Hey Gabriel,
 
Can you describe in words the desired state in squid 5.7?
I know that squid ssl bump works, and in the case of splice it also works pretty 
well.
I can give you my logformat which results with the next:
## START
1669969405.114      9 10.200.191.117 NONE_NONE/000 0 CONNECT 3.126.56.137:443 - HIER_NONE/- - service.idsync.analytics.yahoo.com splice Yahoo - dell-desktop
1669969405.661     13 10.200.191.117 NONE_NONE/000 0 CONNECT 35.208.249.213:443 - HIER_NONE/- - trace.mediago.io splice - - dell-desktop
1669969405.675     11 10.200.191.117 NONE_NONE/000 0 CONNECT 54.254.84.61:443 - HIER_NONE/- - sync.tidaltv.com splice - - dell-desktop
1669969405.719     10 10.200.191.117 NONE_NONE/000 0 CONNECT 44.208.184.190:443 - HIER_NONE/- - rtb.adentifi.com splice - - dell-desktop
1669969405.864      8 10.200.191.117 NONE_NONE/000 0 CONNECT 152.199.20.14:443 - HIER_NONE/- - assets.video.yahoo.net splice - - dell-desktop
1669969406.143     11 10.200.191.117 NONE_NONE/000 0 CONNECT 184.73.174.132:443 - HIER_NONE/- - video.adaptv.advertising.com splice - - dell-desktop
## END
 
 
logformat localsquid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni %ssl::bump_mode %{app_tag}note %{tls_probe_res}note %{ip_to_user}note
 
 
I am not sure how to reproduce the issue, so it's pretty hard for me to guess.
What logformat are you using?
Also, can you please describe how I might be able to reproduce the issue in a 
local testing environment?
 
Yours,
Eliezer
 
----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/
 
From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of 
Gabriel Vilariño
Sent: Tuesday, 29 November 2022 14:17
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Logs not showing ssl::servername
 
Hi there,
 
I am setting up an HTTP/HTTPS transparent proxy, meaning the clients do not need 
any certificates to use the proxy. This works fine on version 3.5 of Squid; 
however, after upgrading to 5.7 the behavior of the logs changes:
 
1669723133.174   8037 10.184.19.220 TCP_TUNNEL/500 6207 CONNECT 54.240.253.128:443 - ORIGINAL_DST/54.240.253.128 -
 
Directive: logformat squid %ts.%03tu %>a %Ss/%03>Hs %ssl::>sni %ssl::bump_mode ssl::>cert_subject %<ru
 
On version 3.5 we were obtaining the domain name (an AWS service) in the place 
of ORIGINAL_DST. Also, now we are not seeing any information about the bump_mode 
in any of the connections, while before we were seeing it. One could think 
that it could be because of the /500 message; however, on a 200 one to 
docs.ansble.com it also doesn't show any data in the 
sni field:
 
1669723513.363    332 10.184.19.220 TCP_TUNNEL/200 38192 CONNECT 104.26.0.234:443 - ORIGINAL_DST/104.26.0.234 -
 
Also, the 500 looks to come from Squid not understanding something in the 
SSL negotiation:
 
2022/11/29 10:32:38.943 kid1| 83,4| support.cc(248) check_domain: Verifying server domain arsenal.us-west-2.amazonaws.com to certificate name/subjectAltName arsenal.us-west-2.amazonaws.com
2022/11/29 10:32:38.943 kid1| 83,5| bio.cc(136) read: FD 28 read 347 <= 65535
2022/11/29 10:32:38.943 kid1| 83,5| Io.cc(91) Handshake: -1/0 for TLS connection 0x558453168970 over conn99 local=SQUID-INTERNAL-IP:44264 remote=54.240.251.223:443 ORIGINAL_DST FD 28 flags=1
2022/11/29 10:32:38.943 kid1| 83,2| PeerConnector.cc(256) handleNegotiationResult: ERROR: failure while establishing TLS connection on FD: 280x558452b68980*1
2022/11/29 10:32:38.943 kid1| 83,5| NegotiationHistory.cc(85) retrieveNegotiatedInfo: SSL connection info on FD 28 SSL version NONE/0.0 negotiated cipher 
2022/11/29 10:32:38.943 kid1| 83,5| PeekingPeerConnector.cc(84) checkForPeekAndSpliceMatched: Will check for peek and splice on FD 28
2022/11/29 10:32:38.943 kid1| 83,5| PeekingPeerConnector.cc(395) serverCertificateVerified: HTTPS server CN: arsenal.us-west-2.amazonaws.com bumped: conn99 local=SQUID-INTERNAL-IP:44264 remote=54.240.251.223:443 ORIGINAL_DST FD 28 flags=1
2022/11/29 10:32:38.943 kid1| 83,5| PeekingPeerConnector.cc(273) startTunneling: will tunnel instead of negotiating TLS
 
It is clear that it creates the tunnel, so the 500 is probably that error? Why 
do the bump/sni fields never log anything (according to 
https://wiki.squid-cache.org/Features/SslPeekAndSplice they should log splice, 
not -)? This is the config for bumping:

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
 
.... http rules ...
 
acl allowed_https_sites ssl::server_name_regex "/etc/squid/whitelist.txt"
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all

iptables simply redirects:
 
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130
# https port on squid: https_port 3130 intercept ssl-bump cert=/etc/squid/ssl/dummy.pem
 
Thanks in advance, I have been trying this for a week now, reading a lot of 
posts, but no luck...
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
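A small audit script for the two logformats quoted in this thread (Eliezer's localsquid format with its sample lines, and Gabriel's format with his TCP_TUNNEL line). It is an added example, not code from either poster or from the Squid project; it assumes every logformat column is one whitespace-free token in the log line (true for the fields used here, not for URLs or note values containing spaces), and it checks two things a practitioner wants to know before debugging SslBump: does the line's column count match the logformat that is supposed to produce it, and are %ssl::>sni and %ssl::bump_mode actually populated or just "-".

```python
from dataclasses import dataclass
from typing import Optional

# Field lists copied from the thread (the logformat name is dropped; only
# the columns matter). Gabriel's "ssl::>cert_subject" is kept verbatim.
ELIEZER_FMT = ("%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt "
               "%ssl::>sni %ssl::bump_mode %{app_tag}note %{tls_probe_res}note "
               "%{ip_to_user}note")
GABRIEL_FMT = ("%ts.%03tu %>a %Ss/%03>Hs %ssl::>sni %ssl::bump_mode "
               "ssl::>cert_subject %<ru")

# Sample lines taken from the two posts (constructed test input for this script).
ELIEZER_LINES = [
    "1669969405.114      9 10.200.191.117 NONE_NONE/000 0 CONNECT 3.126.56.137:443 - "
    "HIER_NONE/- - service.idsync.analytics.yahoo.com splice Yahoo - dell-desktop",
    "1669969405.661     13 10.200.191.117 NONE_NONE/000 0 CONNECT 35.208.249.213:443 - "
    "HIER_NONE/- - trace.mediago.io splice - - dell-desktop",
]
GABRIEL_LINE = ("1669723133.174   8037 10.184.19.220 TCP_TUNNEL/500 6207 CONNECT "
                "54.240.253.128:443 - ORIGINAL_DST/54.240.253.128 -")


@dataclass
class Audit:
    matches_format: bool          # column count of the line equals the logformat's
    sni: Optional[str] = None     # value logged for %ssl::>sni, if the format has it
    bump_mode: Optional[str] = None  # value logged for %ssl::bump_mode


def columns(fmt: str) -> list:
    """Whitespace-separated pieces of a logformat; %ts.%03tu or %Ss/%03>Hs is one column."""
    return fmt.split()


def audit_line(fmt: str, line: str) -> Audit:
    cols, vals = columns(fmt), line.split()
    if len(vals) != len(cols):
        # The line was not written with this column layout, so the access_log
        # that produced it is not using this logformat; field lookup is meaningless.
        return Audit(matches_format=False)
    rec = dict(zip(cols, vals))
    return Audit(True, rec.get("%ssl::>sni"), rec.get("%ssl::bump_mode"))


def tls_fields_present(a: Audit) -> bool:
    """True only when both SNI and bump mode were logged, not the '-' placeholder."""
    return a.matches_format and a.sni not in (None, "-") and a.bump_mode not in (None, "-")


if __name__ == "__main__":
    for l in ELIEZER_LINES:
        print(audit_line(ELIEZER_FMT, l))
    print(audit_line(GABRIEL_FMT, GABRIEL_LINE))
```

Eliezer's lines parse to sni/bump_mode pairs such as service.idsync.analytics.yahoo.com/splice, whereas Gabriel's line has ten tokens against a seven-column format, so the script reports a layout mismatch rather than an empty SNI field.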