On Thu, Feb 15, 2018 at 7:41 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> On 02/15/2018 07:32 AM, Amos Jeffries wrote:
>> On 16/02/18 01:44, Peter Viskup wrote:
>>> Running squid version 4.0.23 with logformat including
>>>
>>> SSLBumpMode=%ssl::bump_mode SSLSNI="%ssl::>sni"
>>> SSLClientProto="%ssl::>negotiated_version"
>>> SSLServerProto="%ssl::<negotiated_version"
>>> SSLBumpClientCipher="%ssl::>negotiated_cipher"
>>> SSLBumpServerCipher="%ssl::<negotiated_cipher"
>>> SSLBumpSubject="%ssl::<cert_subject"
>>> SSLBumpIssuer="%ssl::<cert_issuer"
>>>
>>> and ssl_bump configured simply with
>>>
>>> ssl_bump bump all
>>> http_access allow all
>>>
>>> the messages are still logged with dashes for the Subject and Issuer values
>>>
>>> SSLBumpMode=bump SSLSNI="www.google.sk" SSLClientProto="TLS/1.0" SSLServerProto="TLS/1.2"
>>> SSLBumpClientCipher="ECDHE-RSA-AES256-SHA"
>>> SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="-"
>>> SSLBumpIssuer="-"
>>>
>>> Am I doing something wrong or did I overlook something?
>
>> You told Squid to "bump all" which, by itself, means bump immediately
>> after client Hello arrives.
>
> In other words, you are doing a rough equivalent of the ancient
> client-first bumping. To tell Squid to look at the client and server TLS
> handshake messages (including the server certificate) before bumping the
> connection, use something like this:
>
> ssl_bump stare all
> ssl_bump bump all

Confirmed, with these two lines the cert information is logged as expected.
Will read the wiki once more.

> The log message contains a server cipher (%ssl::<negotiated_cipher) so
> Squid ought to know the certificate as well. The missing certificate in
> this context sounds like a bug or a missing feature to me: Either the
> server cipher should not be logged (if Squid did not see the origin
> handshake yet) or both the cipher and the certificate details should be
> logged. The only exception I could think of is a TLS negotiation error
> where the server sends the cipher but not the certificate.
>
> The above problem may not be important if, in fact, you did not actually
> want to use client-first bumping (which usually does not work well),
> _and_ staring at the server (i.e., stare all) logs the information you
> want. However, that does not mean the problem is not there.

I do not want to use client-first bump and thus the issue is solved by stare&bump.
Thank you.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
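A small audit of the access log fields discussed in this thread, added here as an example; it is not part of the thread and not Squid's own code. It parses lines in the poster's logformat and flags the condition Alex points out: a bumped connection whose server-side cipher was logged while the server certificate subject and issuer are still "-". The sample log lines are constructed (the first mirrors the "bump all" output quoted above, the others show what a populated and a spliced record look like), and the classification labels are my own.

```python
import re
from typing import Dict, List

# Constructed sample lines in the thread's logformat (not captured traffic).
SAMPLE_LOG = """\
SSLBumpMode=bump SSLSNI="www.google.sk" SSLClientProto="TLS/1.0" SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES256-SHA" SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="-" SSLBumpIssuer="-"
SSLBumpMode=bump SSLSNI="example.test" SSLClientProto="TLS/1.2" SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="/CN=example.test" SSLBumpIssuer="/CN=Example CA"
SSLBumpMode=splice SSLSNI="splice.test" SSLClientProto="-" SSLServerProto="-" SSLBumpClientCipher="-" SSLBumpServerCipher="-" SSLBumpSubject="-" SSLBumpIssuer="-"
"""

# key=value pairs; values are either double-quoted (may contain spaces and '=')
# or bare tokens. Squid logs an unavailable %code as "-".
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split one logformat line into a field -> value dict."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in FIELD_RE.finditer(line)
    }


def server_handshake_seen(rec: Dict[str, str]) -> bool:
    """A negotiated server cipher means Squid saw the origin ServerHello."""
    return rec.get("SSLBumpServerCipher", "-") != "-"


def cert_details_logged(rec: Dict[str, str]) -> bool:
    return (rec.get("SSLBumpSubject", "-") != "-"
            and rec.get("SSLBumpIssuer", "-") != "-")


def classify(rec: Dict[str, str]) -> str:
    """Label one record.

    'ok'              : not bumped, or bumped with certificate details present
    'cert_missing'    : bumped, server cipher logged, subject/issuer are "-"
                        (the inconsistency Alex Rousskov describes)
    'no_server_hello' : bumped, but neither server cipher nor certificate logged
    """
    if rec.get("SSLBumpMode") != "bump":
        return "ok"  # splice/terminate/peek: no server cert expected here
    if not server_handshake_seen(rec):
        return "no_server_hello"
    if not cert_details_logged(rec):
        return "cert_missing"
    return "ok"


def audit(log_text: str) -> List[str]:
    """Classify every non-empty line of a log in this format."""
    return [classify(parse_line(l)) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for line, label in zip(SAMPLE_LOG.splitlines(), audit(SAMPLE_LOG)):
        print(label, "<-", parse_line(line).get("SSLSNI"))
```

Run against a real access log that uses this logformat, a non-empty count of `cert_missing` records after switching to `stare all` followed by `bump all` would be the signal worth reporting on the list; under plain `bump all` every bumped record is expected to land there, as the thread shows.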