Hi,
Is there any commercial support/assistance available for SSL bump/peek
in ATS.
Thanks,
Sunil Vasanta
On 03-03-2015 01:02, James Peach wrote:
On Feb 27, 2015, at 12:04 PM, Alex Crow <[email protected]> wrote:
HI,
Does there exist any mechanism in ATS configured as a forward proxy to allow
proxying and inspection of HTTPS/SSL traffic between corporate browsers (I say
this as we have users accept terms of usage for our systems) with a corporate
CA added to their CA store and dynamically generate certs from the corp CA key
impersonating the original site?
FYI this is for the purpose of, very much primarliy, scanning for malicious
content and enabling caching of static objects retrieved via https:// URLs
(which would be a bonus but not essential).
For those that have done such a thing in Squid the Squid docs call these
features as in the subject line. Commercial proxies such as Bluecoat and
Barracuda offer this too - we've had some probs with Squid's implementation
recently and are looking for an alternative (which for obvious reasons I'd
prefer to be OSS/Libre software).
There is API support for this. IIRC you either need a patched version of
OpenSSL (for the original implementation), or the bleeding edge version for
standard OpenSSL support. I'm not aware of any complete solutions for this use
case; you'd have to write a plugin to handle figuring out which custom
certificate to server.
J
--
Sunil Vasanta
Sawridgesystems
