System and method for geofencing
US-10116697-B2 · Oct 30, 2018 · US
US10367906B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10367906-B2 |
| Application number | US-201515544779-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 2, 2015 |
| Priority date | Feb 2, 2015 |
| Publication date | Jul 30, 2019 |
| Grant date | Jul 30, 2019 |
Official abstract text for this publication.
According to one aspect, the teachings herein disclose a method and apparatus for providing content over a secure connection to a subscriber device, where the content is advantageously securely delivered from a cache local to the telecommunication network. Such operation is based on intercepting a secure connection request from the subscriber device and establishing a corresponding secure session between the subscriber device and a local network data center, rather than the remote content provider targeted by the request.
Opening claim text (preview).
What is claimed is:

1. A method of providing content over a secure connection to a subscriber device of a telecommunication network comprising: receiving a secure connection request from the subscriber device, said secure connection request being received at a first communication interface of a network data center that is internal to the telecommunication network and being directed to an external network address associated with an external content provider that is external to the telecommunication network; determining whether or not the external content provider is registered for secure-content caching in the network data center; and responsive to determining that the external content provider is registered: establishing a secure session between the network data center and the subscriber device, including establishing a session key for encrypting communications over the secure session; determining whether the content targeted by the secure connection request is available from a content cache of the network data center; responsive to determining that the content targeted by the secure connection request is available from the content cache, delivering the content targeted by the secure connection request from the content cache to the subscriber device using the secure session; and responsive to determining that the content targeted by the secure connection request is not available from the content cache: initiating a takeover of the secure session by the external content provider by forwarding session information towards the external content provider via a second communication interface of the network data center, said session information including the session key, a network address of the subscriber device, and identification of the content targeted by the secure connection request; and instructing the telecommunication network to forward all subsequent session messages from the subscriber device for the secure session towards the external content provider rather than towards the network data center.

2. The method of claim 1, wherein receiving the secure connection request from the subscriber device comprises receiving the secure connection request as forwarded from a serving packet gateway of the telecommunication network, and wherein the network data center communicates with the serving packet gateway via the first communication interface.

3. The method of claim 2, wherein instructing the telecommunication network to forward all subsequent session messages from the subscriber device for the secure session towards the external content provider rather than towards the network data center comprises sending control signaling to the serving packet gateway via the first communication interface.

4. The method of claim 1, wherein the external content provider comprises an external content delivery network that is accessible via one or more external packet data networks, and wherein initiating the takeover of the secure session by the external content provider comprises initiating a communication with the external content delivery network via the second communication interface.

5. The method of claim 1, wherein initiating the takeover of the secure session by the external content provider comprises transferring a protocol endpoint established at the network data center for the secure session to the external content provider.

6. The method of claim 5, wherein transferring the protocol endpoint comprises performing a Transfer Control Protocol Connection Passing, TCPCP, operation, to pass a TCP endpoint from the network data center to the external content provider, or transferring a Transport Layer Security, TLS, protocol endpoint from the network data center to the external content provider.

7. The method of claim 1, wherein determining whether or not the external content provider is registered for secure-content caching in the network data center comprises accessing a registration data store in the network data center to determine whether the registration data store contains registration information corresponding to domain name information conveyed in the secure connection request.

8. The method of claim 1, wherein determining whether the content targeted by the secure connection request is available from the content cache of the network data center comprises accessing a content-listing data store in the network data center to determine whether the content-listing data store contains listing information corresponding to a content identifier conveyed in the secure connection request.

9. A network data center configured for operation in a telecommunication network and further configured for providing content over a secure connection to a subscriber device of the telecommunication network, said network data center comprising at least one network node that comprises: a first communication interface configured to receive a secure connection request from the subscriber device, said secure connection request being directed to an external network address associated with an external content provider that is external to the telecommunication network; and processing circuitry configured to determine whether or not the external content provider is registered for secure-content caching in the network data center; and responsive to determining that the external content provider is registered: establish a secure session between the network data center and the subscriber device, including establishing a session key for encrypting communications over the secure session; determine whether the content targeted by the secure connection request is available from a content cache of the network data center; responsive to determining that the content targeted by the secure connection request is available from the content cache, deliver the content targeted by the secure connection request from the content cache to the subscriber device using the secure session; and responsive to determining that the content targeted by the secure connection request is not available from the content cache: initiate a takeover of the secure session by the external content provider by forwarding session information towards the external content provider via a second communication interface of the network data center, said session information including the session key, a network address of the subscriber device, and identification of the content targeted by the secure connection request; and instruct the telecommunication network to forward all subsequent session messages from the subscriber device for the secure session towards the external content provider rather than towards the network data center.

10. The network data center of claim 9, wherein the first communication interface is configured to receive the secure connection request as forwarded from a serving packet gateway of the telecommunication network.

11. The network data center of claim 10, wherein the processing circuitry is configured to instruct the telecommunication network to forward all subsequent session messages from the subscriber device for the secure session towards the external content provider by sending control signaling to the serving packet gateway via the first communication interface.

12. The network data center of claim 9, wherein the external content provider comprises an external content delivery network that is accessible via one or more external packet data networks, and wherein the processing circuitry is configured to initiate the takeover of the secure session by the external content provider by initiating a communication with the external content delivery network via the second communication interface.

13.
Connection setup · CPC title
Electricity · mapped topic
Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use · CPC title
Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP] · CPC title
intercepting packet switched data communications, e.g. Web, Internet or IMS communications · CPC title