I can also block HTTPS by blocking port 443; that's not the point. The point is to block "bad" 443 port traffic and let "good" traffic pass.
One thing that might be able to be done is to limit the amount of traffic that can pass through any given HTTPS (443) connection. Namely, if an HTTPS connection is ongoing and has carried a meg of data or more (anything that would be more than any legitimate HTTPS web submit would be) you could probably know that the traffic was not standard HTTPS traffic and thus safe to shut down. This might trap some stunnel (?) (SSL tunneling) but then you would know the IP of the other end and you could explicitly allow ongoing HTTPS connections to that IP. This amount-of-data match could possibly be matched via the "connbytes" match extension from the patch-o-matic extra repository.
Grant. . . .
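An added example, not code from the thread, of how the volume cap Grant describes could be written with iptables' connbytes match, with the known tunnel peer allowed ahead of the cap and over-limit flows logged before they are reset. The LAN range, peer address, cap size and chain name are constructed assumptions; the script prints the commands instead of loading them unless DRY_RUN=0, and it assumes a kernel where conntrack byte accounting must be switched on for connbytes to count anything.

```shell
# Constructed values: LAN behind the firewall, one stunnel peer allowed at any
# volume (its IP would come from the firewall log), and a 1 MiB per-connection cap.
LAN_NET="192.168.1.0/24"
ALLOWED_PEER="203.0.113.10"
LIMIT_BYTES=1048576

run() {
    # Print by default so the rule set can be reviewed without root; DRY_RUN=0 applies it.
    if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

https_cap_rules() {
    # connbytes only counts traffic while conntrack accounting is enabled
    # (off by default since kernel 2.6.27), so turn it on first.
    run sysctl -w net.netfilter.nf_conntrack_acct=1

    run iptables -N HTTPS_CAP
    # 1. The known tunnel endpoint passes regardless of volume.
    run iptables -A HTTPS_CAP -d "$ALLOWED_PEER" -j ACCEPT
    # 2. Any other 443 connection that has moved LIMIT_BYTES or more (both
    #    directions combined) is logged (rate limited) and then torn down with a
    #    reset; the log line gives the far-end IP for a later explicit allow.
    run iptables -A HTTPS_CAP -m connbytes --connbytes "${LIMIT_BYTES}:" \
        --connbytes-dir both --connbytes-mode bytes \
        -m limit --limit 6/min -j LOG --log-prefix "HTTPS-CAP: "
    run iptables -A HTTPS_CAP -m connbytes --connbytes "${LIMIT_BYTES}:" \
        --connbytes-dir both --connbytes-mode bytes \
        -j REJECT --reject-with tcp-reset
    # 3. Everything still under the cap is treated as ordinary HTTPS.
    run iptables -A HTTPS_CAP -j ACCEPT

    # Send every forwarded TCP/443 flow originating in the LAN through the chain.
    run iptables -A FORWARD -s "$LAN_NET" -p tcp --dport 443 -j HTTPS_CAP
}

# Number of iptables commands the rule set produces (useful for a quick check).
https_cap_rule_count() { https_cap_rules | grep -c 'iptables'; }
```

Because the chain is only entered for the client-to-server direction, the reset reaches the LAN host; a legitimate peer that trips the cap shows up in the log under the HTTPS-CAP prefix and can be added to the allow rule.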