How to inspect payload of outgoing SSL/TLS connections
I walked around the web but could not find a satisfying answer. This is more an interest, nothing else.

I found pretty much about HTTPS and reverse proxy setups. Such setups are straightforward and easy to understand. The negotiation is done on the front end; the payload behind is plain HTTP/HTML and easy to inspect.

But what I mean is: (how) is it possible to inspect the payload of SSL/TLS outbound connections, meaning different CLIENTs -> "proxy" (inspect) -> different SERVERs?

What I found so far is regarding Microsoft's TMG firewall and some hints to Cisco products. But these explanations only aim at the (dialog) configuration of these products. Nevertheless, it seems that there is a possibility, respectively there has to be an option, for security reasons.

So what are the principles for such a setup and (how) could it be done in pfSense? Links are welcome ;-)!

Edit:

OK, the above is pretty short. One general principle is clear to me:

CLIENT --- negotiationX --- proxy --- negotiationY --- SERVER

But how are the certs handled in this example? An SSL cert has a host description. If the host which is called does not match the host in the cert, the browser complains. The proxy must have its own cert to negotiate with the client, but this cert does not match the host which is called ...

Moreover, it would be very insecure, from the client's point of view, to rely on the proxy cert for all HTTPS sites in the world.

Please advise! Thanks!

Regards,
CD
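The certificate handling behind the CLIENT --- proxy --- SERVER principle in the post, as an added shell example that is not part of the original thread or of any pfSense/TMG product: the proxy runs its own private CA, mints a per-host leaf certificate for each requested site, and the client accepts it only if that CA is in its trust store and the name matches. It assumes `openssl` 1.1.1 or newer on PATH; the CA name, hostnames and file names are hypothetical.

```shell
#!/bin/sh
# Added illustration, not code from the thread. An inspecting proxy keeps a
# private CA; for each site a client asks for it mints a leaf whose SAN matches
# that host and signs it with the CA. Clients accept the leaf only when the
# proxy CA sits in their trust store, so it must be distributed to every client.
set -eu

make_proxy_ca() {            # $1 = work dir; writes proxy-ca.key / proxy-ca.crt
  cat > "$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Demo Inspecting Proxy CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1/proxy-ca.key" -out "$1/proxy-ca.crt" >/dev/null 2>&1
}

mint_leaf_for_host() {       # $1 = work dir, $2 = hostname the client asked for
  openssl req -new -config "$1/ca.cnf" -subj "/CN=$2" -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$2" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/proxy-ca.crt" -CAkey "$1/proxy-ca.key" \
    -CAcreateserial -days 7 -extfile "$1/$2.ext" -out "$1/$2.crt" >/dev/null 2>&1
}

# What the browser does: chain to a trusted CA *and* match the requested host.
client_accepts() {           # $1 = trusted CA file, $2 = leaf cert, $3 = requested host
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_proxy_ca "$d"
  mint_leaf_for_host "$d" www.example.com
  client_accepts "$d/proxy-ca.crt" "$d/www.example.com.crt" www.example.com \
    && echo "trusted CA + matching host: accepted"
  client_accepts "$d/proxy-ca.crt" "$d/www.example.com.crt" mail.example.com \
    || echo "host mismatch: rejected (the browser warning the post describes)"
  rm -rf "$d"
}
demo
```

A leaf signed by a CA the client does not trust is rejected the same way, which is the "rely on the proxy cert for all HTTPS sites" concern: the client trusts one proxy CA, not a per-site cert.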