debugging ssl-bump


debugging ssl-bump

Marcus Kool

I am trying to debug ssl-bump and am looking specifically for decisions that Squid takes with regard to bumping, splicing and unsupported protocol.

The config file for Squid 4.0.21 has

debug_options ALL,1 33,9 83,9

http_port 10.10.10.1:3230        ssl-bump ...

acl tls_is_skype ssl::server_name "/var/ufdbguard/blacklists/chat/skype/iplist"
acl tls_is_skype ssl::server_name .skype.com
acl tls_allowed_hsts ssl::server_name www.google.com
acl tls_urlfilterdb ssl::server_name www.urlfilterdb.com
acl tls_server_is_bank ssl::server_name .abnamro.nl
acl tls_server_is_bank ssl::server_name .abnamro.com
acl tls_to_splice any-of tls_allowed_hsts tls_urlfilterdb tls_server_is_bank tls_is_skype

ssl_bump splice tls_to_splice
ssl_bump stare  all
ssl_bump bump   all

on_unsupported_protocol tunnel all

But I fail to see in cache.log anything that gives a clue about
- squid decided to splice
- squid decided to bump
- squid decided to treat a connection as "unsupported protocol".

Are there other debug sections than 33 and 83 that need an increased debug level?
What strings do I have to look for in cache.log to understand the above decisions that Squid takes?

Thanks
Marcus
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: debugging ssl-bump

Amos Jeffries
Administrator

On 19/07/17 05:02, Marcus Kool wrote:
>
> I am trying to debug ssl-bump and am looking specifically for decisions
> that Squid takes with regard to bumping, splicing and unsupported protocol.
>
> The config file for Squid 4.0.21 has
>
> debug_options ALL,1 33,9 83,9
>

Section 28 is probably where you want to look for the splice detail
since it is an access control action decision point.

There are a few TLS details going to 81, but mostly for server connections.

You may also want to include the TCP level I/O details in section 5 if
the section 83 OpenSSL BIO is not enough.

And the 11,2 trace of when HTTP(S) messages are arriving can be useful
to trace when and what Squid is managing to decrypt.

And section 26 for CONNECT tunnel handling, which may show when/how
splice or on_unsupported_protocol are being handled.

Amos



> http_port 10.10.10.1:3230        ssl-bump ...
>
> acl tls_is_skype ssl::server_name
> "/var/ufdbguard/blacklists/chat/skype/iplist"
> acl tls_is_skype ssl::server_name .skype.com
> acl tls_allowed_hsts ssl::server_name www.google.com
> acl tls_urlfilterdb ssl::server_name www.urlfilterdb.com
> acl tls_server_is_bank ssl::server_name .abnamro.nl
> acl tls_server_is_bank ssl::server_name .abnamro.com
> acl tls_to_splice any-of tls_allowed_hsts tls_urlfilterdb
> tls_server_is_bank tls_is_skype
>
> ssl_bump splice tls_to_splice
> ssl_bump stare  all
> ssl_bump bump   all
>
> on_unsupported_protocol tunnel all
>
> But I fail to see in cache.log anything that gives a clue about
> - squid decided to splice
> - squid decided to bump
> - squid decided to treat a connection as "unsupported protocol".
>
> Are there other debug sections than 33 and 83 that need an increased
> debug level ?
> what strings do I have to look for in cache.log to understand the above
> decisions that Squid takes ?

The regular ACL checklist and results, I think, for that particular
tracing. The TLS parser and bumping logic are not all debug-traced, for
performance-first reasons. Where debugs exist, it is usually at a
problem/error handling code path initiation.

Amos
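One way to act on the sections Amos lists, as an added example that is not part of this thread or of Squid's own code: a small Python filter that renders a matching debug_options line and sifts a cache.log for the section-tagged lines that record the ssl_bump ACL decision. It assumes the line layout Squid uses for debug levels above 1 (timestamp, kid, `section,level|`, then `file(line) function: message`); the sample log lines, checklist ids and message texts are constructed for this example, modelled on the preCheck/markFinished messages of section 28, so the two message regexes may need adjusting to the wording of your Squid build.

```python
"""Filter a Squid cache.log by debug section and extract ssl_bump decisions.

Added example; not code from the mailing-list thread or from Squid itself.
Assumes the cache.log layout Squid uses for debug levels above 1:

    <date> <time> kid<N>| <section>,<level>| <file>(<line>) <function>: <message>
"""
import re
import sys

# Sections named in Amos's reply, with the level he suggests for 11.
BUMP_SECTIONS = {
    5: 9,    # TCP-level I/O
    11: 2,   # HTTP(S) message arrival
    26: 9,   # CONNECT tunnel handling (splice / on_unsupported_protocol)
    28: 9,   # ACL checklist evaluation (where the ssl_bump decision is made)
    33: 9,   # client-side TLS handling
    81: 9,   # server-side TLS details
    83: 9,   # OpenSSL BIO
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"kid(?P<kid>\d+)\| (?P<section>\d+),(?P<level>\d+)\| (?P<msg>.*)$"
)
# Modelled on section 28 messages; constructed wording, adjust to your build.
CHECK_RE = re.compile(r"preCheck: (?P<id>0x[0-9a-f]+) checking (?P<what>\S+)")
ANSWER_RE = re.compile(
    r"markFinished: (?P<id>0x[0-9a-f]+) answer (?P<answer>\S+) for (?P<reason>.*)"
)

# Constructed sample log for the example: one spliced and one bumped
# connection, an unrelated http_access check, and a level-1 line without tag.
SAMPLE_LOG = """\
2017/07/19 05:02:11.101 kid1| 33,3| client_side.cc(100) parseTlsHandshake: ClientHello SNI=www.google.com
2017/07/19 05:02:11.102 kid1| 28,3| Checklist.cc(63) preCheck: 0x55aa checking ssl_bump
2017/07/19 05:02:11.102 kid1| 28,3| Checklist.cc(70) markFinished: 0x55aa answer ALLOWED for match (splice tls_to_splice)
2017/07/19 05:02:11.103 kid1| 26,3| tunnel.cc(200) switchToTunnel: spliced client and server connections
2017/07/19 05:02:12.210 kid1| 28,3| Checklist.cc(63) preCheck: 0x55bb checking http_access
2017/07/19 05:02:12.211 kid1| 28,3| Checklist.cc(70) markFinished: 0x55bb answer ALLOWED for match
2017/07/19 05:02:12.305 kid1| 33,3| client_side.cc(100) parseTlsHandshake: ClientHello SNI=example.net
2017/07/19 05:02:12.306 kid1| 28,3| Checklist.cc(63) preCheck: 0x55cc checking ssl_bump
2017/07/19 05:02:12.307 kid1| 28,3| Checklist.cc(70) markFinished: 0x55cc answer ALLOWED for match (bump all)
2017/07/19 05:02:12.310 kid1| 83,5| bio.cc(50) read: 517 bytes from client
2017/07/19 05:02:13.000 kid1| 26,3| tunnel.cc(300) noteUnsupportedProtocol: on_unsupported_protocol tunnel
2017/07/19 05:02:13 kid1| plain level-1 line without a section tag
"""


def debug_options(sections=BUMP_SECTIONS):
    """Render a debug_options value: ALL,1 first, then the raised sections."""
    return " ".join(["ALL,1"] + [f"{s},{lvl}" for s, lvl in sorted(sections.items())])


def parse_line(line):
    """Return a dict for a section-tagged line, None for untagged (level-1) lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["section"] = int(rec["section"])
    rec["level"] = int(rec["level"])
    return rec


def lines_for_sections(log_text, sections):
    """Keep only tagged lines whose section is in `sections`."""
    wanted = set(sections)
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["section"] in wanted:
            out.append(rec)
    return out


def ssl_bump_decisions(log_text):
    """Pair each 'checking ssl_bump' with the answer logged for the same checklist id."""
    pending = {}    # checklist id -> directive being checked
    decisions = []  # (timestamp, answer, reason)
    for rec in lines_for_sections(log_text, {28}):
        m = CHECK_RE.search(rec["msg"])
        if m:
            pending[m["id"]] = m["what"]
            continue
        m = ANSWER_RE.search(rec["msg"])
        if m and pending.pop(m["id"], None) == "ssl_bump":
            decisions.append((rec["ts"], m["answer"], m["reason"].strip()))
    return decisions


def keyword_hits(log_text, sections=(26, 33),
                 keywords=("splice", "bump", "tunnel", "unsupported")):
    """Lines in the tunnel/client-side sections that mention a bump-related word."""
    hits = []
    for rec in lines_for_sections(log_text, sections):
        low = rec["msg"].lower()
        if any(k in low for k in keywords):
            hits.append((rec["section"], rec["msg"]))
    return hits


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    print("debug_options", debug_options())
    for ts, answer, reason in ssl_bump_decisions(text):
        print(f"{ts} ssl_bump -> {answer} ({reason})")
    for section, msg in keyword_hits(text):
        print(f"section {section}: {msg}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a cache.log path as the only argument (or with no argument to see the constructed sample). Raising seven sections to level 9 on a busy proxy produces a very large cache.log, so the intended workflow is to capture one test connection, then run the filter rather than reading the log by hand.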