SSL scanning

SSL scanning ensures that SSL-secured web traffic can be processed and made available to other filtering functions on Web Gateway. This scanning mode is also known as HTTPS scanning.

The SSL or HTTPS scanning process includes several elements, which contribute to it in different ways.

  • SSL scanning rules control the process.
  • Whitelists and other lists are used by the rules to let web objects skip SSL scanning and to perform other functions within the process.
  • SSL scanning modules, which are called by the rules, perform certificate verification and other functions within the process.

SSL scanning rules

The rules that control SSL scanning are usually contained in one rule set that has several nested rule sets. Each of the nested rule sets controls a particular function of the SSL scanning process:

  • Handle the CONNECT call — There is a rule set with rules for handling the CONNECT call, which is sent at the beginning of SSL-secured communication under the HTTPS protocol.
  • Verify certificates — There are rule sets for verifying certificates that are submitted by clients and servers in SSL-secured communication, for example, by verifying the common names in these certificates.

    This part of the process allows verification for both explicit proxy and transparent setups.

  • Enable content inspection — Another rule set contains rules for enabling the inspection of content that is transferred in SSL-secured communication.

To find out whether an object is infected, the blocking rule calls the Anti-Malware module, which scans the object and reports the result back to the rule.

Whitelisting rules can be placed and processed in this rule set before the blocking rule. If any of them applies, the blocking rule is skipped and the whitelisted objects are not scanned.

You can review the rules that are implemented on the appliance for SSL scanning, modify or delete them, and also create your own rules.

When the default rule set system is implemented, a rule set for SSL scanning is included. Its name is HTTPS Scanning. However, the rule set is not enabled initially.

Whitelists and other lists for SSL scanning

Whitelists are used by the SSL scanning rules to let web objects skip parts of the process. For example, a certificate whitelist exempts certificates from undergoing verification.

Other lists used in SSL scanning contain, for example, the port numbers that are allowed in CONNECT calls if these calls are to be accepted, or the servers that require a special kind of certificate verification because a particular method of exchanging keys cannot be applied to them.

You can add entries to these lists or remove entries. You can also create your own lists and let them be used by the SSL scanning rules.

Modules for SSL scanning

The following modules (also known as engines) are called by the SSL scanning rules to perform different parts of the SSL scanning process:

  • SSL Scanner — Handles certificate verification or the enabling of content inspection, depending on the settings it runs with.

    Accordingly, the module is called by the rules for certificate verification and content inspection with different settings.

  • Modules for setting the client context — Handle the submission of the appliance's certificate to the clients that send requests to it in SSL-secured communication.

    When this certificate is submitted, the certificate of the certificate authority (CA) that issued it can be sent along with it or omitted. Accordingly, there is one module for submitting a certificate with its certificate authority and another module for submitting a certificate without it.

    The SSL Scanner rule set of the default system uses the method of submitting a certificate with its certificate authority.

    Tip: Best practice: Replace the default certificate authority that is provided for use after the initial setup with a certificate authority of your own for further use.

  • Certificate Chain — Handles the building of a certificate chain.

    When building the chain, the module uses a list of certificate authorities for the certificates that are included in the chain. You can add certificate authorities to existing lists and also add new lists.
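The verify-certificates step, the certificate whitelist and the CA list described above, as an added example that is not Web Gateway's own code: a server certificate received after a CONNECT call is exempted when it is whitelisted, and otherwise must chain to a listed CA and be valid for the requested host. The whitelist keyed by subject common name, the helper mkCert and all certificates are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// verifyServerCert models the verify-certificates rule logic: a whitelisted
// certificate skips verification; any other certificate must chain to a CA on
// the trusted list and be valid for the host named in the CONNECT call (matched
// against the SAN names, which current libraries use instead of the common
// name). Keying the whitelist by subject common name is an assumption made here.
func verifyServerCert(host string, cert *x509.Certificate, cas []*x509.Certificate, whitelist map[string]bool) string {
	if whitelist[cert.Subject.CommonName] {
		return "whitelisted" // exempt from verification, as a certificate whitelist entry allows
	}
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca)
	}
	if _, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: pool}); err != nil {
		return "blocked: " + err.Error()
	}
	return "verified"
}

// mkCert issues a constructed test certificate for cn: a self-signed CA when
// parent is nil, otherwise a server certificate for host cn signed by parent.
func mkCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	} else {
		tmpl.DNSNames = []string{cn} // SAN carries the host name the certificate is valid for
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```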