by dogma1138
2665 days ago
Again, you do not trust your clients in this threat model because you can't. It's simple: a client makes an external TCP connection; if that connection uses TLS then it's MITMed on the network level and captured. This happens to all connections. If the client does not accept the handshake, because for example the CA for the MITM box isn't trusted or the client uses certificate pinning, the client can simply refuse to proceed with the connection. If the connection cannot be captured and inspected for any reason, it's simply terminated and the attempt is logged for future investigation. There is no reason to break TLS on the client or compromise the browser; it's worse in every way and cannot be trusted.