> - squid decided to treat a connection as "unsupported protocol".
>
> Are there other debug sections than 33 and 83 that need an increased debug level? What strings do I have to look for in cache.log to understand the above decisions that Squid takes?

The regular ACL checklist and results I think for that particular tracing. The TLS parser and bumping logic is not all debug traced due to performance-first reasons. Where debugs exist it is usually at a problem/error handling code path initiation.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
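To sift the cache.log volume that the sections named above produce, here is an added Python helper (not from this thread or the Squid project) that parses debugs() lines and pulls out the section 28 (ACL checklist) and 26 (CONNECT tunnel) entries that mention the ssl_bump ACLs from the config above. It assumes the `YYYY/MM/DD HH:MM:SS.mmm kidN| section,level| file(line) func: message` line layout; the sample lines are constructed and their message texts are illustrative, not real Squid output.

```python
import re
from collections import Counter

# Assumed cache.log layout for debugs() output (Squid 3.2+/4.x):
#   YYYY/MM/DD HH:MM:SS.mmm kidN| section,level| file.cc(line) func: message
# Level-1 lines have no "section,level|" field and are recorded as section None.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) kid(?P<kid>\d+)\| "
    r"(?:(?P<section>\d+),(?P<level>\d+)\| )?(?P<msg>.*)$"
)

def parse_line(line):
    """Split one cache.log line into fields; None if it is not a debugs() line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    sec = m.group("section")
    return {"ts": m.group("ts"), "msg": m.group("msg"),
            "section": int(sec) if sec else None,
            "level": int(m.group("level")) if sec else 1}

def decision_trail(lines, keywords, sections=(26, 28)):
    """Keep lines from the ACL (28) and tunnel (26) sections whose message names
    one of the ssl_bump ACLs or actions; returns (section, level, msg) tuples."""
    trail = []
    for rec in map(parse_line, lines):
        if rec is None or rec["section"] not in sections:
            continue
        if any(k in rec["msg"] for k in keywords):
            trail.append((rec["section"], rec["level"], rec["msg"]))
    return trail

def section_histogram(lines):
    """Count parsed lines per debug section, to see where the log volume goes."""
    return Counter(r["section"] for r in map(parse_line, lines) if r)

# Constructed sample lines for demonstration; message texts are illustrative only.
SAMPLE_LOG = """\
2017/07/19 05:02:00.001 kid1| Starting Squid Cache version 4.0.21 for x86_64...
2017/07/19 05:02:01.100 kid1| 83,5| bio.cc(100) read: FD 12 read 517 bytes
2017/07/19 05:02:01.101 kid1| 28,3| Checklist.cc(63) preCheck: checking tls_to_splice
2017/07/19 05:02:01.102 kid1| 28,5| Acl.cc(150) matches: tls_server_is_bank = 1
2017/07/19 05:02:01.103 kid1| 26,3| tunnel.cc(900) switchToTunnel: FD 12 splice
""".splitlines()

# ACL names from the config above plus the action words to look for.
SSL_BUMP_KEYWORDS = ["tls_to_splice", "tls_server_is_bank", "splice", "bump", "tunnel"]
```

Run it against a real cache.log with `decision_trail(open("cache.log"), SSL_BUMP_KEYWORDS)` after raising sections 26 and 28; `section_histogram` shows which sections dominate if the log becomes too large.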