
SSL Scanner Practice: why not Stop Cycle?

Theory & practice question for the community...

For some time I’ve been struggling with a decision on what is the best way to handle HTTPS sites where we want to allow users to access a very specific URL but not the site as a whole. Today, when certificate verification is enabled, the request continues to be further evaluated based on the CONNECT event, and since the URL path is not yet available, we have to allow the CONNECT request for any site where a specific URL is going to be allowed, and then we re-evaluate based on the CERTVERIFY and GET (or other HTTP method) requests.

The questions I want to raise for opinions are these:

1. If we’re enabling cert verification for a given CONNECT request (which is nearly all CONNECT events), is there a reason why we should further evaluate the request in that cycle (since that’s how the SSL Scanner rule set from the stock content library does it), or would it not be better to Stop Cycle on those events since the CERTVERIFY event will immediately follow and not match on that rule set anyway?

2. Same as above, but for content inspection… should we not Stop Cycle on the "Enable Content Inspection" rules too so that subsequent requests can be evaluated based on their real HTTP methods of GET, POST, etc.?

Eager for your feedback.
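Added example, not from the post or from the Web Gateway product: a small Python model of the CONNECT, CERTVERIFY and decrypted-request cycles described above, with a `stop_on_connect` switch so the two behaviours the first question asks about can be compared on the same policy. `ALLOWED_URLS`, the two rule-set functions and the returned trace are constructed for this model and are not the product's rule language.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model (not the Web Gateway engine): CONNECT carries only the
# host, CERTVERIFY follows when verification is enabled, and only the
# decrypted GET/POST carries the URL path. "Stop Cycle" ends rule-set
# evaluation for the current event only; the next event starts a new cycle.

ALLOWED_URLS = {("example.com", "/api/v1/health")}   # sample policy
ALLOWED_HOSTS = {host for host, _ in ALLOWED_URLS}

@dataclass
class Event:
    kind: str                    # CONNECT, CERTVERIFY, GET, POST, ...
    host: str
    path: Optional[str] = None   # unknown until the tunnel is decrypted
    cert_ok: bool = True

def ssl_scanner(ev, stop_on_connect):
    """Model of the SSL Scanner rule set; returns (action, stop_cycle)."""
    if ev.kind == "CONNECT":
        return None, stop_on_connect          # verification enabled here
    if ev.kind == "CERTVERIFY":
        return ("BLOCK" if not ev.cert_ok else None), True
    return None, False

def url_policy(ev):
    """Allow one exact URL; during CONNECT only the host can be checked."""
    if ev.path is None:
        return ("ALLOW" if ev.host in ALLOWED_HOSTS else "BLOCK"), True
    return ("ALLOW" if (ev.host, ev.path) in ALLOWED_URLS else "BLOCK"), True

def run_session(host, path, method="GET", cert_ok=True, stop_on_connect=False):
    """Evaluate the CONNECT -> CERTVERIFY -> <method> cycles for one request.
    Returns (verdict, event that decided, list of (event, rule set) consulted)."""
    consulted = []
    events = [Event("CONNECT", host),
              Event("CERTVERIFY", host, cert_ok=cert_ok),
              Event(method, host, path)]
    rule_sets = (("ssl_scanner", lambda e: ssl_scanner(e, stop_on_connect)),
                 ("url_policy", url_policy))
    for ev in events:
        for name, rule_set in rule_sets:
            consulted.append((ev.kind, name))
            action, stop = rule_set(ev)
            if action == "BLOCK":
                return "BLOCK", ev.kind, consulted
            if stop:
                break                          # Stop Cycle for this event
    return "ALLOW", method, consulted
```

With `stop_on_connect=True` the URL policy is never consulted in the CONNECT cycle, so a host that is not allowed at all is only blocked once the decrypted request arrives; with the default, it is blocked on CONNECT.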


