CacheGuard-OS
User's Guide - Version UF-2.0.2


SSL Mediation

SSL mediation allows you to decrypt HTTPS traffic at the gateway in order to cache it, inspect its contents and possibly block unwanted content. Please note that, as HTTPS aims to give users privacy and security, decrypting it in the middle (before it reaches the final client) may violate ethical norms and may be illegal in your jurisdiction.

When SSL mediation is activated, the system re-encrypts the decrypted traffic before forwarding it to the end user. To do so it dynamically generates SSL certificates and signs them with its own CA (Certificate Authority) certificate. Naturally, for this to work the system's CA certificate must be imported into the end user's Web browser before any attempt to access an HTTPS website.
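To make that mechanism concrete, here is an added example (written for this page, not CacheGuard code and not its CLI): a small Go model of what the mediator does with its CA. It creates a self-signed CA, mints a leaf certificate for an intercepted hostname, exposes the CA as DER (the format the appliance serves) and as PEM (the form most trust stores import), and then validates the leaf the way a browser would, once without the CA in the trust store and once with it. The Mediator type, its method names and the hostnames are assumptions made for the example; only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Mediator models the certificate-minting part of an SSL-mediating gateway: it
// holds its own CA key pair and signs a leaf for every intercepted hostname.
// Hypothetical type written for this example, not CacheGuard code.
type Mediator struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
}

// issue generates a P-256 key for tmpl and signs tmpl with parentKey (self-signed when nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key // a CA signs its own certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewMediator creates a self-signed CA, standing in for the CA certificate the
// appliance generates at installation time.
func NewMediator(caName string) (*Mediator, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, key, err := issue(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	return &Mediator{caCert: cert, caKey: key}, nil
}

// CADER returns the CA certificate as DER, the encoding the appliance publishes
// for download; CAPEM converts it to PEM, which most trust stores import.
func (m *Mediator) CADER() []byte { return m.caCert.Raw }
func (m *Mediator) CAPEM() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: m.caCert.Raw})
}

// IssueLeaf mints the certificate presented to the client for host, signed by
// the mediator's CA. A real gateway keeps the leaf key for the TLS handshake.
func (m *Mediator) IssueLeaf(host string) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _, err := issue(tmpl, m.caCert, m.caKey)
	return cert, err
}

// ClientTrusts asks what a browser asks: does leaf chain to a CA in my trust
// store for host? trustedDER is nil when the CA was never imported.
func ClientTrusts(leaf *x509.Certificate, host string, trustedDER []byte) bool {
	roots := x509.NewCertPool()
	if ca, err := x509.ParseCertificate(trustedDER); err == nil {
		roots.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

func main() {
	m, _ := NewMediator("Example Gateway CA (constructed)")
	leaf, _ := m.IssueLeaf("www.example.com")
	fmt.Println(ClientTrusts(leaf, "www.example.com", nil), ClientTrusts(leaf, "www.example.com", m.CADER())) // false true
}
```

The two results of the final line are the whole point of the CA import step: the same leaf is rejected until the gateway's CA sits in the client's trust store, and it is rejected again for any hostname it was not issued for.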

Assuming that the internal network interface of the appliance has the IP address 10.20.0.254, the CA certificate of the appliance is available in DER format at http://10.20.0.254. To implement the appliance as a transparent SSL mediator, use the following commands:

CA certificate

A default system CA certificate is generated during installation, but we highly recommend that you generate your own CA certificate. To do so use the following commands:

Alternatively, you can import your existing CA into your CacheGuard system. Assuming that your CA certificate and its associated private key are named cg-ca.certificate and cg-ca.key respectively and are placed on a TFTP file server reachable at 172.18.2.1, use the following commands:

Exception lists

The appliance can be configured to bypass SSL mediation for some websites (deny policy) or to act as an SSL mediator only for some given websites (allow policy). To activate SSL mediation for example.com only, use the following commands:
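The allow/deny semantics of the exception list, as an added example that is neither CacheGuard's implementation nor its commands: a small Go model in which a deny list bypasses mediation for the listed sites and an allow list mediates only those sites. Matching by exact name or parent domain (so www.example.com counts as example.com while notexample.com does not) is an assumption of this example, not a documented behaviour of the appliance.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is the mode of an exception list: Deny bypasses mediation for the
// listed sites, Allow mediates only the listed sites.
type Policy int

const (
	Deny Policy = iota
	Allow
)

// ExceptionList is a hypothetical model of the appliance's list, written for
// this example; it is not the CacheGuard implementation.
type ExceptionList struct {
	Mode  Policy
	Sites []string
}

// matches reports whether host is a listed site or a subdomain of one
// (parent-domain matching is an assumption of this example). A bare suffix
// test would wrongly match notexample.com against example.com, hence the dot.
func (l ExceptionList) matches(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, site := range l.Sites {
		site = strings.ToLower(strings.TrimSuffix(site, "."))
		if host == site || strings.HasSuffix(host, "."+site) {
			return true
		}
	}
	return false
}

// Mediate reports whether an HTTPS connection to host is decrypted at the
// gateway under this list. With an empty list, Deny mediates everything and
// Allow mediates nothing.
func (l ExceptionList) Mediate(host string) bool {
	if l.Mode == Allow {
		return l.matches(host)
	}
	return !l.matches(host)
}

func main() {
	allowOnly := ExceptionList{Mode: Allow, Sites: []string{"example.com"}}
	for _, h := range []string{"example.com", "www.example.com", "notexample.com"} {
		fmt.Printf("%-16s mediated=%v\n", h, allowOnly.Mediate(h))
	}
}
```

The empty-list cases are worth keeping in mind when switching policy: an allow list that has not been filled yet mediates nothing, whereas an empty deny list mediates all HTTPS traffic.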