Posted to users@trafficserver.apache.org by Alex Crow <ac...@integrafin.co.uk> on 2015/02/27 21:04:11 UTC

SSL bumping/peek/splice

Hi,

Does there exist any mechanism in ATS configured as a forward proxy to 
allow proxying and inspection of HTTPS/SSL traffic between corporate 
browsers (I say this as we have users accept terms of usage for our 
systems) with a corporate CA added to their CA store and dynamically 
generate certs from the corp CA key impersonating the original site?

FYI this is for the purpose of, very much primarily, scanning for 
malicious content and enabling caching of static objects retrieved via 
https:// URLs (which would be a bonus but not essential).

For those that have done such a thing in Squid, the Squid docs refer to 
these features by the names in the subject line. Commercial proxies such 
as Bluecoat and Barracuda offer this too - we've had some probs with 
Squid's implementation recently and are looking for an alternative (which 
for obvious reasons I'd prefer to be OSS/Libre software).

Any help much appreciated.

Alex

Re: SSL bumping/peek/splice

Posted by SunilVasanta <v....@sawridgesystems.com>.
Hi,

Is there any commercial support/assistance available for SSL bump/peek
in ATS.

Thanks,
Sunil Vasanta

On 03-03-2015 01:02, James Peach wrote:
>> On Feb 27, 2015, at 12:04 PM, Alex Crow <ac...@integrafin.co.uk> wrote:
>>
>> Hi,
>>
>> Does there exist any mechanism in ATS configured as a forward proxy to allow proxying and inspection of HTTPS/SSL traffic between corporate browsers (I say this as we have users accept terms of usage for our systems) with a corporate CA added to their CA store and dynamically generate certs from the corp CA key impersonating the original site?
>>
>> FYI this is for the purpose of, very much primarily, scanning for malicious content and enabling caching of static objects retrieved via https:// URLs (which would be a bonus but not essential).
>>
>> For those that have done such a thing in Squid, the Squid docs refer to these features by the names in the subject line. Commercial proxies such as Bluecoat and Barracuda offer this too - we've had some probs with Squid's implementation recently and are looking for an alternative (which for obvious reasons I'd prefer to be OSS/Libre software).
> There is API support for this. IIRC you either need a patched version of OpenSSL (for the original implementation), or the bleeding edge version for standard OpenSSL support. I'm not aware of any complete solutions for this use case; you'd have to write a plugin to handle figuring out which custom certificate to serve.
>
> J
>

-- 

Sunil Vasanta
Sawridgesystems


Re: SSL bumping/peek/splice

Posted by James Peach <jp...@apache.org>.
> On Feb 27, 2015, at 12:04 PM, Alex Crow <ac...@integrafin.co.uk> wrote:
> 
> Hi,
> 
> Does there exist any mechanism in ATS configured as a forward proxy to allow proxying and inspection of HTTPS/SSL traffic between corporate browsers (I say this as we have users accept terms of usage for our systems) with a corporate CA added to their CA store and dynamically generate certs from the corp CA key impersonating the original site?
> 
> FYI this is for the purpose of, very much primarily, scanning for malicious content and enabling caching of static objects retrieved via https:// URLs (which would be a bonus but not essential).
> 
> For those that have done such a thing in Squid, the Squid docs refer to these features by the names in the subject line. Commercial proxies such as Bluecoat and Barracuda offer this too - we've had some probs with Squid's implementation recently and are looking for an alternative (which for obvious reasons I'd prefer to be OSS/Libre software).

There is API support for this. IIRC you either need a patched version of OpenSSL (for the original implementation), or the bleeding edge version for standard OpenSSL support. I'm not aware of any complete solutions for this use case; you'd have to write a plugin to handle figuring out which custom certificate to serve.

J
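
The part James says you would have to write yourself, "figuring out which custom certificate to serve" for a given client SNI, is shown below as an added, stand-alone example; it is not ATS code, not a plugin, and not from anyone in this thread. It uses only Go's standard library so it runs offline: it generates an in-memory corporate CA (constructed for the example; a real one would be loaded from protected storage), mints a per-host leaf certificate signed by it on demand, caches leaves per SNI, refuses SNI values it should never impersonate (empty, wildcard, path-like), and then verifies the result the way a browser with that CA installed would. The names NewCA, Minter, CertFor and VerifyAsClient are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"sync"
	"time"
)

// CA is the corporate inspection CA whose certificate sits in the browsers'
// trust store. Generated in memory here (constructed for the example); a real
// deployment loads it from an HSM or a root-only file.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA mints a self-signed CA restricted to signing leaves (pathlen:0), so a
// leaked leaf key can never be used to sign further certificates.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            0,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// Leaf is one impersonation certificate with its private key.
type Leaf struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	DER  []byte
}

// Minter answers "which certificate do I serve for this SNI?" and caches the
// answer per host, so the CA key is used once per host per TTL, not per handshake.
type Minter struct {
	ca    *CA
	ttl   time.Duration
	mu    sync.Mutex
	cache map[string]*Leaf
}

func NewMinter(ca *CA, ttl time.Duration) *Minter {
	return &Minter{ca: ca, ttl: ttl, cache: make(map[string]*Leaf)}
}

// CertFor returns the cached leaf for the SNI, minting a fresh one when there
// is none or the cached one is within 10% of its TTL from expiry.
func (m *Minter) CertFor(sni string) (*Leaf, error) {
	host := strings.ToLower(strings.TrimSpace(sni))
	// SNI is client-controlled input: accept only a plain host or IP. Never mint
	// a wildcard; one wildcard leaf would impersonate every host under the suffix.
	if host == "" || strings.ContainsAny(host, "* \t\r\n/\\") || strings.HasPrefix(host, ".") {
		return nil, fmt.Errorf("refusing to mint certificate for SNI %q", sni)
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	if l, ok := m.cache[host]; ok && time.Now().Add(m.ttl/10).Before(l.Cert.NotAfter) {
		return l, nil
	}
	l, err := m.mint(host)
	if err != nil {
		return nil, err
	}
	m.cache[host] = l
	return l, nil
}

func (m *Minter) mint(host string) (*Leaf, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // unique, unpredictable
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		NotBefore:             now.Add(-5 * time.Minute), // tolerate client clock skew
		NotAfter:              now.Add(m.ttl),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // IsCA stays false, so cA:FALSE is asserted explicitly
	}
	// Browsers match on the SAN, not the CN: IP SNI goes in the IP SAN, else DNS SAN.
	if ip := net.ParseIP(host); ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	} else {
		tmpl.DNSNames = []string{host}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, m.ca.Cert, &key.PublicKey, m.ca.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Leaf{Cert: cert, Key: key, DER: der}, nil
}

// VerifyAsClient does what a browser with the corporate CA installed does:
// chain to the root, check the name, check the server-auth EKU.
func VerifyAsClient(leaf, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, err := NewCA("Example Corp TLS Inspection CA")
	if err != nil {
		panic(err)
	}
	m := NewMinter(ca, 24*time.Hour)
	for _, sni := range []string{"www.example.com", "WWW.example.com", "*.example.com"} {
		l, err := m.CertFor(sni)
		if err != nil {
			fmt.Println(sni, "->", err)
			continue
		}
		ok := VerifyAsClient(l.Cert, ca.Cert, "www.example.com") == nil
		fmt.Printf("%s -> serial %s SAN %v trusted=%v\n", sni, l.Cert.SerialNumber, l.Cert.DNSNames, ok)
	}
}
```

In a proxy, the SNI-to-leaf lookup above is what runs in the per-connection certificate hook; the CA private key should be confined to the minting step (or a separate signing process) rather than exposed to every worker, and the cache TTL bounds how long a stolen leaf key is useful.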