On 2014-10-09 at 19:17 -0500, Chase Hoffman wrote:
> Your *.nsd.org cert would work to intercept traffic for all *.nsd.org
> sites, but would be useless for, say, www.driftpeasant.org. I have no
> idea how you've gotten this far using *.nsd.org - from everything I
> know, that should fail hard pretty much immediately.

Speculating here: if the iBoss accepts proxy-style requests, and clients are told to use an https proxy, pointed at the desired MitM box, then the identity which they will be validating against the presented certificate will be the hostname of the _proxy_, not of the final destination.

Mind, most times I see something using `$https_proxy`, they're pointing at a :3128 HTTP proxy which can also do HTTPS onwards, so they're not actually providing TLS protection between the client and the proxy, which might be an unpleasant surprise.

-Phil
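
An added example, not part of the original message: a small Python audit of `https_proxy` values that reports whether the client-to-proxy hop is TLS-protected and, if so, which name the proxy's certificate is checked against. The hostnames are constructed, and treating a scheme-less value as a plain HTTP proxy is an assumption modelled on curl's behaviour.

```python
import os
from urllib.parse import urlsplit


def classify_proxy(value):
    """Describe the client-to-proxy hop implied by one https_proxy value."""
    raw = value.strip()
    if "://" not in raw:
        # Assumption: a scheme-less value means a plain HTTP proxy (as in curl).
        raw = "http://" + raw
    url = urlsplit(raw)
    scheme = url.scheme.lower()
    tls = scheme == "https"
    return {
        "scheme": scheme,
        "proxy_host": url.hostname,
        "proxy_port": url.port,
        "tls_to_proxy": tls,
        # Only a TLS hop presents a certificate on the way to the proxy,
        # and it is checked against the proxy's own hostname.
        "name_checked_on_proxy_hop": url.hostname if tls else None,
        # Over plain HTTP the CONNECT line (destination host:port) and any
        # proxy credentials are readable on the wire.
        "connect_in_cleartext": scheme == "http",
        "credentials_in_cleartext": scheme == "http" and url.username is not None,
    }


def audit(env):
    """Return one finding per proxy variable whose proxy hop lacks TLS."""
    findings = []
    for var in ("https_proxy", "HTTPS_PROXY"):
        value = env.get(var)
        if not value:
            continue
        info = classify_proxy(value)
        if not info["tls_to_proxy"]:
            # Report host and port only, so embedded credentials are not echoed.
            findings.append(
                f"{var}: {info['scheme']}://{info['proxy_host']}:{info['proxy_port']}"
                " has no TLS between client and proxy"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(os.environ):
        print(finding)
```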
