The HTTPS scanning process ensures that SSL-secured web traffic can be processed and made available to other filtering functions. As an administrator, you can use several configuration items to modify this process.
HTTPS scanning rules
The rules that control HTTPS scanning are usually contained in one rule set that has several nested rule sets. Each of the nested rule sets controls a particular function of the process:
- Handle the CONNECT call — There is a rule set with rules for handling the CONNECT call, which is sent at the beginning of SSL-secured communication under the HTTPS protocol.
- Verify certificates — There are rule sets for verifying certificates that are submitted by clients and servers in SSL-secured communication, for example, by verifying the common names in these certificates.
This part of the process allows verification for both explicit proxy and transparent setups.
- Enable content inspection — Another rule set contains rules for enabling the inspection of content that is transferred in SSL-secured communication.
To find out whether an object is infected, the rule calls the Anti-Malware module, which scans the object and returns the result to the rule.
Whitelisting rules can be placed and processed in this rule set before the blocking rule. If any of them applies, the blocking rule is skipped and the whitelisted objects are not scanned.
You can review the rules that are implemented on the appliance for HTTPS scanning, modify or delete them, and also create your own rules.
When the default rule set system is implemented, a rule set for HTTPS scanning is included. Its name is HTTPS Scanning. However, the rule set is not enabled initially.
Whitelists and other lists for HTTPS scanning
Whitelists are used by the HTTPS scanning rules to let web objects skip parts of the process. For example, a certificate whitelist exempts certificates from undergoing verification.
Other lists used in HTTPS scanning contain, for example, the port numbers that are allowed in CONNECT calls if these calls are to be accepted, or the servers that require a special kind of certificate verification because a particular method of exchanging keys cannot be applied to them.
You can add entries to these lists or remove entries. You can also create your own lists and let them be used by the SSL scanning rules.
Modules for HTTPS scanning
The following modules (also known as engines) are called by the HTTPS scanning rules to perform different parts of the SSL scanning process:
- SSL Scanner — Handles certificate verification or the enabling of content inspection, depending on the settings it runs with.
Accordingly, the module is called by the rules for certificate verification and content inspection with different settings.
- Modules for setting the client context — Handle the submitting of a certificate for the appliance to the clients that send requests to it in SSL-secured communication.
When this certificate is submitted, the Certificate Authority (CA) that issued the certificate can be sent with it or not. Accordingly, there is a module for submitting a certificate with and another module for submitting a certificate without its certificate authority.
The HTTPS Scanning (SSL Scanner) rule set of the default system uses the method of submitting a certificate with its certificate authority.
Best practice: Replace the default certificate authority that is provided for use after the initial setup with a certificate authority of your own for further use.
- Certificate Chain — Handles the building of a certificate chain.
When building the chain, the module uses a list of certificate authorities for the certificates that are included in the chain. You can add certificate authorities to existing lists and also add new lists.
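The following script is an added example and is not code from the appliance or its vendor. It models, in plain Python with constructed data, the three nested rule sets described under "HTTPS scanning rules" (handling the CONNECT call against an allowed-port list, verifying the common name and building the certificate chain from a CA list, and only then enabling content inspection) together with the certificate whitelist described under "Whitelists and other lists". The certificate, CA list, port list and whitelist entries are all constructed here; the rule order and the early exit on a whitelist hit are the points worth observing.

```python
"""Toy model of a nested HTTPS scanning rule set (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Certificate:
    """Minimal certificate view: subject common name, issuer common name, SANs."""
    subject: str
    issuer: str
    sans: tuple = ()


# Constructed CA list: the chain builder looks issuers up here by common name.
CA_LIST = {
    "Example Root CA": Certificate("Example Root CA", "Example Root CA"),
    "Example Intermediate CA": Certificate("Example Intermediate CA", "Example Root CA"),
}

# Constructed lists of the kind the rule sets consult.
ALLOWED_CONNECT_PORTS = {443, 8443}
CERTIFICATE_WHITELIST = {"legacy.example.internal"}  # hosts whose certificates skip verification


def handle_connect(port: int, allowed_ports=ALLOWED_CONNECT_PORTS) -> bool:
    """Rule set 1: accept the CONNECT call only if its port is on the allowed list."""
    return port in allowed_ports


def build_chain(leaf: Certificate, ca_list=CA_LIST, max_depth: int = 5) -> Optional[list]:
    """Walk issuer links through the CA list until a self-signed root is reached.

    Returns the chain (leaf first) or None if an issuer is missing from every CA list.
    """
    chain = [leaf]
    current = leaf
    for _ in range(max_depth):
        if current.subject == current.issuer:
            return chain  # self-signed root reached: chain complete
        issuer = ca_list.get(current.issuer)
        if issuer is None:
            return None  # issuer unknown: chain cannot be built
        chain.append(issuer)
        current = issuer
    return None  # chain too long; treat as not buildable


def common_name_matches(cert: Certificate, requested_host: str) -> bool:
    """Match the requested host against the subject CN and SANs (single-label wildcards only)."""
    for name in (cert.subject,) + tuple(cert.sans):
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            prefix = requested_host[: -len(suffix)] if requested_host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
        elif name == requested_host:
            return True
    return False


def verify_certificate(cert: Certificate, requested_host: str,
                       ca_list=CA_LIST, whitelist=CERTIFICATE_WHITELIST) -> str:
    """Rule set 2: whitelisted hosts skip verification; others need a name match and a chain."""
    if requested_host in whitelist:
        return "whitelisted"
    if not common_name_matches(cert, requested_host):
        return "block: common name mismatch"
    if build_chain(cert, ca_list) is None:
        return "block: untrusted chain"
    return "verified"


def scan_request(host: str, port: int, cert: Certificate) -> dict:
    """Run the nested rule sets in order; content inspection is enabled only after verification."""
    if not handle_connect(port):
        return {"connect": "blocked", "certificate": None, "inspect": False}
    outcome = verify_certificate(cert, host)
    inspect = outcome in ("verified", "whitelisted")  # rule set 3 runs only on these outcomes
    return {"connect": "accepted", "certificate": outcome, "inspect": inspect}


if __name__ == "__main__":
    good = Certificate("www.example.com", "Example Intermediate CA", ("*.example.com",))
    print(scan_request("www.example.com", 443, good))
    print(scan_request("www.example.com", 25, good))
```

Running the module prints one decision per request. The CONNECT check comes first so that a disallowed port never reaches certificate handling, and a whitelist hit returns before the chain is built, which is exactly why a whitelist entry should be treated as a deliberate exemption rather than a convenience.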