> On Feb 27, 2015, at 12:04 PM, Alex Crow <[email protected]> wrote:
>
> Hi,
>
> Does there exist any mechanism in ATS configured as a forward proxy to allow
> proxying and inspection of HTTPS/SSL traffic between corporate browsers (I
> say this as we have users accept terms of usage for our systems) with a
> corporate CA added to their CA store and dynamically generate certs from the
> corp CA key impersonating the original site?
>
> FYI this is for the purpose of, very much primarily, scanning for malicious
> content and enabling caching of static objects retrieved via https:// URLs
> (which would be a bonus but not essential).
>
> For those that have done such a thing in Squid the Squid docs call these
> features as in the subject line. Commercial proxies such as Bluecoat and
> Barracuda offer this too - we've had some probs with Squid's implementation
> recently and are looking for an alternative (which for obvious reasons I'd
> prefer to be OSS/Libre software).

There is API support for this. IIRC you either need a patched version of OpenSSL (for the original implementation), or the bleeding edge version for standard OpenSSL support. I'm not aware of any complete solutions for this use case; you'd have to write a plugin to handle figuring out which custom certificate to serve.

J
