thanks for your answer
I think the client expects a certificate from the side you want to open, for example GMX. GMX certificate is at an online certificate server, so your browser knows this certificate. Does the browser get the difference between the fake and the original?
Why does it work with full decryption with ssl-bump?