Does TLS interception necessarily require a self-signed certificate? Please explain why
A brief schema of a TLS intercepting proxy - the Client connects to the Host via the Proxy in a way which allows the Proxy to perform a (consensual) MITM.
[Client] -> [Proxy] -> [Host]
It's my understanding from reading references online that implementing a TLS intercepting proxy requires you to:
- create your own CA signing key
- have the client trust your own CA
- the proxy can now basically establish two SSL sessions: Client<->Proxy and Proxy<->Host
This is one way to do this, and projects like https://github.com/abhinavsingh/proxy.py use this approach, as does the employer of the author of "How can my employer be a man-in-the-middle when I connect to Gmail?".
Question: is this the only way? Does a TLS intercepting proxy necessarily require a self-signed certificate? If so, can you explain why this is the only way?
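As an added example (not from the question or from any project it mentions), this Go program, using only the standard library, shows why the second step in the list above is unavoidable: it mints a hypothetical "Corp Proxy CA", has that CA sign a certificate for a host the proxy wants to intercept (the way a proxy mints one per visited site), and then checks whether a client accepts that certificate with and without the proxy CA in its trust store. The CA name and the host name are constructed for the demonstration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mintCert issues a certificate for cn: a self-signed CA root when parent == nil, else a server cert signed by parent.
func mintCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{cn}, // the hostname the client will check; the proxy copies it from the real site
	}
	if parent == nil { // self-signed root that is allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Scenario mints "Corp Proxy CA" (constructed name) and a proxy-issued cert for host, then reports whether a client accepts it with the proxy CA in its trust store (trusted) and without it (untrusted).
func Scenario(host string) (trusted, untrusted bool, err error) {
	ca, caKey, err := mintCert("Corp Proxy CA", nil, nil)
	if err != nil {
		return
	}
	leaf, _, err := mintCert(host, ca, caKey)
	if err != nil {
		return
	}
	withCA := x509.NewCertPool()
	withCA.AddCert(ca)
	_, errWithCA := leaf.Verify(x509.VerifyOptions{Roots: withCA, DNSName: host})
	_, errNoCA := leaf.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: host})
	return errWithCA == nil, errNoCA == nil, nil
}
```

The second check fails with an unknown-authority error, which is exactly why interception is only possible after the client has been given the extra root, and why inspecting the trust store (or the issuer of the certificate a browser shows for a well-known site) is the place to detect it.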