trafficserver-users mailing list archives

From James Peach <>
Subject Re: SSL bumping/peek/splice
Date Mon, 02 Mar 2015 19:32:24 GMT

> On Feb 27, 2015, at 12:04 PM, Alex Crow <> wrote:
> Hi,
> Does there exist any mechanism in ATS configured as a forward proxy to allow proxying and inspection of HTTPS/SSL traffic between corporate browsers (I say this as we have users accept terms of usage for our systems) with a corporate CA added to their CA store and dynamically generate certs from the corp CA key impersonating the original site?
> FYI this is for the purpose of, very much primarily, scanning for malicious content and enabling caching of static objects retrieved via https:// URLs (which would be a bonus but not essential).
> For those that have done such a thing in Squid the Squid docs call these features as in the subject line. Commercial proxies such as Bluecoat and Barracuda offer this too - we've had some probs with Squid's implementation recently and are looking for an alternative (which for obvious reasons I'd prefer to be OSS/Libre software).

There is API support for this. IIRC you either need a patched version of OpenSSL (for the
original implementation), or the bleeding edge version for standard OpenSSL support. I'm not
aware of any complete solutions for this use case; you'd have to write a plugin to handle
figuring out which custom certificate to serve.
