SSL/TLS renegotiation is a process that involves the full SSL handshake process taking place over an already existing SSL connection. The process can be initiated by the server or by the client.
GFI WebMonitor offers the option to have HTTPS Scanning enabled. This option allows GFI WebMonitor to intercept the encrypted traffic and apply the web policies. The way SSL negotiation works depends on whether HTTPS Scanning is enabled.
If HTTPS Scanning is not enabled
In this case, after the CONNECT message, the proxy just passes forward the encrypted traffic between the client and the server until the connection is closed or becomes idle. The proxy should not interfere with the SSL/TLS renegotiation in this case because the client and server are talking directly to each other. It is the same case as when a proxy is not used.
If HTTPS Scanning is enabled
For secured connections, the proxy uses the SslStream component, which is part of the .NET Framework provided by Microsoft. This component is responsible for handling the secure channel used by the proxy to send/receive HTTP messages.
The establishment of the secure channel (negotiation, renegotiation, resumption), encryption and decryption take place in the SslStream component, below the application layer where the proxy receives/parses/sends HTTPS requests.
The renegotiation initiated by the server is handled by the SslStream instance that is opened between the proxy and the server, while the connection opened between the client and the proxy is not affected.
The renegotiation requested by the client is handled by the SslStream instance that is opened between the client and the proxy, while the connection between the proxy and the server is not affected.
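The two-leg arrangement described in this section, as an added example in C# (not GFI WebMonitor's own code). It assumes the CONNECT exchange has already completed on the client socket and that `interceptCert` is a per-host certificate issued by a CA the client trusts; how that certificate is produced is outside what the article covers.

```csharp
// Added example, not GFI WebMonitor code. Assumptions: the client has already sent
// "CONNECT host:443" and received "200 Connection Established"; interceptCert is a
// per-host certificate issued by a CA the client trusts (its generation is not shown).
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class HttpsScanningBridge
{
    public static async Task BridgeAsync(NetworkStream clientRaw, string host, int port,
                                         X509Certificate2 interceptCert)
    {
        // Leg 1: client <-> proxy. The proxy takes the server role on this SslStream.
        using var clientTls = new SslStream(clientRaw, leaveInnerStreamOpen: false);
        await clientTls.AuthenticateAsServerAsync(interceptCert,
            clientCertificateRequired: false,
            enabledSslProtocols: SslProtocols.None,   // let the OS choose current defaults
            checkCertificateRevocation: false);

        // Leg 2: proxy <-> origin server. The proxy takes the client role and validates
        // the origin certificate with SslStream's default checks.
        using var upstream = new TcpClient();
        await upstream.ConnectAsync(host, port);
        using var serverTls = new SslStream(upstream.GetStream(), leaveInnerStreamOpen: false);
        await serverTls.AuthenticateAsClientAsync(host);

        // Only decrypted bytes cross this boundary. A renegotiation (or resumption) on
        // either leg completes inside that leg's SslStream; the other leg is untouched.
        Task clientToServer = PumpAsync(clientTls, serverTls);
        Task serverToClient = PumpAsync(serverTls, clientTls);
        await Task.WhenAny(clientToServer, serverToClient);
    }

    // Copies decrypted data from one leg to the other. This is the application layer
    // the article refers to: a real proxy parses HTTP here and applies web policies
    // before forwarding.
    private static async Task PumpAsync(Stream from, Stream to)
    {
        var buffer = new byte[16 * 1024];
        int read;
        while ((read = await from.ReadAsync(buffer, 0, buffer.Length)) > 0)
        {
            await to.WriteAsync(buffer, 0, read);
            await to.FlushAsync();
        }
    }
}
```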