Artica proxy provides a set of Access Control Lists (ACLs) that allow administrators to take actions based on SSL certificate validation results when using SSL MAN-IN-THE-MIDDLE for HTTPS inspection.
These ACLs allow you to block or allow access depending on specific certificate problems detected during SSL handshake.This feature is available on Artica v4.50 Service Pack 5 or Artica v4.50 Service Pack 4 Hotfix 20250716-12
- On the left menu, go to
Your Proxy > SSL ProtocolandCertificate validationtab - This section is used to control how Proxy handles certificate validation errors during HTTPS interception
When the Proxy acts as a man-in-the-middle proxy, it connects to the destination HTTPS server, validates its certificate, and generates a new one for the client.
If the certificate is invalid (expired, self-signed, wrong hostname, etc.), the proxy must decide what to do.
You can create rules with two possible behaviors:
- Deny Access: If the certificate is non-compliant, the proxy will block access to the website.
- Allow Access: The proxy will ignore the error, re-sign the certificate, and present it to the browser.
This alters the compliance, but the browser will accept the proxy's certificate.
¶ Specific Certificate Error ACL object
When using these rules, a new ACL object named Certificate Error becomes available in the list of available objects.
Refer to this article for guidance on how to use this object.
¶ Test your proxy Certificate validation rules
The website https://badssl.com is a test site for checking TLS/SSL clients' behavior under a variety of incorrect or non-compliant SSL configurations.
It is primarily used by developers, system administrators, and security researchers to:
- Test how browsers, proxies, or applications handle different SSL/TLS certificate errors.
- Diagnose issues with certificate validation, cipher support, hostname mismatches, self-signed certificates, and more.
- Ensure your Artica Proxy Certificate validation rules correctly handle HTTPS traffic under edge cases.
¶
Examples of what you can test:
- Expired certificates:
https://expired.badssl.com/ - Self-signed certs:
https://self-signed.badssl.com/ - Wrong hostname:
https://wrong.host.badssl.com/ - Insecure ciphers or TLS versions:
https://rc4.badssl.com/
Each subdomain is configured with a specific SSL/TLS error or configuration for testing purposes.
It’s a safe and intentional testing environment, and it’s widely trusted by the developer and security community.