squid4 with sslbump not logged server side cert_subject and cert_issuer

squid4 with sslbump not logged server side cert_subject and cert_issuer

Peter Viskup
Running squid version 4.0.23 with logformat including

SSLBumpMode=%ssl::bump_mode SSLSNI="%ssl::>sni"
SSLClientProto="%ssl::>negotiated_version"
SSLServerProto="%ssl::<negotiated_version"
SSLBumpClientCipher="%ssl::>negotiated_cipher"
SSLBumpServerCipher="%ssl::<negotiated_cipher"
SSLBumpSubject="%ssl::<cert_subject"
SSLBumpIssuer="%ssl::<cert_issuer"

and ssl_bump configured simply with

ssl_bump bump all
http_access allow all

the messages are still logged with dashes for the Subject and Issuer values

SSLBumpMode=bump SSLSNI="www.google.sk" SSLClientProto="TLS/1.0" SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES256-SHA" SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="-" SSLBumpIssuer="-"

Am I doing something wrong or did I overlook something?

Peter
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: squid4 with sslbump not logged server side cert_subject and cert_issuer

Amos Jeffries
Administrator
On 16/02/18 01:44, Peter Viskup wrote:

> Running squid version 4.0.23 with logformat including
>
> SSLBumpMode=%ssl::bump_mode SSLSNI="%ssl::>sni"
> SSLClientProto="%ssl::>negotiated_version"
> SSLServerProto="%ssl::<negotiated_version"
> SSLBumpClientCipher="%ssl::>negotiated_cipher"
> SSLBumpServerCipher="%ssl::<negotiated_cipher"
> SSLBumpSubject="%ssl::<cert_subject"
> SSLBumpIssuer="%ssl::<cert_issuer"
>
> and ssl_bump configured simply with
>
> ssl_bump bump all
> http_access allow all
>
> the messages are still logged with dashes for the Subject and Issuer values
>
> SSLBumpMode=bump SSLSNI="www.google.sk" SSLClientProto="TLS/1.0" SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES256-SHA" SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="-" SSLBumpIssuer="-"
>
> Am I doing something wrong or did I overlook something?
>

Was there actually a server involved?

You told Squid to "bump all" which, by itself, means bump immediately
after client Hello arrives. So there is no server cert to get details
from until after bumping finishes and the first HTTPS request is
processed - triggering server contact to pass it upstream (unless that
is a HIT).

Amos

Re: squid4 with sslbump not logged server side cert_subject and cert_issuer

Alex Rousskov
On 02/15/2018 07:32 AM, Amos Jeffries wrote:

> On 16/02/18 01:44, Peter Viskup wrote:
>> Running squid version 4.0.23 with logformat including
>>
>> SSLBumpMode=%ssl::bump_mode SSLSNI="%ssl::>sni"
>> SSLClientProto="%ssl::>negotiated_version"
>> SSLServerProto="%ssl::<negotiated_version"
>> SSLBumpClientCipher="%ssl::>negotiated_cipher"
>> SSLBumpServerCipher="%ssl::<negotiated_cipher"
>> SSLBumpSubject="%ssl::<cert_subject"
>> SSLBumpIssuer="%ssl::<cert_issuer"
>>
>> and ssl_bump configured simply with
>>
>> ssl_bump bump all
>> http_access allow all
>>
>> the messages are still logged with dashes for the Subject and Issuer values
>>
>> SSLBumpMode=bump SSLSNI="www.google.sk" SSLClientProto="TLS/1.0" SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES256-SHA" SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="-" SSLBumpIssuer="-"
>>
>> Am I doing something wrong or did I overlook something?


> You told Squid to "bump all" which, by itself, means bump immediately
> after client Hello arrives.

In other words, you are doing a rough equivalent of the ancient
client-first bumping. To tell Squid to look at the client and server TLS
handshake messages (including the server certificate) before bumping the
connection, use something like this:

  ssl_bump stare all
  ssl_bump bump all


> So there is no server cert to get details
> from until after bumping finishes

The log message contains a server cipher (%ssl::<negotiated_cipher) so
Squid ought to know the certificate as well. The missing certificate in
this context sounds like a bug or a missing feature to me: Either the
server cipher should not be logged (if Squid did not see the origin
handshake yet) or both the cipher and the certificate details should be
logged. The only exception I could think of is a TLS negotiation error
where the server sends the cipher but not the certificate.

The above problem may not be important if, in fact, you did not actually
want to use client-first bumping (which usually does not work well),
_and_ staring at the server (i.e., stare all) logs the information you
want. However, that does not mean the problem is not there.


HTH,

Alex.
P.S. Your log entries will be malformed if certificate subject or issuer
contains a quote character.
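As an added example (not code from this thread or from Squid itself), a small Python checker that parses entries written in Peter's logformat and applies Alex's consistency argument: a bumped entry that carries a server cipher but dashes for subject and issuer is flagged, an entry with no server-side values at all is reported as having no upstream handshake, and an entry broken by a quote character inside the certificate subject (the P.S.) is reported as malformed. The sample log lines are constructed, not real traffic.

```python
import re

# Constructed sample entries in the thread's logformat (not real traffic): line 1 mirrors Peter's
# report, line 2 is what stare+bump should yield, line 3 saw no upstream handshake, line 4 has a quote
# character inside the subject (Alex's P.S.).
SAMPLE_LOG = """\
SSLBumpMode=bump SSLSNI="www.example.sk" SSLClientProto="TLS/1.0" SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES256-SHA" SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="-" SSLBumpIssuer="-"
SSLBumpMode=bump SSLSNI="www.example.sk" SSLClientProto="TLS/1.2" SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="/CN=www.example.sk" SSLBumpIssuer="/C=US/O=Example CA/CN=Example CA R1"
SSLBumpMode=bump SSLSNI="shop.example.org" SSLClientProto="TLS/1.2" SSLServerProto="-" SSLBumpClientCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpServerCipher="-" SSLBumpSubject="-" SSLBumpIssuer="-"
SSLBumpMode=bump SSLSNI="quote.example.net" SSLClientProto="TLS/1.2" SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="/O=Acme "Widgets" Inc/CN=quote.example.net" SSLBumpIssuer="/CN=Example CA R1"
"""

# One KEY=value token: the value is "quoted" (most %ssl:: fields) or bare (bump_mode).
TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
EXPECTED_KEYS = {"SSLBumpMode", "SSLSNI", "SSLClientProto", "SSLServerProto",
                 "SSLBumpClientCipher", "SSLBumpServerCipher",
                 "SSLBumpSubject", "SSLBumpIssuer"}

def parse_entry(line):
    """Return (fields, well_formed). A quote inside a subject or issuer leaves stray
    text between tokens or yields bogus keys, so the entry is reported as malformed."""
    fields, pos, clean = {}, 0, True
    for m in TOKEN.finditer(line):
        if line[pos:m.start()].strip() or m.group(1) not in EXPECTED_KEYS:
            clean = False
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        pos = m.end()
    if line[pos:].strip() or set(fields) != EXPECTED_KEYS:
        clean = False
    return fields, clean

def classify(fields):
    """Alex's consistency check: a bumped entry carrying a server cipher but no
    certificate details is the suspicious case discussed in the thread."""
    if fields.get("SSLBumpMode") != "bump":
        return "not-bumped"
    server_seen = fields.get("SSLBumpServerCipher", "-") != "-"
    cert_seen = "-" not in (fields.get("SSLBumpSubject", "-"), fields.get("SSLBumpIssuer", "-"))
    if server_seen and cert_seen:
        return "ok"
    if not server_seen and not cert_seen:
        return "no-server-handshake"  # client-first bump before upstream contact, or a HIT
    return "cipher-without-cert" if server_seen else "cert-without-cipher"

def audit(log_text):
    """Map each entry to (SNI, verdict) so an alert can pick out the bad ones."""
    results = []
    for line in log_text.splitlines():
        fields, clean = parse_entry(line)
        results.append((fields.get("SSLSNI", "?"), classify(fields) if clean else "malformed"))
    return results
```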

Re: squid4 with sslbump not logged server side cert_subject and cert_issuer

Peter Viskup
On Thu, Feb 15, 2018 at 7:41 PM, Alex Rousskov
<[hidden email]> wrote:

> On 02/15/2018 07:32 AM, Amos Jeffries wrote:
>> On 16/02/18 01:44, Peter Viskup wrote:
>>> Running squid version 4.0.23 with logformat including
>>>
>>> SSLBumpMode=%ssl::bump_mode SSLSNI="%ssl::>sni"
>>> SSLClientProto="%ssl::>negotiated_version"
>>> SSLServerProto="%ssl::<negotiated_version"
>>> SSLBumpClientCipher="%ssl::>negotiated_cipher"
>>> SSLBumpServerCipher="%ssl::<negotiated_cipher"
>>> SSLBumpSubject="%ssl::<cert_subject"
>>> SSLBumpIssuer="%ssl::<cert_issuer"
>>>
>>> and ssl_bump configured simply with
>>>
>>> ssl_bump bump all
>>> http_access allow all
>>>
>>> the messages are still logged with dashes for the Subject and Issuer values
>>>
>>> SSLBumpMode=bump SSLSNI="www.google.sk" SSLClientProto="TLS/1.0" SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES256-SHA" SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="-" SSLBumpIssuer="-"
>>>
>>> Am I doing something wrong or did I overlook something?
>> You told Squid to "bump all" which, by itself, means bump immediately
>> after client Hello arrives.
>
> In other words, you are doing a rough equivalent of the ancient
> client-first bumping. To tell Squid to look at the client and server TLS
> handshake messages (including the server certificate) before bumping the
> connection, use something like this:
>
>   ssl_bump stare all
>   ssl_bump bump all

I confirm that with these two lines the cert information is logged as expected.
Will read the wiki once more.

> The log message contains a server cipher (%ssl::<negotiated_cipher) so
> Squid ought to know the certificate as well. The missing certificate in
> this context sounds like a bug or a missing feature to me: Either the
> server cipher should not be logged (if Squid did not see the origin
> handshake yet) or both the cipher and the certificate details should be
> logged. The only exception I could think of is a TLS negotiation error
> where the server sends the cipher but not the certificate.
>
> The above problem may not be important if, in fact, you did not actually
> want to use client-first bumping (which usually does not work well),
> _and_ staring at the server (i.e., stare all) logs the information you
> want. However, that does not mean the problem is not there.

I do not want to use client-first bump, and thus the issue is solved by stare&bump.
Thank you.