Complete rules of the HTTPS Scanning rule set

When working with the complete rules of the HTTPS Scanning rule set, all rules and rule elements of this rule set can be viewed and configured.

Default rule set — HTTPS Scanning
Criteria — Always
Cycles — Requests (and IM)
This rule set is part of the default rule set system, but not enabled by default.
The following rule sets are nested in this rule set:
  • Handle CONNECT Call
  • Certificate Verification
    • Verify Signature Algorithms
    • Verify Common Name (Proxy Setup)
  • Content Inspection
  • Verify Common Name (Transparent Setup)

Handle CONNECT Call

This nested rule set handles the CONNECT call in SSL-secured communication and enables certificate verification.

Nested library rule set — Handle CONNECT Call
Criteria — Command.Name equals “CONNECT”
Cycles — Requests (and IM)

The rule set criteria specifies that the rule set applies when a request is received on the appliance that contains the CONNECT command, which is sent in the opening phase of SSL-secured communication.

The rule set contains the following rules:

Set client context
Always –> Continue — Enable SSL Client Context with CA <Default CA>
The rule enables the SSL client context, which the appliance uses to generate the server certificate it presents to the client in place of the original server's certificate.
The event settings specify the McAfee Web Gateway root certificate authority (CA), which is implemented on the appliance after the initial setup, as the default issuer of this certificate.
The Continue action lets processing continue with the next rule.
Tunneled hosts
URL.Host is in list SSL Host Tunnel List –> Stop Cycle
The rule lets requests for hosts on the SSL Host Tunnel List skip HTTPS scanning; the connection is tunneled as is. Because the cycle stops here, no certificate verification and no content inspection is performed for these hosts, so the list should be kept short and reviewed regularly.
Restrict destination ports to Allowed CONNECT Ports
URL.Port is not in list Allowed Connect Ports –> Block<Connect not allowed>
The rule blocks requests with destination ports that are not on the list of allowed CONNECT ports.
The action settings specify a message to the requesting user.
Enable certificate verification without EDH for hosts in no-EDH server list
URL.Host is in list No-EDH server –> Stop Rule Set — Enable SSL Scanner<Certificate Verification without edh>
The rule enables certificate verification for requests sent to a host on the No-EDH server list, which holds servers that do not support the Ephemeral Diffie-Hellman (EDH) key exchange.
The event settings specify that the SSL Scanner module runs in verification mode and uses a special cipher string without EDH ciphers for the connection to these hosts.
Enable certificate verification
Always –> Stop Rule Set — Enable SSL Scanner<Default certificate verification>
The rule enables certificate verification.
The event settings specify that the SSL Scanner module runs in verification mode.

Certificate Verification

This nested rule set handles the CERTVERIFY call in SSL-secured communication. It lets whitelisted certificates skip verification and blocks others according to particular criteria.

Nested library rule set — Certificate Verification
Criteria — Command.Name equals “CERTVERIFY”
Cycles — Requests (and IM)

The rule criteria specifies that the rule set applies if a request is received on the appliance that contains the CERTVERIFY command, which is sent to request the verification of a certificate.

The following rule sets are nested in this rule set:

  • Verify Signature Algorithms
  • Verify Common Name (Proxy Setup)

The rule set contains the following rules:

Skip verification for certificates found in Certificate Whitelist
SSL.Server.Certificate.HostAndCertificate is in list Certificate Whitelist –> Stop Rule Set
The rule lets whitelisted certificates skip verification.
Block self-signed certificates
SSL.Server.Certificate.SelfSigned equals true –> Block <Certificate incident>
The rule blocks requests with self-signed certificates.
The action settings specify a message to the requesting user.
Block expired server (7 day tolerance) and expired CA certificates
SSL.Server.Certificate.DaysExpired greater than 7 OR SSL.Server.CertificateChain.ContainsExpiredCA<Default> equals true –> Block <Certificate incident>
The rule blocks requests with expired server and CA certificates.
The action settings specify a message to the requesting user.
Block too long certificate chains
SSL.Server.CertificateChain.PathLengthExceeded<Default> equals true –> Block <Certificate incident>
The rule blocks a certificate chain if it is longer than the permitted path length.
The settings in the property specify a list for the module that checks the certificate authorities.
The action settings specify a message to the requesting user.
Block revoked certificates
SSL.Server.CertificateChain.ContainsRevoked<Default> equals true –> Block <Certificate incident>
The rule blocks a certificate chain if one of the included certificates has been revoked.
The settings in the property specify a list for the module that checks the certificate authorities.
The action settings specify a message to the requesting user.
Paranoid Certificate Chain Verification
SSL.Server.CertificateChain.AllRevocationStatusesKnown<Default> equals false OR SSL.Server.CertificateChain.IsComplete<Default> equals false –> Block <Certificate incident>
The rule blocks a certificate chain if the revocation status of at least one certificate is unknown or if the certificate chain is incomplete.
The settings in the property specify a list for the module that checks the certificate authorities.
The action settings specify a message to the requesting user.
Block unknown certificate authorities
SSL.Server.CertificateChain.FoundKnownCA<Default> equals false –> Block <Certificate incident>
The rule blocks a certificate chain if none of the certificate authorities (CAs) issuing the included certificates is a known CA.
The settings in the property specify a list for the module that checks the certificate authorities.
The action settings specify a message to the requesting user.
Block untrusted certificate authorities
SSL.Server.FirstKnownCAIsTrusted<Default> equals false –> Block <Certificate incident>
The rule blocks a certificate chain if the first known CA that was found is not trusted.
The settings in the property specify a list for the module that checks the certificate authorities.
The action settings specify a message to the requesting user.

Verify Signature Algorithms

This nested rule set verifies the algorithms that are used in creating signatures for certificates.

Nested library rule set – Verify Signature Algorithms
Criteria – Always
Cycles – Requests (and IM)

The rule criteria specifies that the rule set applies for all requests that are received.

The rule set contains the following rules:

Verify signature algorithms
SSL.Server.Certificate.SignatureMethod is in list Safe Signature Algorithms AND SSL.Server.CertificateChain.SignatureMethods<Default> is in list Safe Signature Algorithms –> Stop Rule Set
The rule uses the SSL.Server.Certificate.SignatureMethod and SSL.Server.CertificateChain.SignatureMethods properties to check that the signature algorithm of the server certificate and the signature algorithms of the certificates in its chain are all on the Safe Signature Algorithms list, which the rule criteria refers to twice.
If all signature algorithms are on this list, processing of the rule set stops, so the blocking rule that follows this rule is not processed anymore.
Block unsafe signature algorithms
Always –> Block <Certificate incident>
The rule blocks any request that was not stopped by the preceding rule. This means that blocking occurs whenever at least one signature algorithm in the server certificate or its chain is not on the Safe Signature Algorithms list.
The action settings specify a message to the requesting user.
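The rules above form an ordered first-match list, and two details of the engine are easy to miss when reading them one rule at a time: a Stop Rule Set at the top of Certificate Verification (the whitelist rule) ends the whole rule set, so nothing after it is evaluated, the nested Verify Signature Algorithms rule set included; and the expiry rule tolerates up to seven days past the certificate's notAfter date. The following Python script is an added example, not code from the appliance or its documentation: it models the Certificate Verification rules and the nested Verify Signature Algorithms rule set over constructed certificate chains. The certificate fields, the list contents, the path length limit of 3 and the position of the nested rule set after the parent's own rules are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Cert:
    """Constructed stand-in for a parsed certificate: only the fields the rule criteria read."""
    subject: str
    issuer: str
    not_after: date
    signature_method: str
    revocation_status: str = "good"   # "good", "revoked" or "unknown" (no CRL/OCSP answer)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

@dataclass
class Request:
    """What a CERTVERIFY call carries into the rules: requested host, server chain (leaf first), date."""
    host: str
    chain: list
    today: date

# Assumed list contents and settings; the appliance reads these from its configured lists.
CERTIFICATE_WHITELIST = {("legacy.example.internal", "legacy.example.internal")}  # (host, subject) pairs
KNOWN_CAS = {"Example Root CA", "Example Intermediate CA", "Known But Untrusted CA"}
TRUSTED_CAS = {"Example Root CA", "Example Intermediate CA"}
SAFE_SIGNATURE_ALGORITHMS = {"sha256WithRSAEncryption", "sha384WithRSAEncryption", "ecdsa-with-SHA256"}
MAX_PATH_LENGTH = 3               # assumed value behind the <Default> settings
EXPIRY_TOLERANCE_DAYS = 7         # the "7 day tolerance" in the rule name
STOP, BLOCK = "stop", "block"     # Stop Rule Set / Block <Certificate incident>

# The chain properties the rule criteria refer to, computed over the modelled chain.
def days_expired(r): return (r.today - r.chain[0].not_after).days
def contains_expired_ca(r): return any(c.not_after < r.today for c in r.chain[1:])
def path_length_exceeded(r): return len(r.chain) > MAX_PATH_LENGTH
def contains_revoked(r): return any(c.revocation_status == "revoked" for c in r.chain)
def all_revocation_statuses_known(r): return all(c.revocation_status != "unknown" for c in r.chain)
def is_complete(r): return r.chain[-1].self_signed   # the chain ends in a root
def found_known_ca(r): return any(c.issuer in KNOWN_CAS for c in r.chain)
def signature_methods_safe(r): return all(c.signature_method in SAFE_SIGNATURE_ALGORITHMS for c in r.chain)
def first_known_ca_is_trusted(r):
    known = [c.issuer for c in r.chain if c.issuer in KNOWN_CAS]   # ordered leaf towards root
    return bool(known) and known[0] in TRUSTED_CAS

CERTIFICATE_VERIFICATION = [   # (rule name, criterion, action), in the page's order
    ("Skip verification for certificates found in Certificate Whitelist",
     lambda r: (r.host, r.chain[0].subject) in CERTIFICATE_WHITELIST, STOP),
    ("Block self-signed certificates", lambda r: r.chain[0].self_signed, BLOCK),
    ("Block expired server (7 day tolerance) and expired CA certificates",
     lambda r: days_expired(r) > EXPIRY_TOLERANCE_DAYS or contains_expired_ca(r), BLOCK),
    ("Block too long certificate chains", path_length_exceeded, BLOCK),
    ("Block revoked certificates", contains_revoked, BLOCK),
    ("Paranoid Certificate Chain Verification",
     lambda r: not all_revocation_statuses_known(r) or not is_complete(r), BLOCK),
    ("Block unknown certificate authorities", lambda r: not found_known_ca(r), BLOCK),
    ("Block untrusted certificate authorities", lambda r: not first_known_ca_is_trusted(r), BLOCK),
]
VERIFY_SIGNATURE_ALGORITHMS = [
    ("Verify signature algorithms", signature_methods_safe, STOP),
    ("Block unsafe signature algorithms", lambda r: True, BLOCK),
]

def run_rule_set(rules, r):   # the first rule whose criterion holds decides
    for name, criterion, action in rules:
        if criterion(r):
            return action, name
    return None, None

def verify(r: Request) -> str:
    """Certificate Verification with Verify Signature Algorithms nested after the parent's own rules
    (assumed position); a Stop Rule Set at the top level ends the whole set, nested set included."""
    action, name = run_rule_set(CERTIFICATE_VERIFICATION, r)
    if action == BLOCK:
        return f"block: {name}"
    if action == STOP:
        return "allow: whitelisted"
    action, name = run_rule_set(VERIFY_SIGNATURE_ALGORITHMS, r)
    return "allow" if action == STOP else f"block: {name}"

# Constructed sample chains, each built to trip one rule.
TODAY, SHA256, SHA1 = date(2024, 6, 1), "sha256WithRSAEncryption", "sha1WithRSAEncryption"
ROOT = Cert("Example Root CA", "Example Root CA", date(2035, 1, 1), SHA256)
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", date(2030, 1, 1), SHA256)
def ca(name): return Cert(name, name, date(2030, 1, 1), SHA256)   # a self-signed root by that name
def leaf(not_after=date(2025, 1, 1), sig=SHA256, status="good", issuer="Example Intermediate CA"):
    return Cert("www.example.com", issuer, not_after, sig, status)
def req(chain, host="www.example.com"): return Request(host, chain, TODAY)

SAMPLES = {
    "valid": req([leaf(), INTERMEDIATE, ROOT]),
    "expired 5 days": req([leaf(TODAY - timedelta(days=5)), INTERMEDIATE, ROOT]),
    "expired 8 days": req([leaf(TODAY - timedelta(days=8)), INTERMEDIATE, ROOT]),
    "self-signed": req([ca("www.example.com")]),
    "whitelisted": req([Cert("legacy.example.internal", "legacy.example.internal", date(2025, 1, 1), SHA1)], host="legacy.example.internal"),
    "sha1 leaf": req([leaf(sig=SHA1), INTERMEDIATE, ROOT]),
    "ocsp unknown": req([leaf(status="unknown"), INTERMEDIATE, ROOT]),
    "unknown ca": req([leaf(issuer="Random CA"), ca("Random CA")]),
    "untrusted ca": req([leaf(issuer="Known But Untrusted CA"), ca("Known But Untrusted CA")]),
}
```

Calling `verify(SAMPLES["whitelisted"])` returns an allow verdict although that certificate is self-signed and signed with SHA-1, because the whitelist rule stops the rule set before any blocking rule and before the nested signature check runs; the same chain without the whitelist entry is blocked as self-signed. The "expired 5 days" chain is allowed and the "expired 8 days" chain is blocked, which is the tolerance the rule name announces.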

Verify Common Name (Proxy Setup)

This nested rule set verifies the common name in a certificate. It applies to requests sent in explicit proxy mode.

Nested library rule set — Verify Common Name (Proxy Setup)
Criteria — Connection.SSL.TransparentCNHandling equals false
Cycles — Requests (and IM)

The rule criteria specifies that the rule set applies if a request is received on a connection used in SSL-secured communication and verification of the common name is not performed in transparent mode.

The rule set contains the following rules:

Allow matching hostname
URL.Host equals Certificate.SSL.CN –> Stop Rule Set
The rule allows a request if the URL of the requested host is the same as the common name in the certificate.
Allow wildcard certificates
Certificate.SSL.CN.HasWildcards equals true AND URL.Host matches Certificate.SSL.CN.ToRegex(Certificate.SSL.CN) –> Stop Rule Set
The rule allows requests to hosts sending certificates that have wildcards in their common names matching the URLs of the hosts.
To verify that a common name containing wildcards matches a host, this name is converted into a regular expression.
Allow alternative common names
URL.Host is in list Certificate.SSL.AlternativeCNs –> Stop Rule Set
The rule allows requests to hosts with alternative common names in their certificates if the host matches at least one of them.
Block incident
Always –> Block <Common name mismatch>
If any of the rules for allowing matching common names applies, processing of the rule set stops and this rule is not processed. Otherwise, requests are blocked by this rule because it is then a common name mismatch.
The action settings specify a message to the requesting user.

Content Inspection

This nested rule set completes the handling of a CERTVERIFY call. It lets some requests skip content inspection according to particular criteria and enables inspection for all others.

Nested library rule set — Content Inspection
Criteria — Command.Name equals “CERTVERIFY”
Cycles — Requests (and IM)

The rule criteria specifies that the rule set applies if a request is received on the appliance that contains the CERTVERIFY command, which is sent to request the verification of a certificate.

The rule set contains the following rules:

Skip content inspection for hosts found in SSL Inspection Whitelist
Connection.SSL.Transparent equals false AND URL.Host matches in list SSL Inspection Whitelist –> Stop Rule Set
The rule lets requests sent to whitelisted hosts skip content inspection. It applies only in non-transparent mode.
Skip content inspection for CN found in SSL Inspection Whitelist
Connection.SSL.Transparent equals true AND Certificate.SSL.CN matches in list SSL Inspection Whitelist –> Stop Rule Set
The rule lets requests with whitelisted common names in their certificates skip content inspection. It applies only in transparent mode.
The rule is not enabled initially.
Do not inspect connections with client certificates
Connection.Client.CertificateIsRequested equals true –> Stop Rule Set
The rule lets requests skip inspection if they require the use of client certificates.
The rule is not enabled initially.
Enable content inspection
Always –> Continue — Enable SSL Scanner<Enable content inspection>
The rule enables content inspection.
The event settings specify that the SSL Scanner module runs in inspection mode.
If any of the rules for skipping content inspection applies, processing of the rule set stops and this last rule, which enables the inspection, is not processed. Otherwise, content inspection is enabled by this rule.

Verify Common Name (Transparent Setup)

This nested rule set verifies the common name in a certificate. It applies only to requests sent in transparent mode.

With requests sent in explicit proxy mode, the host name that is compared to the common name is taken from the CONNECT request that a client sends.

As in transparent mode no CONNECT request is sent, the host name is taken from the request for web access that a client sends.

Nested library rule set — Verify Common Name (Transparent Setup)
Criteria — Connection.SSL.TransparentCNHandling equals true AND Command.Name does not equal “CONNECT” AND Command.Name does not equal “CERTVERIFY”
Cycles — Requests (and IM)

The rule criteria specifies that the rule set applies if a request is received on a connection used in SSL-secured communication and verification of the common name is performed in transparent mode.

The rule set contains the following rules:

Allow matching hostname
URL.Host equals Certificate.SSL.CN –> Stop Rule Set
The rule allows a request if the URL of the requested host is the same as the common name in the certificate.
Allow wildcard certificates
Certificate.SSL.CN.HasWildcards equals true AND URL.Host matches Certificate.SSL.CN.ToRegex(Certificate.SSL.CN) –> Stop Rule Set
The rule allows requests to hosts sending certificates that have wildcards in their common names matching the URLs of the hosts.
To verify that a common name containing wildcards matches a host, this name is converted into a regular expression.
Allow alternative common names
URL.Host is in list Certificate.SSL.AlternativeCNs –> Stop Rule Set
The rule allows requests to hosts with alternative common names in their certificates if the host matches at least one of them.
Block incident
Always –> Block <Common name mismatch>
If any of the rules for allowing matching common names applies, processing of the rule set stops and this rule is not processed. Otherwise, requests are blocked by this rule because it is then a common name mismatch.
The action settings specify a message to the requesting user.
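Both common name rule sets, Verify Common Name (Proxy Setup) above and Verify Common Name (Transparent Setup) here, run the same four rules and differ only in where the compared host name comes from. The Python script below is an added example and not part of the appliance or its documentation: it takes the host from a CONNECT target or from the Host header of the web request depending on the setup, converts a wildcard common name into a regular expression and applies the rules in order. The ServerCert fields and the wildcard semantics (the wildcard is the whole leftmost label, at least two labels follow it, and it matches exactly one label, as RFC 6125 recommends) are this example's assumptions, not a statement about how the appliance's ToRegex works. It also goes one step beyond the page's third rule by applying the wildcard conversion to subjectAltName entries as well, since real certificates commonly carry wildcard names there.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class ServerCert:
    """Constructed stand-in for the certificate fields the rules read (not a real X.509 parser)."""
    cn: str
    alternative_names: Tuple[str, ...] = ()   # dNSName entries of subjectAltName

    @property
    def cn_has_wildcards(self) -> bool:       # Certificate.SSL.CN.HasWildcards
        return "*" in self.cn


def name_to_regex(name: str) -> Optional[re.Pattern]:
    """Model of Certificate.SSL.CN.ToRegex: a wildcard name becomes an anchored regex.

    Design choice of this example (RFC 6125 section 6.4.3), not necessarily the appliance's: the
    wildcard must be the whole leftmost label, at least two labels must follow it, and it matches
    exactly one label. So '*.example.com' covers 'www.example.com' but not 'example.com',
    'a.b.example.com' or 'www.example.com.attacker.test'; '*.com' and 'www.*.example.com' get None."""
    labels = name.lower().split(".")
    if len(labels) < 3 or labels[0] != "*" or any("*" in label for label in labels[1:]):
        return None
    return re.compile(r"^[^.]+\." + re.escape(".".join(labels[1:])) + r"$")


def requested_host(connect_target: Optional[str], host_header: Optional[str], transparent: bool) -> str:
    """Where URL.Host comes from: the CONNECT request in an explicit proxy setup, the Host header of
    the web request in a transparent setup (no CONNECT is sent there). Port stripped, lowercased."""
    source = host_header if transparent else connect_target
    if source is None:
        raise ValueError("no host name available for this setup")
    return (urlsplit("//" + source).hostname or "").rstrip(".")


def verify_common_name(host: str, cert: ServerCert) -> str:
    """The four rules in the page's order: the first that matches ends the rule set, the last blocks."""
    host = host.lower()
    # Allow matching hostname: URL.Host equals Certificate.SSL.CN
    if host == cert.cn.lower():
        return "allow: matching hostname"
    # Allow wildcard certificates: CN has wildcards AND URL.Host matches ToRegex(CN)
    if cert.cn_has_wildcards:
        regex = name_to_regex(cert.cn)
        if regex and regex.match(host):
            return "allow: wildcard certificate"
    # Allow alternative common names: URL.Host is in Certificate.SSL.AlternativeCNs. The wildcard
    # conversion is applied to these entries as well, which goes beyond the page's exact-match rule.
    for san in cert.alternative_names:
        if host == san.lower():
            return "allow: alternative name"
        regex = name_to_regex(san) if "*" in san else None
        if regex and regex.match(host):
            return "allow: alternative name (wildcard)"
    # Block incident: Always -> Block <Common name mismatch>
    return "block: common name mismatch"


# Constructed certificates for a run of the rules.
PLAIN_CERT = ServerCert("www.example.com", ("example.com", "www.example.net"))
WILDCARD_CERT = ServerCert("*.example.com", ("example.com", "*.api.example.com"))

if __name__ == "__main__":
    print(requested_host("www.example.com:443", None, transparent=False),
          requested_host(None, "WWW.Example.com:443", transparent=True))
    for host in ("www.example.com", "shop.example.com", "example.com", "v1.api.example.com",
                 "a.b.example.com", "www.example.com.attacker.test"):
        print(f"{host:32} {verify_common_name(host, WILDCARD_CERT)}")
```

The two cases worth running are the last two hosts in the loop: `a.b.example.com` is blocked because the wildcard covers one label only, and `www.example.com.attacker.test` is blocked because the regular expression is anchored at both ends and the dots in the common name are escaped. A conversion that simply replaced `*` with `.*` and left the dots unescaped would accept both.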