On 2016-11-05 01:15, Alex Rousskov wrote:
On 11/04/2016 08:06 AM, Garri Djavadyan wrote:
On Fri, 2016-11-04 at 17:43 +0500, Garri Djavadyan wrote:
I noticed that Squid doesn't use gathered domain name information for
%ru in access.log when splice action is performed at step 3 for
intercepted traffic.
%ru is about client/user actions. It should be filled with what the
client sent to Squid. In an intercepting and splicing configuration
like
yours, %>ru (and deprecated %ru) should contain the intended
destination
IP address (at step 1) and SNI, if any, at step 2+.
%ru Request URL from client (historic, filtered for logging)
%>ru Request URL from client
%<ru Request URL sent to server or peer
According to the above, during step 3, %<ru should have SNI sent by
Squid to the server (if any) or the server IP (otherwise).
I've added the codes %>ru, %<ru and %ssl::bump_mode in the following
tests.
$ curl https://www.openssl.org/ > /dev/null
https_port 3129 intercept ssl-bump ..
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
%Sh/%<a %mt %ssl::>sni
at step 2:
1478256091.609 1028 172.16.0.21 TAG_NONE/200 0 CONNECT
104.124.119.14:443 - HIER_NONE/- - www.openssl.org
1478256091.609 1026 172.16.0.21 TCP_TUNNEL/200 9807 CONNECT
www.openssl.org:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
OK.
at step 3:
1478256303.420 574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT
104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
Just one record? That in itself is probably a bug!
Yes, I get only one record for splicing at step 3 using Squid
3.5.22/4.0.16
Please see whether trunk r14913 (or any later revision) improves or
fixes this. That revision contains important and potentially relevant
changes.
I re-tested the case using Squid 4.0.16-20161104-r14917. Now, Squid lost
it's ability to mark SNI in %ru at step 2 too.
Below are my results:
----------------
| Squid 4.0.16 |
----------------
Config:
https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
generate-host-certificates=off
acl StepSplice at_step SslBump2
ssl_bump splice StepSplice
ssl_bump peek all
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
%Sh/%<a %mt %ssl::bump_mode %ssl::>sni %>ru %<ru
Result:
1478346360.722 000415 192.168.6.6 NONE/200 0 CONNECT 173.194.122.224:443
- HIER_NONE/- - peek google.com 173.194.122.224:443 173.194.122.224:443
1478346360.722 000377 192.168.6.6 TCP_TUNNEL_ABORTED/200 4747 CONNECT
google.com:443 - ORIGINAL_DST/173.194.122.224 - splice google.com
google.com:443 google.com:443
-------
Config:
https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
generate-host-certificates=off
acl StepSplice at_step SslBump3
ssl_bump splice StepSplice
ssl_bump peek all
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
%Sh/%<a %mt %ssl::bump_mode %ssl::>sni %>ru %<ru
Result:
1478346440.426 000448 192.168.6.6 TCP_TUNNEL_ABORTED/200 4747 CONNECT
173.194.122.224:443 - ORIGINAL_DST/173.194.122.224 - peek google.com
173.194.122.224:443 173.194.122.224:443
--------------------------------
| Squid 4.0.16-20161104-r14917 |
--------------------------------
Config:
https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
generate-host-certificates=off
acl StepSplice at_step SslBump2
ssl_bump splice StepSplice
ssl_bump peek all
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
%Sh/%<a %mt %ssl::bump_mode %ssl::>sni %>ru %<ru
Result:
1478347007.973 000404 192.168.6.6 TCP_TUNNEL/200 4747 CONNECT
173.194.122.224:443 - ORIGINAL_DST/173.194.122.224 - peek google.com
173.194.122.224:443 173.194.122.224:443
--------
Config:
https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
generate-host-certificates=off
acl StepSplice at_step SslBump3
ssl_bump splice StepSplice
ssl_bump peek all
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
%Sh/%<a %mt %ssl::bump_mode %ssl::>sni %>ru %<ru
Result:
1478347140.363 000412 192.168.6.6 TCP_TUNNEL/200 4747 CONNECT
173.194.122.224:443 - ORIGINAL_DST/173.194.122.224 - peek google.com
173.194.122.224:443 173.194.122.224:443
--------------
The request used in the tests is 'curl https://google.com/ > /dev/null'.
It prevents domain name identification when SNI is not provided by a
client. For example:
Request:
$ echo -e "HEAD / HTTP/1.1\nHost: www.openssl.org\n\n" | openssl
s_client -quiet -no_ign_eof -connect www.openssl.org:443
Result:
1478267428.070 347 172.16.0.21 TCP_TUNNEL/200 235 CONNECT
104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - -
IMO, the lack of a domain name is correct in this %ru case -- the
client
did not send a domain name to Squid!
I got it, thanks. AIUI, there is no code format which could be used to
represent domain name information gathered from certificate
(subjectAltName). Am I right?
Thanks.
Garri
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
