On 02/15/2018 07:32 AM, Amos Jeffries wrote:
> On 16/02/18 01:44, Peter Viskup wrote:
>> Running squid version 4.0.23 with logformat including
>>
>> SSLBumpMode=%ssl::bump_mode SSLSNI="%ssl::>sni"
>> SSLClientProto="%ssl::>negotiated_version"
>> SSLServerProto="%ssl::<negotiated_version"
>> SSLBumpClientCipher="%ssl::>negotiated_cipher"
>> SSLBumpServerCipher="%ssl::<negotiated_cipher"
>> SSLBumpSubject="%ssl::<cert_subject"
>> SSLBumpIssuer="%ssl::<cert_issuer"
>>
>> and ssl_bump configured simply with
>>
>> ssl_bump bump all
>> http_access allow all
>>
>> the messages are still logged with dashes for the Subject and Issuer values
>>
>> SSLBumpMode=bump SSLSNI="www.google.sk" SSLClientProto="TLS/1.0" SSLServerProto="TLS/1.2"
>> SSLBumpClientCipher="ECDHE-RSA-AES256-SHA" SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256"
>> SSLBumpSubject="-" SSLBumpIssuer="-"
>>
>> Am I doing something wrong or did I overlook something?

> You told Squid to "bump all" which, by itself, means bump immediately
> after client Hello arrives.

In other words, you are doing a rough equivalent of the ancient client-first bumping. To tell Squid to look at the client and server TLS handshake messages (including the server certificate) before bumping the connection, use something like this:

  ssl_bump stare all
  ssl_bump bump all

> So there is no server cert to get details
> from until after bumping finishes

The log message contains a server cipher (%ssl::<negotiated_cipher) so Squid ought to know the certificate as well. The missing certificate in this context sounds like a bug or a missing feature to me: Either the server cipher should not be logged (if Squid did not see the origin handshake yet) or both the cipher and the certificate details should be logged. The only exception I could think of is a TLS negotiation error where the server sends the cipher but not the certificate.

The above problem may not be important if, in fact, you did not actually want to use client-first bumping (which usually does not work well), _and_ staring at the server (i.e., stare all) logs the information you want. However, that does not mean the problem is not there.

HTH,

Alex.

P.S. Your log entries will be malformed if certificate subject or issuer contains a quote character.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
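The two points Alex raises (a server cipher logged while the certificate fields are "-", and entries that break when a subject or issuer contains a quote) are easy to check for in an existing access.log. The following Python script is an added example, not code from the thread or from Squid: it parses entries written with Peter's logformat, flags the cipher-without-certificate inconsistency, and reports entries that cannot be split cleanly because of an unescaped quote. The sample log is constructed: the first line is Peter's entry, the second and third are invented (the certificate subjects and issuers are not real).

```python
"""Audit Squid access.log entries written with the logformat from this thread.

Added example, not Squid code. It parses the NAME=value / NAME="value" pairs,
flags the inconsistency Alex describes (a %ssl::<negotiated_cipher present
while %ssl::<cert_subject / %ssl::<cert_issuer are "-"), and shows why his
P.S. matters: this logformat does not escape quotes, so a quote inside a
certificate subject leaves text the parser cannot assign to any field.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample. Line 1 is the entry Peter posted. Lines 2 and 3 are
# invented: line 2 is what a fully populated entry looks like once the server
# certificate is known; line 3 has a subject containing a double quote.
SAMPLE_LOG = (
    'SSLBumpMode=bump SSLSNI="www.google.sk" SSLClientProto="TLS/1.0" '
    'SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES256-SHA" '
    'SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" '
    'SSLBumpSubject="-" SSLBumpIssuer="-"\n'
    'SSLBumpMode=bump SSLSNI="www.example.com" SSLClientProto="TLS/1.2" '
    'SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES256-GCM-SHA384" '
    'SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" '
    'SSLBumpSubject="/CN=www.example.com" '
    'SSLBumpIssuer="/C=US/O=Example CA/CN=Example Issuing CA"\n'
    'SSLBumpMode=bump SSLSNI="shop.example" SSLClientProto="TLS/1.2" '
    'SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES256-GCM-SHA384" '
    'SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" '
    'SSLBumpSubject="/CN=shop.example/O=Acme "Widgets" Ltd" '
    'SSLBumpIssuer="/CN=Acme CA"\n'
)

# One field: NAME=bare-token or NAME="anything up to the next double quote".
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


class MalformedEntry(ValueError):
    """Raised when text is left over between fields (an unescaped quote)."""


def parse_entry(line: str) -> Dict[str, str]:
    """Split one log line into a field dict, refusing to silently drop text."""
    fields: Dict[str, str] = {}
    pos = 0
    for m in FIELD.finditer(line):
        gap = line[pos:m.start()]
        if gap.strip():
            raise MalformedEntry(f"unparsed text {gap.strip()!r} before {m.group(1)}")
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        pos = m.end()
    if line[pos:].strip():
        raise MalformedEntry(f"trailing text {line[pos:].strip()!r}")
    return fields


def check_entry(fields: Dict[str, str]) -> List[str]:
    """Return inconsistencies between the server-side TLS fields of one entry."""
    problems: List[str] = []
    cipher = fields.get("SSLBumpServerCipher", "-")
    subject = fields.get("SSLBumpSubject", "-")
    issuer = fields.get("SSLBumpIssuer", "-")
    # Alex's point: if Squid got far enough into the origin handshake to know
    # the negotiated cipher, it should also know the server certificate.
    if cipher != "-" and (subject == "-" or issuer == "-"):
        problems.append("server cipher logged but certificate subject/issuer is '-'")
    # The reverse combination would be just as surprising.
    if cipher == "-" and (subject != "-" or issuer != "-"):
        problems.append("certificate details logged without a server cipher")
    return problems


def audit(log_text: str) -> List[Tuple[int, str]]:
    """Give each non-empty line a verdict: 'ok', 'malformed: ...', or the problems found."""
    results: List[Tuple[int, str]] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            fields = parse_entry(line)
        except MalformedEntry as e:
            results.append((n, f"malformed: {e}"))
            continue
        problems = check_entry(fields)
        results.append((n, "ok" if not problems else "; ".join(problems)))
    return results


if __name__ == "__main__":
    for n, verdict in audit(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents. The parser deliberately raises on leftover text instead of skipping it: with a permissive split, the third sample line would parse "successfully" with a truncated subject, which is exactly the kind of silent corruption that makes bump logs unreliable as an audit trail.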