TLS and mTLS Basics

Cryptographic Fundamentals

Key Pair (Public Key + Private Key)
The foundation of TLS. Generated together mathematically.

    # Generate key pair
    openssl genrsa -out private.key 2048
    openssl rsa -in private.key -pubout -out public.key

What they do:
    Encrypt with public key → Only private key can decrypt
    Sign with private key → Anyone with public key can verify

Certificate (X.509)
A certificate = public key + identity information + signature from CA.

Certificate Contents:
    Subject:    CN=api.example.com, O=MyCompany   ← Who this is
    Issuer:     CN=DigiCert CA                    ← Who signed it
    Valid From: 2026-01-01
    Valid To:   2027-01-01
    Public Key: MIIBIjANBgkqhkiG9w0BAQEFA...      ← Embedded
    Signature:  a7f3b2c1d4e5f6...                 ← CA's stamp

Certificate is NOT secret - it contains public key and can be shared freely. ...

January 2, 2026 · 8 min · Ren Nishino

curl and openssl Flow Through Corporate Proxy with SSL Inspection

What is Corporate Proxy with SSL Inspection?
Corporate proxies intercept HTTPS traffic to inspect content for security and compliance. This is called SSL Inspection or MITM (Man-In-The-Middle).

Complete Flow: curl Through Proxy

Command:
    curl -v -x http://proxy.company.com:8080 https://api.example.com/data

Step-by-Step Flow:

1. DNS Resolution
   curl resolves proxy hostname
   ↓ DNS: proxy.company.com → 192.168.1.100

2. TCP Connection to Proxy
   curl → proxy:8080
   ↓ TCP handshake: SYN, SYN-ACK, ACK
   ↓ Connection established

3. CONNECT Request (HTTP Tunnel)
   curl sends:
   → CONNECT api.example.com:443 HTTP/1.1
   → Host: api.example.com
   → User-Agent: curl/8.0.0
   → Proxy-Connection: Keep-Alive
   Proxy responds:
   ← HTTP/1.1 200 Connection established

Key point: CONNECT doesn't create a new TCP connection - it repurposes the existing connection as a tunnel. ...

November 28, 2025 · 5 min · Ren Nishino