How to inspect payload of outgoing SSL/TLS connections



I walked around the web but could not find a satisfying answer. This is more an
interest, nothing else.

I found pretty much about HTTPS and reverse proxy setups. Such setups are
straightforward and easy to understand. The negotiation is done on the
front end; the payload behind it is plain HTTP/HTML and easy to inspect.

But what I mean is, (how) is it possible to inspect the payload of SSL/TLS
outbound connections, meaning different CLIENTs -> "proxy" (inspect) ->
different SERVERs?
What I found so far is regarding Microsoft's TMG firewall and some hints to Cisco
products. But these explanations only aim at the (dialog) configuration of these
products. Nevertheless, it seems that there is a possibility; respectively, there
has to be an option for security reasons.

So what are the principles for such a setup and (how) could it be done in
pfSense? Links are welcome ;-)!

Edit:
OK, the above is pretty short. One general principle is clear to me:

CLIENT --- negotiationX --- proxy --- negotiationY --- SERVER.

But how are the certs handled in this example? An SSL cert has a
host description. If the host that is called does not match the
host in the cert, the browser complains. The proxy must have
its own cert to negotiate with the client, but this cert does not match
the host which is called ...

Moreover, it would be very insecure, from the client's point of view,
to rely on the proxy cert for all HTTPS sites in the world.

Please advise! Thanks!

Regards,
CD
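As an added example (not part of the original post), the certificate question above in code: an inspection proxy mints a leaf certificate for the exact hostname the client asked for and signs it with its own CA, so the browser's hostname check passes and only the issuer reveals the proxy. The CA name and the certificate dict are constructed here in the shape Python's `ssl.getpeercert()` returns; `fetch_peer_cert` is the live counterpart for checking a real connection from a client that trusts (or does not trust) the inspection CA.

```python
import socket
import ssl

# Constructed samples in the shape ssl.getpeercert() returns; the CA name is hypothetical.
INSPECTION_CA_CN = "pfSense Inspection CA (constructed)"
INTERCEPTED_CERT = {  # leaf the proxy mints for the exact host the client requested
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", INSPECTION_CA_CN),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

def _dn_field(dn, key):
    """First value of `key` in a getpeercert() distinguished-name tuple."""
    for rdn in dn:
        for k, v in rdn:
            if k == key:
                return v
    return None

def hostname_matches(cert, hostname):
    """RFC 6125-style check of SAN DNS entries, allowing one leftmost-label wildcard."""
    host = hostname.lower().rstrip(".")
    for name in (v for t, v in cert.get("subjectAltName", ()) if t == "DNS"):
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:  # exactly one label replaced
                return True
        elif name == host:
            return True
    return False

def classify_peer_cert(cert, hostname, inspection_ca_cn):
    """Two questions from the post: does the name fit the requested host, and who signed it?"""
    issuer_cn = _dn_field(cert.get("issuer", ()), "commonName")
    return {
        "hostname_ok": hostname_matches(cert, hostname),
        "issuer_cn": issuer_cn,
        "signed_by_inspection_ca": issuer_cn == inspection_ca_cn,
    }

def fetch_peer_cert(hostname, port=443, cafile=None):
    """Live variant: validate the chain against `cafile` (e.g. the exported
    inspection CA) or the system store, then return the peer cert dict."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

On a client that has not imported the inspection CA, `fetch_peer_cert` raises `ssl.SSLCertVerificationError` for every intercepted connection, which is exactly the "browser complains" behaviour described in the post.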

