Re: Very basic peek & splice

On 09/27/2018 02:43 AM, Ralf Hildebrandt wrote:
> I recompiled my squid-5 with openssl and added
> 
> ssl_bump peek all
> ssl_bump splice all
> 
> to my squid.conf. What logging should I expect to verify it's actually
> working?

Logging %ssl:bump_mode may be a good idea.

For a particular _spliced_ transaction, logging the server-provided
certificate details (e.g., %ssl::<cert_subject) would confirm that Squid
peeked at the certificate before splicing.

Besides %ssl:bump_mode, reliably distinguishing spliced connections from
bumped connections is difficult AFAICT because Squid does not have a
%code for Squid-sent server certificate details.

Please note that a successful splice using your configuration should
result in two CONNECT access.log entries. I am focusing on the second
one. See Amos's response for more details regarding these two entries.


FWIW, I recommend using a few test cases to double check that your
verification method (whatever it is) works well for step3 splicing:

1. Successful splice with a trusted TLS server.
2. Failed splice with an untrusted TLS server.
3. Failed splice with a non-TLS (e.g., an HTTP) server.
4. Failed splice with a TLS server rejecting your TLS client.
5. Failed splice with a down server.
6. Failed splice with a server having an unresolvable DNS name.
...


HTH,

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
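The verification Alex describes (log the bump mode and the peeked server certificate, then check the two CONNECT entries per spliced tunnel against the six test cases) is easier to run repeatedly with a small log classifier. The script below is an added example, not code from the Squid project or from anyone in this thread. It uses Squid's %ssl::bump_mode, %ssl::>sni, %ssl::<cert_subject, %ssl::<cert_errors and %err_code format codes; the logformat name `bumplog`, its pipe-separated layout, the sample log lines and the classification rules are my own assumptions and should be checked against the entries your Squid actually writes for each test case.

```python
"""Classify Squid SSL-Bump access.log entries written with a custom logformat.

Added example for the thread above; it is not code from the Squid project or
from the message's author. It assumes the following (hypothetical) logformat
in squid.conf, which is pipe-separated so that the certificate subject, which
contains spaces and commas, does not need quoting:

    logformat bumplog %ts.%03tu|%>a|%Ss/%>Hs|%rm|%ru|%ssl::bump_mode|%ssl::>sni|%ssl::<cert_subject|%ssl::<cert_errors|%err_code
    access_log /var/log/squid/bump.log bumplog

The classification rules are heuristics to validate against the six test
cases in the message, not a statement of what Squid guarantees to log.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample log, not real Squid output: a successful splice (two
# CONNECT entries, the second carrying the peeked server certificate), a
# splice that failed on a self-signed server certificate, and a bumped
# transaction. "-" is Squid's placeholder for an empty field.
SAMPLE_LOG = """\
1538030580.123|192.0.2.10|TCP_TUNNEL/200|CONNECT|example.com:443|peek|example.com|-|-|-
1538030580.456|192.0.2.10|TCP_TUNNEL/200|CONNECT|example.com:443|splice|example.com|CN=example.com,O=Example Inc|-|-
1538030591.001|192.0.2.11|TCP_TUNNEL/200|CONNECT|selfsigned.test:443|peek|selfsigned.test|-|-|-
1538030591.300|192.0.2.11|NONE/503|CONNECT|selfsigned.test:443|splice|selfsigned.test|CN=selfsigned.test|X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT|ERR_SECURE_CONNECT_FAIL
1538030602.777|192.0.2.12|TCP_TUNNEL/200|CONNECT|intranet.example:443|bump|intranet.example|CN=intranet.example|-|-
"""


@dataclass
class Entry:
    ts: float
    client: str
    squid_status: str   # e.g. TCP_TUNNEL
    http_status: int    # e.g. 200
    method: str
    url: str
    bump_mode: str      # value of %ssl::bump_mode
    sni: str
    cert_subject: str   # %ssl::<cert_subject, "-" when no server cert was seen
    cert_errors: str    # %ssl::<cert_errors, "-" when validation passed
    err_code: str       # %err_code, "-" when no error page was generated


def parse_line(line: str) -> Entry:
    """Split one pipe-separated line into an Entry; raises ValueError on bad input."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    squid_status, _, http_status = fields[2].partition("/")
    return Entry(
        ts=float(fields[0]), client=fields[1],
        squid_status=squid_status, http_status=int(http_status),
        method=fields[3], url=fields[4], bump_mode=fields[5], sni=fields[6],
        cert_subject=fields[7], cert_errors=fields[8], err_code=fields[9],
    )


def classify(e: Entry) -> str:
    """Heuristic verdict for one entry (the second CONNECT entry is the decisive one)."""
    if e.method != "CONNECT":
        return "not-a-tunnel"
    if e.bump_mode == "peek":
        # First entry of the pair: Squid has only inspected the handshake so far.
        return "peeked"
    if e.bump_mode == "splice":
        if e.cert_errors != "-" or e.err_code != "-":
            return "splice-failed"
        if e.cert_subject != "-" and e.http_status == 200:
            # Server certificate was seen before splicing: the peek worked.
            return "spliced"
        return "splice-unverified"
    if e.bump_mode == "bump":
        return "bumped"
    return "other:" + e.bump_mode


def summarize(log_text: str) -> Dict[str, int]:
    """Count verdicts over a whole log."""
    return dict(Counter(classify(parse_line(ln)) for ln in log_text.splitlines() if ln))


def connect_counts(log_text: str) -> Dict[Tuple[str, str], int]:
    """CONNECT entries per (client, url); a completed splice should show exactly two."""
    entries = (parse_line(ln) for ln in log_text.splitlines() if ln)
    return dict(Counter((e.client, e.url) for e in entries if e.method == "CONNECT"))


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_line(line)
        print(f"{e.client:<12} {e.url:<22} {e.bump_mode:<7} -> {classify(e)}")
    print(summarize(SAMPLE_LOG))
```

Run it against a real bump.log (replace SAMPLE_LOG with the file contents) once for each of the six test cases and note which verdict each produces; a case that lands in "splice-unverified" or "other:" is one the heuristics do not yet cover, and the bump_mode, cert_errors and err_code values Squid wrote for it tell you which rule to add.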