>
>On Wednesday, December 11, 2013 10:32 AM, Alan M. Carroll
><a...@network-geographics.com> wrote:
>
>
>Because that requires dynamically generating certificates which is a
>non-trivial task. I have done some work to extend the SSL support to make this
>easier in ATS but I haven't had time recently to write it up for the dev list.
I agree.
Although if we take the constraint that the client knows beforehand about this
behavior, the client can choose not to validate the certificate against a CA,
therefore simplifying the problem greatly. This would be especially applicable
when the client is on the local network. I'm not very sure about this, but I
would assume that we could either use a self-signed wildcard SSL certificate or
one specific to the trafficserver host as long as the certificate validation
does not happen.
Not spoofing certificates should also protect the local client against
malicious usage of the forward proxy mode to inspect HTTPS traffic.
This behavior should be ok as ATS would do the required certificate validation
for the upstream server.
Thanks,
Vikram