What is Corporate Proxy with SSL Inspection?

Corporate proxies intercept HTTPS traffic to inspect content for security and compliance. This is called SSL Inspection or MITM (Man-In-The-Middle).

Complete Flow: curl Through Proxy

Command:

curl -v -x http://proxy.company.com:8080 https://api.example.com/data

Step-by-Step Flow:

1. DNS Resolution

curl resolves proxy hostname
    ↓
DNS: proxy.company.com → 192.168.1.100

2. TCP Connection to Proxy

curl → proxy:8080
    ↓
TCP handshake: SYN, SYN-ACK, ACK
    ↓
Connection established

3. CONNECT Request (HTTP Tunnel)

curl sends:
→ CONNECT api.example.com:443 HTTP/1.1
→ Host: api.example.com
→ User-Agent: curl/8.0.0
→ Proxy-Connection: Keep-Alive

Proxy responds:
← HTTP/1.1 200 Connection established

Key point: CONNECT does not open a new TCP connection. It turns the existing connection to the proxy into a tunnel; everything curl sends after the 200 is passed along as opaque bytes (until SSL inspection, below, breaks that assumption).

4. SSL Inspection Setup (MITM)

curl starts TLS handshake
→ ClientHello (offers TLS 1.2/1.3 and the cipher suites curl supports)

Proxy intercepts:
    ↓
Proxy presents fake certificate
← ServerHello
← Certificate (CN=api.example.com, Issuer=Corporate Proxy CA)
← ServerHelloDone

(The messages shown are the TLS 1.2 shape; in TLS 1.3 the Certificate arrives encrypted after ServerHello, but the proxy's role is the same.)

curl validates the certificate:
- Checks whether it chains to a CA in curl's trust store
- If the proxy CA is installed: handshake continues
- If it is not: certificate error (failure scenario 4 below)

5. TLS Handshake Completion

curl → ClientKeyExchange
curl → ChangeCipherSpec
curl → Finished (encrypted)

curl ← ChangeCipherSpec (from proxy)
curl ← Finished (encrypted, from proxy)

Encrypted tunnel established:
curl ←TLS→ Proxy (fake cert)

6. Proxy Connects to Real Server

Proxy → api.example.com:443
    ↓
TCP handshake
    ↓
TLS handshake with real certificate
    ↓
Proxy ←TLS→ api.example.com (real cert)

7. HTTP Request (Encrypted)

curl sends through encrypted tunnel:
→ GET /data HTTP/1.1
→ Host: api.example.com
→ Authorization: Bearer token123

Proxy decrypts the request and can read all of it, including the Authorization header

8. Policy Check

Proxy inspects decrypted request:
    ↓
Check 1: Domain allowed?
    - Blocklist: gambling, social media
    - Allowlist: work-related sites
    ↓
Check 2: User authorized?
    - Check user identity
    - Check time-based rules
    ↓
Check 3: Request headers safe?
    - Check for malicious patterns
    - Validate authentication tokens
    ↓
Decision: Allow or Block
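The three checks above as a small policy engine. This is an added example, not code from the original notes or from any proxy product; the blocklist, allowlist, user directory, permitted hours and sample request are all constructed, and the header check treats a CR/LF inside a header value and a bearer token that is not a valid b64token as the "malicious patterns" the notes mention.

```python
"""Added example, not part of the original notes: a small policy engine that
applies the three checks of step 8 in order and stops at the first failure.
All rule data (domains, users, hours) and the sample request are constructed."""
import re
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed blocklist (domain -> category) and allowlist of work-related sites.
BLOCKLIST = {"casino.example": "gambling", "social.example": "social media"}
ALLOWLIST = {"api.example.com", "intranet.example.com"}

# Constructed user directory with time-based rules (permitted hours).
USERS = {
    "alice": {"hours": (time(7, 0), time(19, 0))},
    "bob": {"hours": (time(0, 0), time(23, 59, 59))},
}

# A CR or LF inside a header value is the classic header-injection pattern.
HEADER_INJECTION = re.compile(r"[\r\n]")
# Shape of a syntactically valid bearer token (RFC 6750 b64token).
BEARER_TOKEN = re.compile(r"^Bearer [A-Za-z0-9._~+/-]+=*$")


@dataclass
class Request:
    host: str
    headers: dict
    user: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    trail: list = field(default_factory=list)  # one entry per check that ran


def check_domain(host):
    if host in BLOCKLIST:
        return False, f"domain blocked (category: {BLOCKLIST[host]})"
    if host not in ALLOWLIST:
        return False, "domain not on allowlist"
    return True, "domain allowed"


def check_user(user, now):
    rule = USERS.get(user)
    if rule is None:
        return False, "unknown user"
    start, end = rule["hours"]
    if not start <= now.time() <= end:
        return False, "outside permitted hours"
    return True, "user authorized"


def check_headers(headers):
    for name, value in headers.items():
        if HEADER_INJECTION.search(value):
            return False, f"malicious pattern in header {name}"
    auth = headers.get("Authorization")
    if auth is not None and not BEARER_TOKEN.match(auth):
        return False, "malformed authentication token"
    return True, "headers safe"


def decide(req, now):
    """Check 1 -> Check 2 -> Check 3 -> Decision, short-circuiting on failure."""
    checks = (
        lambda: check_domain(req.host),
        lambda: check_user(req.user, now),
        lambda: check_headers(req.headers),
    )
    decision = Decision(allowed=True, reason="allowed")
    for check in checks:
        ok, reason = check()
        decision.trail.append(reason)
        if not ok:
            decision.allowed, decision.reason = False, reason
            break
    return decision


if __name__ == "__main__":
    # The request from step 7, as the proxy sees it after decryption.
    req = Request("api.example.com",
                  {"Host": "api.example.com", "Authorization": "Bearer token123"},
                  "alice")
    print(decide(req, datetime(2025, 1, 1, 10, 0)))
```

The order matters for the same reason it does in a real proxy: the domain check is cheapest and blocks the most, so it runs first, and the decision records which check produced the verdict so the block can be explained in the proxy log.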

9. Proxy Forwards to Server

If allowed:
Proxy → api.example.com
    ↓
GET /data HTTP/1.1
(through proxy's TLS connection)

10. Server Response

api.example.com → Proxy
← HTTP/1.1 200 OK
← Content-Type: application/json
← Content-Length: 1024
← {"data": "sensitive info"}

11. DLP (Data Loss Prevention) Scan

Proxy scans response body:
    ↓
Check for:
- Credit card numbers (regex: \d{4}-\d{4}-\d{4}-\d{4})
- Social security numbers
- Confidential keywords
- Company secrets
    ↓
Scan timeout: 1-5 seconds
    ↓
If timeout: Drop connection
If pass: Forward response
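A DLP scanner that implements the step above, including the timeout branch. This is an added example and not code from the original notes or from any DLP product. It uses the notes' dashed card pattern plus the undashed 16-digit form, filters card hits with a Luhn checksum to cut false positives, and scans the body in chunks against a time budget so a slow scan ends in a "drop" verdict instead of hanging. The keyword list and sample bodies are constructed; the SlowClock exists only to make the timeout path reproducible.

```python
"""Added example, not part of the original notes: a DLP scanner for the
response body of step 11. It looks for card numbers (the notes' dashed
pattern plus the undashed form, filtered with a Luhn check), SSNs and
keywords, working under a time budget so a slow scan ends in "drop" rather
than hanging. Keywords and sample bodies are constructed."""
import re
import time

CARD_RE = re.compile(r"\b\d{4}-\d{4}-\d{4}-\d{4}\b|\b\d{16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
KEYWORDS = ("CONFIDENTIAL", "INTERNAL ONLY", "TRADE SECRET")  # constructed list


def luhn_ok(digits):
    """Luhn checksum; rejects most 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    return [m.group() for m in CARD_RE.finditer(text)
            if luhn_ok(m.group().replace("-", ""))]


def find_ssns(text):
    return SSN_RE.findall(text)


def find_keywords(text):
    upper = text.upper()
    return [k for k in KEYWORDS if k in upper]


def scan(body, budget_seconds=5.0, chunk_size=4096, clock=time.monotonic):
    """Return (verdict, findings): 'drop' on timeout, 'block' on a hit, else 'forward'.

    The body is scanned in chunks with a small overlap so a pattern straddling
    a chunk boundary is still seen; the clock is checked before every chunk.
    """
    deadline = clock() + budget_seconds
    findings = {"cards": set(), "ssns": set(), "keywords": set()}
    overlap = 32
    pos = 0
    while pos < len(body):
        if clock() > deadline:
            return "drop", findings
        chunk = body[max(0, pos - overlap):pos + chunk_size]
        findings["cards"].update(find_card_numbers(chunk))
        findings["ssns"].update(find_ssns(chunk))
        findings["keywords"].update(find_keywords(chunk))
        pos += chunk_size
    verdict = "block" if any(findings.values()) else "forward"
    return verdict, findings


class SlowClock:
    """Constructed clock for tests: every reading is one second after the last."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        self.now += 1.0
        return self.now


if __name__ == "__main__":
    print(scan('{"data": "sensitive info"}'))
    print(scan('{"card": "4111-1111-1111-1111", "note": "Confidential draft"}'))
```

The overlap is what keeps a chunked scanner honest: without it a card number split across a 4096-byte boundary is never matched, which is exactly the kind of gap a scanner tuned for speed tends to have.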

12. Response Forwarding

Proxy re-encrypts response
    ↓
Proxy → curl
← HTTP/1.1 200 OK
← Content-Type: application/json
← {"data": "sensitive info"}

13. curl Displays Output

curl decrypts response
    ↓
Prints headers and body to terminal

Complete Flow: openssl s_client Through Proxy

Command:

openssl s_client -connect api.example.com:443 -proxy proxy.company.com:8080

Step-by-Step Flow:

1-3. Same as curl

DNS resolution → TCP connection → CONNECT request

4. TLS Handshake

openssl → ClientHello

Proxy intercepts:
← ServerHello
← Certificate (fake from proxy)
← ServerHelloDone

5. Certificate Display

openssl prints certificate details:

Certificate chain
 0 s:CN=api.example.com
   i:CN=Corporate Proxy CA
 1 s:CN=Corporate Proxy CA
   i:CN=Corporate Root CA

Server certificate:
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKZ...
-----END CERTIFICATE-----

Subject: CN=api.example.com
Issuer: CN=Corporate Proxy CA
Validity:
    Not Before: Jan 1 00:00:00 2025 GMT
    Not After : Dec 31 23:59:59 2025 GMT
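A parser for the chain and validity text shown above, so the inspection check can be scripted instead of read by eye. This is an added example, not code from the original notes or from the OpenSSL project. SAMPLE_OUTPUT is constructed to match the notes, and the corporate CA names passed to classify() are assumptions.

```python
"""Added example, not part of the original notes: a parser for the
"Certificate chain" and validity text that openssl s_client prints (step 5),
used to tell an inspecting proxy from a direct connection. SAMPLE_OUTPUT is
constructed to match the notes; the corporate CA names are assumptions."""
import re
from datetime import datetime, timezone

CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.M)
VALIDITY_RE = re.compile(r"Not Before:\s*(.+?)\s*$\s*Not After\s*:\s*(.+?)\s*$", re.M)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

SAMPLE_OUTPUT = """\
Certificate chain
 0 s:CN=api.example.com
   i:CN=Corporate Proxy CA
 1 s:CN=Corporate Proxy CA
   i:CN=Corporate Root CA

Server certificate:
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKZ...
-----END CERTIFICATE-----

Subject: CN=api.example.com
Issuer: CN=Corporate Proxy CA
Validity:
    Not Before: Jan 1 00:00:00 2025 GMT
    Not After : Dec 31 23:59:59 2025 GMT
"""


def parse_chain(output):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' block."""
    start = output.find("Certificate chain")
    if start < 0:
        return []
    section = output[start:]
    for marker in ("Server certificate", "\n---"):  # either one ends the block
        end = section.find(marker)
        if end > 0:
            section = section[:end]
    return [(int(d), s.strip(), i.strip()) for d, s, i in CHAIN_RE.findall(section)]


def parse_validity(output):
    """Return (not_before, not_after) as aware UTC datetimes, or None."""
    m = VALIDITY_RE.search(output)
    if not m:
        return None
    fmt = "%b %d %H:%M:%S %Y %Z"
    return tuple(datetime.strptime(v, fmt).replace(tzinfo=timezone.utc) for v in m.groups())


def count_pem_blocks(output):
    """With -showcerts, one PEM block is printed per chain entry."""
    return len(PEM_RE.findall(output))


def classify(chain, expected_host, corporate_cas):
    """Describe what the chain says about the path to expected_host."""
    if not chain:
        return "no certificate chain found"
    _, leaf_subject, _ = chain[0]
    if f"CN={expected_host}" not in leaf_subject.replace(" ", ""):
        return f"leaf subject {leaf_subject!r} is not for {expected_host}"
    names = {i for _, _, i in chain} | {s for _, s, _ in chain[1:]}
    for ca in corporate_cas:
        if any(ca in n for n in names):
            return f"SSL inspection: chain goes through {ca}"
    return "direct: no corporate CA in chain"


def is_valid_at(validity, now):
    not_before, not_after = validity
    return not_before <= now <= not_after


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_OUTPUT)
    print(classify(chain, "api.example.com", ("Corporate Proxy CA", "Corporate Root CA")))
    print(parse_validity(SAMPLE_OUTPUT), count_pem_blocks(SAMPLE_OUTPUT))
```

Newer OpenSSL releases print the names as "CN = api.example.com" with spaces around the equals sign; classify() strips spaces before comparing so both layouts work.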

6. Handshake Completion

openssl completes TLS handshake
    ↓
Shows connection info:

SSL handshake has read 3456 bytes
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit

7. Interactive Mode

openssl waits for input
    ↓
You can type HTTP requests manually:

GET /data HTTP/1.1
Host: api.example.com

(press Enter twice)

8. Connection Stays Open

openssl maintains connection
    ↓
Can send multiple requests
    ↓
Or times out after inactivity

Key Differences: curl vs openssl

Aspect        curl                  openssl s_client
Purpose       Make HTTP requests    Test TLS connections
Automation    Automatic HTTP        Manual (type requests)
Output        HTTP response         Certificate details + TLS info
Use case      API testing           TLS debugging
Stops at      After response        After handshake (waits)

Proxy Failure Scenarios

1. SSL Inspection Failure

TLS handshake starts
    ↓
Proxy can't decrypt/re-encrypt
    ↓
Connection reset
    ↓
curl: (35) SSL connect error

2. Policy Check Block

Request decrypted
    ↓
Domain in blocklist
    ↓
Proxy returns: HTTP/1.1 403 Forbidden
    ↓
curl: (22) The requested URL returned error: 403 (exit code 22 only when curl runs with -f/--fail; otherwise it prints the proxy's 403 body and exits 0)

3. DLP Scan Timeout

Response received from server
    ↓
DLP scan takes >5 seconds
    ↓
Proxy drops connection
    ↓
curl: (18) transfer closed with outstanding read data remaining

4. Certificate Validation Failure

Proxy presents fake certificate
    ↓
curl doesn't trust proxy CA
    ↓
curl: (60) SSL certificate problem: unable to get local issuer certificate

Technical Terms

  • CONNECT method: HTTP method to establish tunnel through proxy
  • SSL Inspection: Proxy decrypts HTTPS traffic to inspect content
  • MITM (Man-In-The-Middle): Proxy intercepts and decrypts TLS connections
  • Fake certificate: Certificate generated by proxy pretending to be target server
  • Policy check: Proxy examines request against security rules
  • DLP (Data Loss Prevention): Scanning response for sensitive data
  • Certificate chain: Sequence of certificates from server to root CA
  • TLS handshake: Process of establishing encrypted connection
  • ClientHello: First message in TLS handshake from client
  • ServerHello: Server’s response in TLS handshake

Debugging Tips

Check if proxy has SSL inspection:

curl -v -x http://proxy:8080 https://google.com 2>&1 | grep "issuer"

# With SSL inspection:
# issuer: CN=Corporate Proxy CA

# Without SSL inspection:
# issuer: CN=Google Trust Services

Test proxy connectivity:

# Test CONNECT tunnel
curl -v -x http://proxy:8080 https://example.com

# Check certificate chain
openssl s_client -connect example.com:443 -proxy proxy:8080 -showcerts

Bypass certificate validation (testing only):

curl -k -x http://proxy:8080 https://example.com
# -k = insecure, skips certificate validation
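The same tunnel and issuer check done programmatically, covering the CONNECT exchange of step 3, the certificate validation of step 4 and the "check if proxy has SSL inspection" tip above. This is an added example, not code from the original notes or from curl/OpenSSL; the proxy, target and CA names are assumptions, and only probe() touches the network.

```python
"""Added example, not part of the original notes: the CONNECT exchange of
step 3 and the "is the proxy inspecting?" check from the debugging tips, done
with Python's socket and ssl modules instead of curl. The proxy, host and CA
names are assumptions; only probe() touches the network and nothing here
calls it except the __main__ block."""
import socket
import ssl


def build_connect_request(host, port, user_agent="python-probe/0.1"):
    """The tunnel request of step 3 (curl also puts the port in the Host header)."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        f"User-Agent: {user_agent}\r\n"
        "Proxy-Connection: Keep-Alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(data):
    """Check the proxy's status line; only 200 means the tunnel is open."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    code = int(parts[1])
    if code != 200:
        # e.g. a 403 from the proxy's policy check, or 407 asking for proxy auth
        raise ConnectionError(f"proxy refused tunnel: {status_line}")
    return code, rest  # rest is anything after the headers (empty for a clean 200)


def read_headers(sock, limit=65536):
    """Read from the proxy until the end of its response headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
        if len(buf) > limit:
            raise ValueError("proxy response headers too large")
    return buf


def issuer_cn(cert):
    """Issuer CN from the dict that ssl.SSLSocket.getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify_issuer(cn, corporate_ca_cns):
    if cn is None:
        return "undetermined: no issuer CN in certificate"
    if cn in corporate_ca_cns:
        return f"SSL inspection: certificate issued by {cn}"
    return f"no inspection visible: certificate issued by {cn}"


def probe(proxy_host, proxy_port, target_host, cafile=None,
          corporate_ca_cns=("Corporate Proxy CA",)):
    """Steps 1-5 end to end: tunnel, then TLS validated against cafile (or the system store)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as raw:
        raw.sendall(build_connect_request(target_host, 443))
        parse_connect_response(read_headers(raw))
        # Step 4: if the proxy CA is not trusted this raises
        # ssl.SSLCertVerificationError, the failure curl reports as (60).
        with ctx.wrap_socket(raw, server_hostname=target_host) as tls:
            return classify_issuer(issuer_cn(tls.getpeercert()), corporate_ca_cns)


if __name__ == "__main__":
    # Assumed names and an assumed CA bundle path; point them at your own proxy.
    print(probe("proxy.company.com", 8080, "api.example.com",
                cafile="/path/to/corporate-ca.pem"))
```

Unlike the -k tip, this keeps certificate validation on and instead supplies the corporate CA via cafile, which is the setting curl's --cacert gives you; a validation failure then tells you the CA is missing rather than being silently hidden.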

Notes

  • Corporate proxies require the proxy CA certificate to be installed on your machine
  • Without the proxy CA, every HTTPS request through the proxy fails with a certificate error
  • Proxy can read all HTTPS traffic when SSL inspection is enabled
  • DLP scans can cause timeouts for large responses
  • Policy checks happen before request reaches target server
  • CONNECT method works over plain HTTP connection to proxy
  • Proxy maintains two separate TLS connections (client and server)