Bit of background, for every SSL connection there will be two or more traces associated with that connection.
1) The SSL handshake
2) The requests inside the SSL tunnel
The rule trace you're looking at is the SSL handshake (1). The first cycle is the CONNECT request, it is plaintext HTTP, as such, the Connection.Protocol is HTTP. The second cycle (in the same trace) is the "CERTVERIFY" whereby the MWG has connected to the server and obtained the certificate, this allows us to write rules based on the certificate and ssl handshake properties. The Connection.Protocol for the second cycle is SSL, as you found.
In a rule trace that follows this one is the request inside the SSL tunnel (assuming content inspection is enabled). This is where the Connection.Protocol is HTTPS.
Hope this helps!
Many thanks for the clarification.