Intercepting, decrypting and inspecting traffic over an encrypted channel

• Main Authors: Galloway, Gregory Lyle, Vossen, Joseph Karl, Williams, Ronald Becker, Kubilus, Matthew Joseph, Coccoli, Paul, Court, John William, Mazur, Steven Ashley
• Format: Patent
• Language: English
• Published: 01.05.2018
• Subjects: ELECTRIC COMMUNICATION TECHNIQUE; ELECTRICITY; TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHICCOMMUNICATION

A network-based appliance includes a mechanism to intercept, decrypt and inspect secure network traffic flowing over SSL/TLS between a client and a server. The mechanism responds to detection of a session initiation request message from the client, the message being received following establishment of a TCP connection between the client and server. The mechanism responds by holding the session initiation request message, preferably by creating a fake socket to a local process, and then diverting the request message over that socket. The TCP connection is then terminated, and the mechanism initiates a new session in initiation request message, all while the original session initiation request message continues to be held. The server responds with its server certificate, which is then used by the mechanism to generate a new server certificate. The new server certificate is then returned to the requesting client as the response to the session initiation request message.