CN117411701A - SSL unified certificate offloading system and equipment - Google Patents


Info

Publication number: CN117411701A
Authority: CN (China)
Prior art keywords: ssl, certificate, ssl certificate, unified, module
Legal status: Pending
Application number: CN202311431309.1A
Other languages: Chinese (zh)
Inventors: 杨航, 张健, 温诗华, 陈强, 全雪霞, 谢林江, 黄士超, 黄宇, 罗升斯, 李寒箬, 刘家豪
Current assignee: China Southern Power Grid Co Ltd
Original assignee: China Southern Power Grid Co Ltd
Timeline: application CN202311431309.1A filed by China Southern Power Grid Co Ltd; priority to CN202311431309.1A; publication of CN117411701A; legal status pending

Classifications

    • H04L 63/0823: Network architectures or network communication protocols for network security; authentication of entities using certificates (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 > H04L 63/08)
    • H04L 63/168: Implementing security features at a particular protocol layer above the transport layer (H04L 63/00 > H04L 63/16)
    • H04L 9/40: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols (H04L 9/00)
    • Y02D 30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT] > Y02D 30/00 Reducing energy consumption in communication networks)

Abstract

The invention discloses an SSL unified certificate offloading system and equipment. The method comprises: in response to a request that a target client sends over a transport security protocol, the SSL certificate management server obtains the SSL certificate from the SSL certificate management system; the obtained SSL certificates are sent to the nodes of the corresponding group, each node corresponding to a domain name and a back-end application server, each single SSL certificate is verified against the corresponding node information, and the nodes return the verification results; and the verified SSL certificate is decrypted in the local memory of the SSL certificate management server to obtain the target decryption key corresponding to the target client. The method and system address the difficulty of verifying and decrypting SSL certificates during offloading: the certificate is verified as part of offloading, and offloading proceeds only after verification succeeds, which improves the confidentiality and security of system communication.

Description

SSL unified certificate offloading system and equipment
Technical Field
The invention relates to the technical field of network security, and in particular to an SSL unified certificate offloading system and equipment.
Background
SSL certificates are issued by a trusted certificate authority (CA) after it has verified the identity of a server; they follow the SSL protocol and provide server identity verification and encryption of the transmitted data. The SSL protocol itself was designed and developed by Netscape Communications to establish a secure channel between the client browser and the web server. It provides authentication of users and servers, encrypts the transmitted data so that it is hidden from third parties, and ensures that data is not altered in transit (data integrity); it has become a global standard in the field. Because SSL support is built into all major browsers and web server software, the function is activated simply by installing a server certificate. This enables encrypted transmission of data between client and server, prevents the data from leaking, secures the transfer for both parties, and lets a user verify through the server certificate whether the website being visited is genuine and trustworthy.
With the growing volume of SSL traffic, its drawbacks have also become apparent, the first of which is SSL latency. In HTTPS the SSL handshake must be completed after the TCP handshake, so HTTPS takes longer than HTTP. After the handshake, the server must spend additional processing capacity encrypting and decrypting the transmitted data, so inline SSL encryption inevitably consumes server performance; intuitively, once a server enables SSL encryption its performance drops to about 20% of the original, with the remaining 80% of the computing capacity consumed by SSL encryption operations (an illustrative figure; the actual overhead depends on the cipher suite, key exchange and hardware acceleration available). It is therefore necessary to offload SSL certificates, temporarily or permanently, for services on which the certificate is rarely or never used.
CN115529186A discloses an SSL certificate offloading method, device and system based on soft load balancing. In that method, a target decryption key corresponding to a target client is obtained in the local memory of a soft load balancing server in response to an HTTPS request that the target client sends through the load balancing forwarding server; the HTTPS request is SSL-offloaded with the target decryption key to obtain the corresponding HTTP request; and the HTTP request is sent to a mobile office service system, so that the target client is routed to the mobile office service system by soft load balancing. This solves the difficulty of parsing requests when general-purpose load balancing cannot be used, so that no decryption key has to be stored on the target client, and improves the confidentiality and security of system communication. That invention, however, is directed at SSL certificate offloading for banking systems and is not generally applicable.
Existing SSL certificates typically form a certificate chain with multiple levels. In that case, for a client to verify the server's SSL certificate, the certificate chain corresponding to the server must be kept complete; only then does the client pass certificate verification and access the server normally. At present the SSL certificates of all nodes are essentially loaded or updated by hand, which is laborious and error-prone, and a single mistake affects the data security of the whole network. The present SSL unified certificate offloading system and equipment are therefore provided.
Disclosure of Invention
The invention aims to provide an SSL unified certificate offloading system and equipment that solve the problems described in the background art.
To that end, the present invention provides the following technical solutions:
According to one aspect of the present invention, an SSL unified certificate offloading method performed by an SSL certificate management server comprises the following steps:
S1, obtaining the SSL certificate: in response to a request sent by the target client over a transport security protocol, the SSL certificate management server obtains the SSL certificate from the SSL certificate management system;
S2, verifying the SSL certificates: the obtained SSL certificates are sent to the nodes of the corresponding group, each node corresponding to a domain name and a back-end application server; each single SSL certificate is verified against the corresponding node information, and the verification result is returned;
S3, decrypting the SSL certificate: the verified SSL certificate is decrypted in the local memory of the SSL certificate management server to obtain the target decryption key corresponding to the target client;
S4, offloading the SSL certificate: the request sent over the transport security protocol is SSL-offloaded using the target decryption key, the response to that request for the target client is obtained, and the response is sent to the target client and to the SSL certificate management system;
S5, logging and monitoring: during SSL certificate offloading the system is monitored in real time, the monitored items including CPU and memory usage.
Preferably, in S1 the transport security protocols include HTTPS, POP3S, SMTPS and IMAPS.
Preferably, in S2 each SSL service is load-balanced separately during verification, the load-balancing methods including, but not limited to, round robin, weighted round robin, least connections, static proximity and dynamic proximity.
Preferably, in S3 the decryption policy can be configured on the basis of source security domain, destination security domain, source address, destination address and SSL protocol service; the action setting determines whether a matching flow is decrypted or not; exceptions can be set by security domain and by IPv4 and IPv6 address; and decrypted traffic can be mirrored to other devices for analysis and statistics.
Preferably, in S3 decryption is performed by a built-in algorithm package comprising symmetric ciphers including, but not limited to, DES (56-bit), 3DES (168-bit), AES (128-bit) and Blowfish; asymmetric algorithms including, but not limited to, RSA, DSA and DH; and hash functions including, but not limited to, MD5 and SHA, together with Base64 encoding and CRC checksums. Of these, DES, 3DES, Blowfish and MD5 are no longer acceptable for TLS, and Base64 and CRC are an encoding and an error-detecting code rather than cryptographic hashes; an offload device deployed today should negotiate only TLS 1.2 or later with AEAD suites such as AES-GCM or ChaCha20-Poly1305.
Preferably, in S5 the device's uplink and downlink traffic can be displayed dynamically in real time as charts, the display refreshes automatically, the log information of each module can be displayed, and user login logs and resource access logs can be inspected.
According to another aspect of the present invention, an SSL unified certificate offloading system comprises:
an SSL certificate acquisition module, which, in response to a request sent by the target client over a transport security protocol, obtains the SSL certificate from the SSL certificate management system;
an SSL certificate verification module, which sends the obtained SSL certificates to the nodes of the corresponding group, each node corresponding to a domain name and a back-end application server, and has each single SSL certificate verified against the corresponding node information, the nodes returning the verification results;
an SSL certificate decryption module, which decrypts the verified SSL certificate in the local memory of the SSL certificate management server to obtain the target decryption key corresponding to the target client;
a request response module, which SSL-offloads the request sent over the transport security protocol using the target decryption key and obtains the response to that request for the target client;
a response sending module, which sends the response to the target client and to the SSL certificate management system;
a log monitoring module, which monitors the system in real time during SSL certificate offloading, the monitored items including CPU and memory usage; and
an SSL certificate batch execution module, for batch import, batch decryption and batch offloading of SSL certificates.
Preferably, the system further comprises an alarm display module supporting CPU alarms, memory alarms, SSL connection count alarms, administrator account login lockout alarms and user account login lockout alarms, delivered by e-mail, by SMS, or by both.
Preferably, the system further comprises an interface integration module supporting interface integration with third-party platforms or systems according to customer requirements.
According to another aspect of the present invention, an SSL unified certificate offloading device comprises a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the SSL unified certificate offloading method of the present invention when it executes the computer program.
According to another aspect of the present invention, a computer-readable storage medium stores computer instructions which, when executed, cause a processor to implement the SSL unified certificate offloading method of the present invention.
Compared with the prior art, the invention has the following beneficial effects:
The invention provides an SSL certificate offloading method in which the SSL certificate management server obtains the SSL certificate from the SSL certificate management system in response to a request sent by the target client over a transport security protocol; sends the obtained SSL certificates to the nodes of the corresponding group, each node corresponding to a domain name and a back-end application server, has each single SSL certificate verified against the corresponding node information and receives the verification results; decrypts the verified SSL certificate in its local memory to obtain the target decryption key corresponding to the target client; SSL-offloads the request sent over the transport security protocol with the target decryption key, obtains the response to that request for the target client and sends it to the target client and to the SSL certificate management system; and monitors the system in real time during offloading, the monitored items including CPU and memory usage.
The method and system thus address the difficulty of verifying and decrypting SSL certificates during offloading: the certificate is verified as part of the offloading procedure, and offloading is executed only after verification succeeds, which improves the confidentiality and security of system communication.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of an SSL unified certificate offload method in the present invention;
FIG. 2 is a system architecture diagram of an SSL unified certificate offload system in accordance with the present invention;
FIG. 3 is a system architecture diagram of one embodiment of an SSL unified certificate offload system in accordance with the present invention;
fig. 4 is a system architecture diagram of another embodiment of the SSL unified certificate offload system in the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
In the description of the present invention it should be noted that orientation or positional terms such as "inner" and "lower" refer to the orientation or position shown in the drawings, or to the orientation in which the product is conventionally placed in use; they are used only for convenience and simplicity of description and do not indicate or imply that the apparatus or element concerned must have a particular orientation or be constructed and operated in a particular orientation, and therefore should not be construed as limiting the invention. Likewise, the terms "first", "second" and the like are used only to distinguish between descriptions and should not be construed as indicating or implying relative importance.
It should also be noted that, unless explicitly specified and limited otherwise, the terms "mounted", "connected" and "coupled" are to be construed broadly: a connection may be fixed, detachable or integral; it may be a mechanical connection; it may be direct or indirect through an intermediate medium; and it may be an internal communication between two elements. The specific meaning of these terms in the present invention will be understood by those of ordinary skill in the art according to the specific case.
In the present invention, unless expressly stated or limited otherwise, a first feature being "on" or "under" a second feature includes the two features being in direct contact, or being in contact through an additional feature between them rather than directly. A first feature being "above", "over" or "on top of" a second feature includes the first feature being directly or obliquely above the second, or merely at a higher level than the second; a first feature being "below", "beneath" or "under" a second feature includes the first feature being directly or obliquely below the second, or merely at a lower level than the second.
As shown in fig. 1, according to one aspect of the present invention, an SSL unified certificate offloading method performed by an SSL certificate management server comprises the following steps:
S1, obtaining the SSL certificate: in response to a request sent by the target client over a transport security protocol, the transport security protocols including HTTPS, POP3S, SMTPS and IMAPS, the SSL certificate management server obtains the SSL certificate from the SSL certificate management system;
S2, verifying the SSL certificates: the obtained SSL certificates are sent to the nodes of the corresponding group, each node corresponding to a domain name and a back-end application server; each single SSL certificate is verified against the corresponding node information, and the verification result is returned;
S3, decrypting the SSL certificate: the verified SSL certificate is decrypted in the local memory of the SSL certificate management server to obtain the target decryption key corresponding to the target client;
S4, offloading the SSL certificate: the request sent over the transport security protocol is SSL-offloaded using the target decryption key, the response to that request for the target client is obtained, and the response is sent to the target client and to the SSL certificate management system;
S5, logging and monitoring: during SSL certificate offloading the system is monitored in real time, the monitored items including CPU and memory usage.
In one embodiment, the SSL unified certificate offloading method performed by the SSL certificate management server comprises the following steps:
S1, obtaining the SSL certificate: in response to a request sent by the target client over a transport security protocol, the SSL certificate management server obtains the SSL certificate from the SSL certificate management system;
S2, verifying the SSL certificates: the obtained SSL certificates are sent to the nodes of the corresponding group, each node corresponding to a domain name and a back-end application server; each single SSL certificate is verified against the corresponding node information and the verification result is returned; during verification each SSL service is load-balanced separately, the load-balancing methods including, but not limited to, round robin, weighted round robin, least connections, static proximity and dynamic proximity;
S3, decrypting the SSL certificate: the verified SSL certificate is decrypted in the local memory of the SSL certificate management server; the decryption policy can be configured on the basis of source security domain, destination security domain, source address, destination address and SSL protocol service, with an action setting of decrypt or no-decrypt, exceptions set by security domain and by IPv4 and IPv6 address, and mirroring of decrypted traffic to other devices for analysis and statistics; after decryption the target decryption key corresponding to the target client is obtained;
S4, offloading the SSL certificate: the request sent over the transport security protocol is SSL-offloaded using the target decryption key, the response to that request for the target client is obtained, and the response is sent to the target client and to the SSL certificate management system;
S5, logging and monitoring: during SSL certificate offloading the system is monitored in real time, the monitored items including CPU and memory usage.
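The decryption policy of step S3 (source and destination security domain, source and destination address, SSL service, a decrypt or no-decrypt action, exceptions by security domain and by IPv4 and IPv6 address, and mirroring of decrypted traffic) is the part of the procedure most worth seeing as code, because the evaluation order decides whether a host that should stay encrypted ends up decrypted and mirrored. The Go program below is an added example written for this page; it is not code from the patent or from China Southern Power Grid. The Rule and Flow structures, the first-match semantics, the fail-closed default and the sample addresses (203.0.113.7, 10.0.1.9, 2001:db8:ad:1::/64) are all assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Action is what the offload device does with a TLS flow that matched a rule.
type Action int

const (
	NoDecrypt Action = iota // pass the TLS session through untouched
	Decrypt                 // terminate TLS here and hand plaintext to the backend
)

func (a Action) String() string {
	if a == Decrypt {
		return "decrypt"
	}
	return "no-decrypt"
}

// Flow is the tuple the policy is evaluated on: source and destination security
// domain, source and destination address (IPv4 or IPv6) and the SSL service.
type Flow struct {
	SrcZone, DstZone string
	Src, Dst         netip.Addr
	Service          string // "https", "pop3s", "smtps" or "imaps"
}

// Rule is one ordered policy entry. An empty zone or service and an invalid
// (zero) prefix mean "any". Exceptions carve addresses out of a matching rule.
type Rule struct {
	Name             string
	SrcZone, DstZone string
	SrcNet, DstNet   netip.Prefix
	Service          string
	Exceptions       []netip.Prefix // a flow with src or dst inside any of these is not matched
	Action           Action
	Mirror           bool // copy the decrypted stream to an analysis port
}

func matchZone(want, got string) bool { return want == "" || want == got }

func matchNet(p netip.Prefix, a netip.Addr) bool { return !p.IsValid() || p.Contains(a.Unmap()) }

func excepted(exc []netip.Prefix, f Flow) bool {
	for _, p := range exc {
		if p.Contains(f.Src.Unmap()) || p.Contains(f.Dst.Unmap()) {
			return true
		}
	}
	return false
}

// Evaluate returns the action, mirror flag and rule name of the first rule that
// matches the flow and does not except it. With no match the device fails
// closed: the flow is passed through still encrypted and nothing is mirrored.
func Evaluate(rules []Rule, f Flow) (Action, bool, string) {
	for _, r := range rules {
		if !matchZone(r.SrcZone, f.SrcZone) || !matchZone(r.DstZone, f.DstZone) {
			continue
		}
		if r.Service != "" && r.Service != f.Service {
			continue
		}
		if !matchNet(r.SrcNet, f.Src) || !matchNet(r.DstNet, f.Dst) {
			continue
		}
		if excepted(r.Exceptions, f) {
			continue // an excepted host must never fall through to decrypt+mirror
		}
		return r.Action, r.Mirror, r.Name
	}
	return NoDecrypt, false, "default"
}

// SamplePolicy is a constructed policy: decrypt and mirror inbound HTTPS from the
// untrusted zone into the DMZ, except for the payment host and the IPv6
// management range, and pass IMAPS through untouched. Anything else hits the
// fail-closed default.
func SamplePolicy() []Rule {
	return []Rule{
		{
			Name: "inbound-web", SrcZone: "untrust", DstZone: "dmz", Service: "https",
			Exceptions: []netip.Prefix{
				netip.MustParsePrefix("10.0.1.9/32"),
				netip.MustParsePrefix("2001:db8:ad:1::/64"),
			},
			Action: Decrypt, Mirror: true,
		},
		{Name: "mail-passthrough", Service: "imaps", Action: NoDecrypt},
	}
}

func main() {
	for _, dst := range []string{"10.0.1.20", "10.0.1.9", "2001:db8:ad:1::5", "2001:db8:ad:2::5"} {
		f := Flow{SrcZone: "untrust", DstZone: "dmz", Src: netip.MustParseAddr("203.0.113.7"),
			Dst: netip.MustParseAddr(dst), Service: "https"}
		act, mirror, name := Evaluate(SamplePolicy(), f)
		fmt.Printf("%-18s -> %-10s mirror=%-5v rule=%s\n", dst, act, mirror, name)
	}
}
```

Two choices in this evaluator carry the security weight: exceptions are tested before a rule's action is returned, so an excepted host can never be decrypted and mirrored by that rule, and a flow that matches no rule is passed through encrypted rather than decrypted, so a gap in the policy fails closed. netip.Prefix.Contains only matches addresses of the same family, which means an IPv4 exception cannot silently cover an IPv6 host; a policy that wants to protect a dual-stack host needs an exception prefix for each family, as the sample shows.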
In another embodiment, the SSL unified certificate offloading method performed by the SSL certificate management server comprises the following steps:
S1, obtaining the SSL certificate: in response to a request sent by the target client over a transport security protocol, the transport security protocols including HTTPS, POP3S, SMTPS and IMAPS, the SSL certificate management server obtains the SSL certificate from the SSL certificate management system;
S2, verifying the SSL certificates: the obtained SSL certificates are sent to the nodes of the corresponding group, each node corresponding to a domain name and a back-end application server; each single SSL certificate is verified against the corresponding node information, and the verification result is returned;
S3, decrypting the SSL certificate: the verified SSL certificate is decrypted in the local memory of the SSL certificate management server by a built-in algorithm package comprising symmetric ciphers (DES (56-bit), 3DES (168-bit), AES (128-bit) and Blowfish), asymmetric algorithms (RSA, DSA and DH) and hash functions (MD5 and SHA) together with Base64 encoding and CRC checksums; after decryption the target decryption key corresponding to the target client is obtained;
S4, offloading the SSL certificate: the request sent over the transport security protocol is SSL-offloaded using the target decryption key, the response to that request for the target client is obtained, and the response is sent to the target client and to the SSL certificate management system;
S5, logging and monitoring: during SSL certificate offloading the system is monitored in real time, the monitored items including CPU and memory usage; the device's uplink and downlink traffic can be displayed dynamically in real time as charts with automatic refresh, the log information of each module can be displayed, and user login logs and resource access logs can be inspected.
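Steps S2 to S4 above, together with the requirement stated in the background that a node's certificate chain must be complete for clients to verify it, can be demonstrated end to end in one program: a constructed PKI (root, issuing intermediate, one leaf per node domain), the per-node check that a certificate chains to a trusted root and is valid for the node's domain name, and the terminating tls.Config that picks the private key and full chain for each SNI name from memory. The Go program below is an added example for this page, not code from the patent or its assignee. The names Example Root CA, Example Issuing CA and app.example.com, the 24-hour validity, the ECDSA P-256 keys and the helper names NewLab, VerifyNode and OffloadConfig are all assumptions of the example. It also narrows the patent's algorithm list to what a terminating node should actually offer: TLS 1.2 or later with AEAD cipher suites only, which excludes the DES, 3DES and MD5-based suites.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// node is one offload node: leaf, issuing intermediate and private key, held only in memory (step S3).
type node struct {
	leaf, issuer *x509.Certificate
	key          *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // constructed lab material; a real node would log and refuse the rollout
	}
	return v
}

// newCert mints an ECDSA P-256 certificate signed by parent (self-signed when parent is nil).
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // assumption: fine for a lab, not for a CA
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // hostname checks use the SAN, not the CN
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// NewLab builds a constructed PKI (root -> issuing CA -> one leaf per domain): trusted roots, intermediates pool, node table.
func NewLab(domains ...string) (roots, inters *x509.CertPool, nodes map[string]node) {
	root, rootKey := newCert("Example Root CA", true, nil, nil)
	inter, interKey := newCert("Example Issuing CA", true, root, rootKey)
	roots, inters, nodes = x509.NewCertPool(), x509.NewCertPool(), map[string]node{}
	roots.AddCert(root)
	inters.AddCert(inter)
	for _, d := range domains {
		leaf, key := newCert(d, false, inter, interKey)
		nodes[d] = node{leaf: leaf, issuer: inter, key: key}
	}
	return roots, inters, nodes
}

// VerifyNode is the per-node check of step S2: the leaf must chain to a trusted root through
// inters and be valid for the node's domain; a missing intermediate or hostname mismatch errors.
func VerifyNode(n node, inters, roots *x509.CertPool, domain string) error {
	_, err := n.leaf.Verify(x509.VerifyOptions{DNSName: domain, Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// OffloadConfig is the terminating side of step S4: key and chain are picked per SNI name from memory,
// the full chain (leaf + intermediate) is sent, only TLS 1.2+ AEAD suites are offered, unknown names refused.
func OffloadConfig(nodes map[string]node) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		},
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			n, ok := nodes[strings.ToLower(hello.ServerName)]
			if !ok {
				return nil, fmt.Errorf("no certificate for SNI %q", hello.ServerName)
			}
			return &tls.Certificate{Certificate: [][]byte{n.leaf.Raw, n.issuer.Raw}, PrivateKey: n.key, Leaf: n.leaf}, nil
		},
	}
}

func main() {
	roots, inters, nodes := NewLab("app.example.com")
	n := nodes["app.example.com"]
	fmt.Println("full chain:", VerifyNode(n, inters, roots, "app.example.com"))
	fmt.Println("missing intermediate:", VerifyNode(n, x509.NewCertPool(), roots, "app.example.com"))
}
```

Run with go run: the first line prints <nil> for the complete chain and the second an unknown-authority error, which is the failure every client would see from a node that has the leaf installed but not the intermediate. Hostname matching uses the Subject Alternative Name, so a certificate issued with only a CommonName fails the same check. The private key never leaves the process: it is generated in memory and handed to the TLS stack through GetCertificate, which also lets the node refuse a ClientHello for a name it does not serve instead of falling back to a default certificate.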
As shown in fig. 2, according to another aspect of the present invention, there is provided an SSL unified certificate offload system, including:
the SSL certificate acquisition module is used for responding to a request sent by a target client through a transmission security protocol sent by the SSL certificate management server and acquiring an SSL certificate from the SSL certificate management system;
the SSL certificate verification module is used for sending the acquired SSL certificates to nodes in the corresponding group, the nodes respectively correspond to the corresponding domain names and the back-end application servers, verification is carried out on the single SSL certificates based on the corresponding node information, and the nodes return verification results;
the SSL certificate decryption module is used for decrypting the verified SSL certificate in the local memory of the SSL certificate management server to obtain a target decryption key corresponding to the target client;
the request response module is used for carrying out SSL certificate unloading processing on the request sent by the transmission security protocol through the target decryption key to obtain the response of the request sent by the transmission security protocol corresponding to the target client;
the response sending module is used for sending the response of the request sent by the transmission security protocol to the target client and the SSL certificate management system;
the log monitoring module is used for monitoring the system in real time in the process of unloading the SSL certificate, and monitoring items comprise a CPU and a memory condition;
and the SSL certificate batch execution module is used for batch import, batch decryption and batch uninstallation of the SSL certificates. As one embodiment thereof, as shown in fig. 3, the SSL unified certificate offload system includes:
the SSL certificate acquisition module is used for responding to a request sent by a target client through a transmission security protocol sent by the SSL certificate management server and acquiring an SSL certificate from the SSL certificate management system;
the SSL certificate verification module is used for sending the acquired SSL certificates to nodes in the corresponding group, the nodes respectively correspond to the corresponding domain names and the back-end application servers, verification is carried out on the single SSL certificates based on the corresponding node information, and the nodes return verification results;
the SSL certificate decryption module is used for decrypting the verified SSL certificate in the local memory of the SSL certificate management server to obtain a target decryption key corresponding to the target client;
the request response module is used for carrying out SSL certificate unloading processing on the request sent by the transmission security protocol through the target decryption key to obtain the response of the request sent by the transmission security protocol corresponding to the target client;
the response sending module is used for sending the response of the request sent by the transmission security protocol to the target client and the SSL certificate management system;
the log monitoring module is used for monitoring the system in real time in the process of unloading the SSL certificate, and monitoring items comprise a CPU and a memory condition;
the SSL certificate batch execution module is used for batch import, batch decryption and batch unloading of SSL certificates;
the alarm display module is used for supporting CPU alarm, memory alarm, SSL connection number alarm, manager account login locking alarm and user account login locking alarm, and the alarm modes are mail, short message, mail and short message.
As one embodiment thereof, as shown in fig. 4, the SSL unified certificate offload system includes:
the SSL certificate acquisition module is used for responding to a request sent by a target client through a transmission security protocol sent by the SSL certificate management server and acquiring an SSL certificate from the SSL certificate management system;
the SSL certificate verification module is used for sending the acquired SSL certificates to nodes in the corresponding group, the nodes respectively correspond to the corresponding domain names and the back-end application servers, verification is carried out on the single SSL certificates based on the corresponding node information, and the nodes return verification results;
the SSL certificate decryption module is used for decrypting the verified SSL certificate in the local memory of the SSL certificate management server to obtain a target decryption key corresponding to the target client;
the request response module is used for carrying out SSL certificate unloading processing on the request sent by the transmission security protocol through the target decryption key to obtain the response of the request sent by the transmission security protocol corresponding to the target client;
the response sending module is used for sending the response of the request sent by the transmission security protocol to the target client and the SSL certificate management system;
the log monitoring module is used for monitoring the system in real time during SSL certificate offloading, and the monitored items include CPU and memory status;
the SSL certificate batch execution module is used for batch import, batch decryption and batch unloading of SSL certificates;
and the interface integration module supports the integration of interfaces with a third party platform or system according to the requirements of clients.
According to another aspect of the present invention, there is provided an SSL unified certificate offload device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the SSL unified certificate offload method according to the present invention when executing the computer program.
According to another aspect of the present invention, there is provided a computer-readable storage medium storing computer instructions which, when executed, cause a processor to implement the SSL unified certificate offload method of the present invention.
Meaning and necessity of SSL certificate offloading
As SSL traffic grows, its drawbacks also become apparent, the first of which is SSL latency. In HTTPS the SSL handshake must be completed after the TCP handshake, so HTTPS takes longer than HTTP; after the handshake the server must also spend additional processing capacity encrypting and decrypting the transmitted data, so inline SSL encryption inevitably consumes server performance. Intuitively, once a server enables SSL encryption its performance reaches only 20% of the original, with the remaining 80% of its computing capacity spent on SSL encryption operations.
SSL offloading technology now solves these problems: the SSL encryption and decryption work in the HTTPS access path is moved to an application-specific integrated circuit (ASIC) processor, which meets the demand for highly concurrent access while freeing processing capacity for the program or website, reduces the performance pressure on the server side, and ultimately improves the client's access response speed.
In addition, because SSL encrypts application-layer data, devices such as load balancers cannot extract cookies, URLs, paths and other elements of a user session. SSL offloading therefore serves two purposes: on the one hand it removes the load from the system as a whole, and on the other hand it hands the SSL-encrypted data to the processor in decrypted form so that such devices can work on it again.
The principle of SSL offloading is to intercept encrypted traffic before it reaches the server, then decrypt and analyse that traffic at the application delivery controller (ADC) or a dedicated SSL-termination device instead of at the application server.
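The offload principle described above, as an added Go example that is not part of the patent: a TLS-terminating front end decrypts the request and passes the plaintext to the backend logic, the client verifies the certificate against the node's domain name as in step S2 of the method, and a certificate issued for a different domain name fails the handshake. The domain names, the self-signed certificate and the stand-in backend reply are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)
// nodeCert builds a self-signed certificate for the node's domain name; it is
// constructed here in place of one imported from the certificate management system.
func nodeCert(domain string) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{domain},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // trust anchor the client verifies the node against
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}
// serve runs handle on each accepted connection until ln is closed.
func serve(ln net.Listener, handle func(net.Conn)) {
	for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
		go func(c net.Conn) { defer c.Close(); handle(c) }(c)
	}
}
// Offload terminates TLS with a certificate issued for certDomain and returns the reply
// seen by a client expecting expectDomain; a name mismatch fails the handshake (step S2).
func Offload(certDomain, expectDomain, msg string) (string, error) {
	cert, pool := nodeCert(certDomain)
	front, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	defer front.Close()
	go serve(front, func(c net.Conn) { // the offloader: TLS ends here, not at the backend
		buf := make([]byte, 1024)
		n, _ := c.Read(buf)                                    // Read yields the decrypted request
		c.Write(append([]byte("backend got: "), buf[:n]...)) // stand-in backend reply, re-encrypted on Write
	})
	conn, err := tls.Dial("tcp", front.Addr().String(), &tls.Config{RootCAs: pool, ServerName: expectDomain})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.Write([]byte(msg))
	reply, err := io.ReadAll(conn)
	return string(reply), err
}
```

The backend only ever sees plaintext; the CPU cost of the handshake and of record encryption stays on the front end, which is what the offload design moves away from the application server.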
In the description of the present specification, the descriptions of the terms "one embodiment," "example," "specific example," and the like, mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Finally, it should be noted that the preferred embodiments disclosed above are merely intended to help illustrate the invention. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise form disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, thereby enabling others skilled in the art to best understand and utilize the invention. The invention is limited only by the claims and their full scope and equivalents.

Claims (10)

  1. An SSL unified certificate offload method, characterized in that it is executed by an SSL certificate management server and comprises the steps of:
    S1, acquiring an SSL certificate: in response to a request sent by a target client through a transmission security protocol and sent by the SSL certificate management server, acquiring the SSL certificate from an SSL certificate management system;
    S2, verifying the SSL certificate: sending the acquired SSL certificate to the nodes in the corresponding group, where each node corresponds to a domain name and a back-end application server, verifying the single SSL certificate against the corresponding node information, and returning the verification result;
    S3, decrypting the SSL certificate: decrypting the verified SSL certificate in the local memory of the SSL certificate management server to obtain the target decryption key corresponding to the target client;
    S4, offloading the SSL certificate: performing SSL certificate offload processing on the request sent through the transmission security protocol using the target decryption key, obtaining the response to that request for the target client, and sending the response to the target client and the SSL certificate management system;
    S5, logging and monitoring: during SSL certificate offloading, the system is monitored in real time, and the monitored items include CPU and memory status.
  2. The SSL unified certificate offload method as claimed in claim 1, wherein: in S1, the transmission security protocols include HTTPS, POP3S, SMTPS and IMAPS.
  3. The SSL unified certificate offload method as claimed in claim 1, wherein: in S2, each SSL traffic flow is load-balanced separately during verification, and the load-balancing methods include, but are not limited to, round-robin polling, weighted round-robin polling, least connections, static proximity and dynamic proximity.
  4. The SSL unified certificate offload method as claimed in claim 1, wherein: in S3, decryption policies can be configured based on the source security domain, destination security domain, source address, destination address and SSL protocol service, with the action set to decrypt or not decrypt; exceptions can be set based on security domain, IPv4 address and IPv6 address; and the decrypted traffic can be mirrored to other devices for analysis and statistics.
  5. The SSL unified certificate offload method as set forth in claim 4, wherein: in S3, decryption is performed by a built-in algorithm package, the algorithm package including symmetric cryptographic algorithms including, but not limited to, DES (56 bits), 3DES (168 bits), AES (128 bits) and Blowfish, asymmetric algorithms including, but not limited to, RSA, DSA and DH, and hash algorithms including, but not limited to, MD5, SHA, Base64 and CRC.
  6. The SSL unified certificate offload method as claimed in claim 1, wherein: in S5, the uplink and downlink traffic of the device is displayed dynamically in real time in chart form with automatic refresh, the log information of each module can be displayed, and the logs of user logins and resource access can be viewed.
  7. An SSL unified certificate offload system comprising:
    the SSL certificate acquisition module is used for responding to a request sent by a target client through a transmission security protocol sent by the SSL certificate management server and acquiring an SSL certificate from the SSL certificate management system;
    the SSL certificate verification module is used for sending the acquired SSL certificates to nodes in the corresponding group, the nodes respectively correspond to the corresponding domain names and the back-end application servers, verification is carried out on the single SSL certificates based on the corresponding node information, and the nodes return verification results;
    the SSL certificate decryption module is used for decrypting the verified SSL certificate in the local memory of the SSL certificate management server to obtain a target decryption key corresponding to the target client;
    the request response module is used for carrying out SSL certificate unloading processing on the request sent by the transmission security protocol through the target decryption key to obtain the response of the request sent by the transmission security protocol corresponding to the target client;
    the response sending module is used for sending the response of the request sent by the transmission security protocol to the target client and the SSL certificate management system;
    the log monitoring module is used for monitoring the system in real time during SSL certificate offloading, and the monitored items include CPU and memory status;
    and the SSL certificate batch execution module is used for batch import, batch decryption and batch offloading of SSL certificates.
  8. The SSL unified certificate offload system of claim 7, further comprising: an alarm display module supporting CPU alarms, memory alarms, SSL connection-count alarms, administrator account login-lockout alarms and user account login-lockout alarms, the alarm delivery modes being mail, short message, or both mail and short message.
  9. The SSL unified certificate offload system of claim 7, further comprising: an interface integration module supporting the integration of interfaces with a third-party platform or system according to customer requirements.
  10. An SSL unified certificate offload device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the SSL unified certificate offload method according to any one of claims 1 to 6 when executing the computer program.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311431309.1A CN117411701A (en) 2023-10-31 2023-10-31 SSL unified certificate unloading system and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311431309.1A CN117411701A (en) 2023-10-31 2023-10-31 SSL unified certificate unloading system and equipment

Publications (1)

Publication Number Publication Date
CN117411701A true CN117411701A (en) 2024-01-16

Family

ID=89494091

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311431309.1A Pending CN117411701A (en) 2023-10-31 2023-10-31 SSL unified certificate unloading system and equipment

Country Status (1)

Country Link
CN (1) CN117411701A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination