On 1/23/22 11:10 AM, toma leopold wrote:
> I know squid 6.0 is not out yet but I wanted to try the tls_key_log
> feature.
>
> Using:
>
> tls_key_log stdio:/logfile
>
> only works partially.
> From client to proxy only TLS 1.2 is negotiated but I get the secret
> values and the random number.
> For proxy to server connections I get the random number from the proxy
> in the log but no secrets. TLS 1.3 is used for this connection.
> Any ideas what could be the issue?

Squid does not support logging of TLS v1.3 secrets yet.

When tls_key_log was initially implemented, Squid did not support the OpenSSL version that could extract TLS v1.3 connection secrets - OpenSSL v1.1.1. There is even a corresponding TODO in the code: "Support SSL_CTX_set_keylog_callback() available since OpenSSL v1.1.1".

IIRC, Squid supports that OpenSSL version now. Thus, support for logging TLS v1.3 connection secrets can and should be added. When deciding on the tls_key_log output format, we tried to anticipate TLS v1.3 needs, so I hope that adding that support will not require serious format changes.

This whole issue is complicated by the fact that it would be much easier to just rely on the new OpenSSL SSL_CTX_set_keylog_callback() API for _all_ TLS secret extraction, but we cannot do that for as long as we have to support earlier OpenSSL versions that lack that API. One of the reasons we did not push for TLS v1.3 logging during the initial tls_key_log implementation is my hope that (by the time we start working on that additional support) Squid master/v6 would no longer have to support earlier OpenSSL versions.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
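The symptom in this thread (a client random in the key log but no usable secret for the TLS 1.3 leg) is easy to miss by eye in a busy log. As an added example, not part of the mailing-list thread or of Squid, here is a small auditor that reads a key log in the NSS key log format that Wireshark consumes and reports per session whether a decryptor would actually have enough material; it assumes the log uses that format (label, 32-byte client random, secret, all hex), and all sample lines are constructed.

```python
"""Audit an NSS-format TLS key log (the format Wireshark reads) and report, per session, whether enough secrets were logged to decrypt it. Sample input below is constructed."""
from collections import defaultdict
from string import hexdigits

TLS12_LABEL = "CLIENT_RANDOM"  # a single line suffices for TLS 1.2
TLS13_REQUIRED = {             # all four are needed to decrypt TLS 1.3 application data
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
KNOWN = TLS13_REQUIRED | {TLS12_LABEL, "EXPORTER_SECRET", "CLIENT_EARLY_TRAFFIC_SECRET"}

def is_hex(s, length=None):
    # Non-empty, even-length hex string, optionally of exactly `length` characters.
    return (bool(s) and len(s) % 2 == 0 and all(c in hexdigits for c in s)
            and (length is None or len(s) == length))

def parse_keylog(text):
    """Return ({client_random: {labels seen}}, [(lineno, unusable line)])."""
    sessions, problems = defaultdict(set), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        # Valid entry: <label> <32-byte client random> <secret>, all hex.
        if len(f) != 3 or f[0] not in KNOWN or not is_hex(f[1], 64) or not is_hex(f[2]):
            problems.append((lineno, raw))  # e.g. random logged but secret missing
            continue
        sessions[f[1].lower()].add(f[0])
    return dict(sessions), problems

def classify(labels):
    """Can a decryptor use this session's logged secrets?"""
    if TLS12_LABEL in labels:
        return "tls12-decryptable"
    missing = sorted(TLS13_REQUIRED - labels)
    return "tls13-decryptable" if not missing else "tls13-incomplete: missing " + ", ".join(missing)

# Constructed sample: R1 = TLS 1.2 session, R2 = complete TLS 1.3 session, R3 = TLS 1.3
# session with handshake secrets only, plus one line with a client random but no secret.
R1, R2, R3 = "aa" * 32, "bb" * 32, "cc" * 32
SAMPLE = "\n".join([
    f"CLIENT_RANDOM {R1} {'11' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R2} {'22' * 32}", f"SERVER_HANDSHAKE_TRAFFIC_SECRET {R2} {'33' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R2} {'44' * 32}", f"SERVER_TRAFFIC_SECRET_0 {R2} {'55' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R3} {'66' * 32}", f"SERVER_HANDSHAKE_TRAFFIC_SECRET {R3} {'77' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R3}",  # secret missing: the symptom reported above
])

if __name__ == "__main__":
    sessions, bad = parse_keylog(SAMPLE)
    print({r[:8]: classify(l) for r, l in sessions.items()}, bad)
```

Point it at a real key log (read the file into `parse_keylog`) to see which sessions are only partially logged before opening the capture in Wireshark.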