    How to inspect payload of outgoing SSL/TLS connections

    CollateralD

      I walked around the web but could not find a satisfying answer. This is more of an
      interest, nothing else.

      I found pretty much everything about HTTPS and reverse proxy setups. Such setups are
      straightforward and easy to understand. The negotiation is done on the
      front end; the payload behind it is plain HTTP/HTML and easy to inspect.

      But what I mean is, (how) is it possible to inspect the payload of SSL/TLS
      outbound connections, meaning different CLIENTs -> "proxy" (inspect) ->
      different SERVERs?
      What I found so far concerns Microsoft's TMG firewall and some hints about Cisco
      products. But these explanations only aim at the (dialog) configuration of these
      products. Nevertheless, it seems that there is a possibility; respectively, there
      has to be an option for security reasons.

      So what are the principles for such a setup and (how) could it be done in
      pfSense? Links are welcome ;-)!

      Edit:
      OK, the above is pretty short. One general principle is clear to me:

      CLIENT --- negotiationX --- proxy --- negotiationY --- SERVER.

      But how are the certs handled in this example? An SSL cert has a
      host description. If the host that is called does not match the
      host in the cert, the browser complains. The proxy must have
      its own cert to negotiate with the client, but this cert does not match
      the host which is called ...

      Moreover, it would be very insecure, from the client's point of view,
      to rely on the proxy cert for all HTTPS sites in the world.

      Please advise! Thanks!

      Regards,
      CD
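
The certificate handling asked about in the post, as an added example in Go (not code from the original post, from pfSense or from any particular proxy product; the CA name and host names are constructed): an inspecting proxy runs its own root CA, mints a fresh certificate carrying the requested server name for every connection (negotiation X), and a browser accepts that certificate only if the proxy's root is installed in its trust store, which is why such a setup is only workable for clients the administrator controls.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint issues tmpl for public key pub, signed by parent with signer's key, valid for 24h.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newProxyCA creates the proxy's own root CA (constructed name); only clients that have it installed accept its leaves.
func newProxyCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Inspection Proxy CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := mint(tmpl, tmpl, &key.PublicKey, key) // self-signed root
	return cert, key, err
}

// leafFor is the per-connection step: the proxy issues a certificate naming the host the client asked for (negotiation X).
func leafFor(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mint(tmpl, caCert, &key.PublicKey, caKey)
}

// clientAccepts is the browser's check: a trusted root at the top of the chain and the called host name in the cert.
func clientAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

A client whose trust store lacks the proxy root, or that asked for a different host name than the one in the minted certificate, fails the same check a browser runs and shows the warning the post describes.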

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.