trafficserver-users mailing list archives

From James Peach <jpe...@apache.org>
Subject Re: SSL bumping/peek/splice
Date Mon, 02 Mar 2015 19:32:24 GMT

> On Feb 27, 2015, at 12:04 PM, Alex Crow <acrow@integrafin.co.uk> wrote:
> 
> Hi,
> 
> Does there exist any mechanism in ATS configured as a forward proxy to allow proxying
> and inspection of HTTPS/SSL traffic between corporate browsers (I say this as we have users
> accept terms of usage for our systems) with a corporate CA added to their CA store and dynamically
> generate certs from the corp CA key impersonating the original site?
> 
> FYI this is for the purpose of, very much primarily, scanning for malicious content and
> enabling caching of static objects retrieved via https:// URLs (which would be a bonus but
> not essential).
> 
> For those that have done such a thing in Squid the Squid docs call these features as
> in the subject line. Commercial proxies such as Bluecoat and Barracuda offer this too - we've
> had some probs with Squid's implementation recently and are looking for an alternative (which
> for obvious reasons I'd prefer to be OSS/Libre software).

There is API support for this. IIRC you either need a patched version of OpenSSL (for the
original implementation), or the bleeding edge version for standard OpenSSL support. I'm not
aware of any complete solutions for this use case; you'd have to write a plugin to handle
figuring out which custom certificate to serve.

J