On 19/07/17 05:02, Marcus Kool wrote:
> I am trying to debug ssl-bump and am looking specifically for decisions
> that Squid takes with regard to bumping, splicing and unsupported protocol.
> The config file for Squid 4.0.21 has
> debug_options ALL,1 33,9 83,9
Section 28 is probably where you want to look for the splice detail
since it is an access control action decision point.
There are a few TLS details going to 81, but mostly for server connections.
You may also want to include the TCP level I/O details in section 5 if
the section 83 OpenSSL BIO is not enough.
And the 11,2 trace of when HTTP(S) messages are arriving can be useful
to trace when and what Squid is managing to decrypt.
And section 26 for CONNECT tunnel handling. Which may show when/how
splice or on_unsupported_protocol are being handled.
> http_port 10.10.10.1:3230 ssl-bump ...
> acl tls_is_skype ssl::server_name
> acl tls_is_skype ssl::server_name .skype.com
> acl tls_allowed_hsts ssl::server_name www.google.com
> acl tls_urlfilterdb ssl::server_name www.urlfilterdb.com
> acl tls_server_is_bank ssl::server_name .abnamro.nl
> acl tls_server_is_bank ssl::server_name .abnamro.com
> acl tls_to_splice any-of tls_allowed_hsts tls_urlfilterdb
> tls_server_is_bank tls_is_skype
> ssl_bump splice tls_to_splice
> ssl_bump stare all
> ssl_bump bump all
> on_unsupported_protocol tunnel all
> But I fail to see in cache.log anything that gives a clue about
> - squid decided to splice
> - squid decided to bump
> - squid decided to treat a connection as "unsupported protocol".
> Are there other debug sections than 33 and 83 that need an increased
> debug level ?
> what strings do I have to look for in cache.log to understand the above
> decisions that Squid takes ?
The regular ACL checklist and results I think for that particular
tracing. The TLS parser and bumping logic is not all debug traced due to
performance-first reasons. Where debugs exist it is usually at a
problem/error handling code path initiation.