Squid configuration directive tls_key_log

Available in: v7   v6  

This directive is not available in the v5 version of Squid.

This directive is not available in the v4 version of Squid.


Configuration Details:

Option Name:tls_key_log
Replaces:
Requires:--with-openssl
Default Value:none
Suggested Config:

	Configures whether and where Squid records pre-master secret and
	related encryption details for TLS connections accepted or established
	by Squid. These connections include connections accepted at
	https_port, TLS connections opened to origin servers/cache_peers/ICAP
	services, and TLS tunnels bumped by Squid using the SslBump feature.
	This log (a.k.a. SSLKEYLOGFILE) is meant for triage with traffic
	inspection tools like Wireshark.

	    tls_key_log <destination> [options] [if [!]<acl>...]

	WARNING: This log allows anybody who can read it to decrypt the
	corresponding TLS connections, both in-flight and postmortem. Restrict
	read access to the log file and enable this directive only for as long
	as the triage needs it.

	At most one log file is supported at this time. Repeated tls_key_log
	directives are treated as fatal configuration errors. By default, no
	log is created or updated.

	If the log file does not exist, Squid creates it. Otherwise, Squid
	appends to the existing log file.

	The directive is consulted whenever a TLS connection is accepted or
	established by Squid. TLS connections that fail the handshake may be
	logged if Squid got enough information to form a log record. A record
	is logged only if all of the configured ACLs match.

	While transport-related ACLs like src and dst should work, Squid may
	not have access to higher-level information. For example, when logging
	accepted https_port connections, Squid does not yet have access to the
	expected HTTPS request. Similarly, an HTTPS response is not available
	when logging most TLS connections established by Squid.
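The following squid.conf fragment is an added example, not text from the Squid documentation. The ACL name, the client address and the log path are illustrative. It shows the unconditional form (commented out) next to an ACL-restricted form; only one tls_key_log line may be active at a time, since a repeated directive is a fatal configuration error.

```conf
# Added example of a tls_key_log configuration (not from the Squid docs).
# ACL name, address and path are illustrative.

# Record secrets only for connections associated with one debugging client.
acl keylog_client src 192.0.2.10

# Weak form: no ACL, so every TLS connection Squid accepts or establishes
# (https_port, origin/cache_peer/ICAP, SslBump) has its secrets written.
# tls_key_log stdio:/var/log/squid/tls_keys.log

# Restricted form: only connections matching the fast ACL are recorded.
# rotate=0 stops "squid -k rotate" from leaving extra copies of the secrets.
tls_key_log stdio:/var/log/squid/tls_keys.log rotate=0 if keylog_client
```

Check the fragment with `squid -k parse` before reloading. Because the request is not available when an accepted https_port connection is logged, an ACL on the request (URL, method, HTTP headers) cannot select connections here; stick to transport-level ACLs such as src and dst. To read the capture, point Wireshark at the file (for example `tshark -o tls.keylog_file:/var/log/squid/tls_keys.log -r capture.pcap`), and delete both the log and the directive when the investigation is over.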

	The log record format is meant to be compatible with the TLS
	deciphering features of Wireshark, which rely on fields like
	CLIENT_RANDOM and RSA Master-Key. A single log record usually spans
	multiple lines.
	Technical documentation for that format is maintained inside the
	Wireshark code (e.g., see tls_keylog_process_lines() comments as of
	Wireshark commit e3d44136f0f0026c5e893fa249f458073f3b7328). TLS key
	log does not support custom record formats.
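The following Python script is an added example, not Squid or Wireshark code. It parses a key log in the NSS SSLKEYLOGFILE shape that Wireshark reads, groups the lines belonging to one connection by their client random (or, for RSA lines, the encrypted pre-master prefix), and reports which connections a decryption tool could fully decrypt. The label names and hex field lengths are taken from that format as I know it, not from Squid's implementation, and the embedded log is constructed, including two malformed lines that Wireshark would ignore.

```python
"""Parse and sanity-check an SSLKEYLOGFILE-style TLS key log.

Added example, not Squid or Wireshark code. Labels and field widths follow
the NSS key log format that Wireshark's key log reader accepts; the sample
log below is constructed, not captured from a real Squid instance.
"""
import re
from collections import defaultdict

HEX = "[0-9a-fA-F]"
# TLS 1.2 style lines. RSA: 8-byte prefix of the encrypted pre-master secret
# and the 48-byte pre-master secret. CLIENT_RANDOM: 32-byte client random
# and the 48-byte master secret.
PATTERNS = {
    "RSA": re.compile(rf"^RSA ({HEX}{{16}}) ({HEX}{{96}})$"),
    "CLIENT_RANDOM": re.compile(rf"^CLIENT_RANDOM ({HEX}{{64}}) ({HEX}{{96}})$"),
}
# TLS 1.3 style lines: label, 32-byte client random, secret (32 or 48 bytes
# depending on the hash, so accept 64 hex digits or more).
TLS13_LABELS = (
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
)
TLS13_RE = re.compile(rf"^({'|'.join(TLS13_LABELS)}) ({HEX}{{64}}) ({HEX}{{64,}})$")


def parse_key_log(text):
    """Return (records, errors).

    records maps a connection key (client random, or the RSA prefix) to a
    {label: secret_hex} dict, so the several lines written for one
    connection are collected together. errors lists (line_number, line)
    for lines a key-log reader would not understand.
    """
    records = defaultdict(dict)
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no secrets
        m = TLS13_RE.match(line)
        if m:
            label, key, secret = m.groups()
        else:
            label = line.split(" ", 1)[0]
            pat = PATTERNS.get(label)
            m = pat.match(line) if pat else None
            if not m:
                errors.append((lineno, raw))
                continue
            key, secret = m.groups()
        records[key.lower()][label] = secret.lower()
    return dict(records), errors


def classify(record):
    """Describe what a decryption tool can do with one connection's record."""
    labels = set(record)
    if "CLIENT_RANDOM" in labels or "RSA" in labels:
        return "tls12-full"  # master or pre-master secret known
    if {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= labels:
        return "tls13-full"
    if labels & {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"}:
        return "tls13-handshake-only"  # e.g. a handshake that failed late
    return "partial"


def summarize(text):
    """Map each connection key to its classification; also return errors."""
    records, errors = parse_key_log(text)
    return {key: classify(rec) for key, rec in records.items()}, errors


# Constructed sample log: one TLS 1.2 session, one complete TLS 1.3 session,
# one TLS 1.3 handshake that produced only handshake secrets, one RSA line,
# and two malformed lines.
SAMPLE_LOG = "\n".join([
    "# constructed sample, not a real capture",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "ee" * 32,
    "EXPORTER_SECRET " + "22" * 32 + " " + "ff" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "0a" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "0b" * 32,
    "RSA " + "44" * 8 + " " + "0c" * 48,
    "CLIENT_RANDOM " + "55" * 32 + " deadbeef",  # truncated secret
    "SSLKEYLOGFILE is not a label",
])

if __name__ == "__main__":
    summary, errors = summarize(SAMPLE_LOG)
    for key, kind in summary.items():
        print(f"{key[:16]}... {kind}")
    for lineno, line in errors:
        print(f"line {lineno}: unparseable: {line!r}")
```

Run it against a real tls_key_log output to confirm that every connection you need to decrypt has a complete record before spending time in Wireshark; handshake-only records are what you get from connections that failed after the key exchange, which the directive may still log.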

	This clause only supports fast acl types.
	See https://wiki.squid-cache.org/SquidFaq/SquidAcl for details.

	See access_log's <module>:<place> parameter for a list of supported
	logging destinations.

	TLS key log supports all access_log key=value options with the
	exception of logformat=name.

	Requires Squid built with OpenSSL support.
