US20190207979A1 - System and method of pre-establishing ssl session connections for faster ssl connection establishment - Google Patents
- Publication number: US20190207979A1
- Authority: US (United States)
- Prior art keywords: server, session, ssl, appliance, secure
- Legal status: Abandoned (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/04—Protocols specially adapted for terminals or networks with limited capabilities; specially adapted for terminal portability
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
- H04L67/125—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
- H04L67/14—Session management
- H04L67/146—Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
- H04L67/2823
- H04L67/2842
- H04L67/42
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/565—Conversion or adaptation of application format or content
- H04L67/568—Storing data temporarily at an intermediate stage, e.g. caching
Definitions
- the secure session pre-handshake establishment module may be further configured to increase a frequency count of the matching server based on the determination that there is a matching server.
- SSL: Secure Socket Layer
- the method comprises facilitating a secure session connection request between an appliance and a server associated with a website, with the secure session connection request including a name of the server associated with the website.
- the facilitation causes the appliance to receive session information.
- FIG. 6 is a flowchart representing an exemplary method of pre-establishing SSL session connections for faster SSL connection establishment, consistent with embodiments of the present disclosure.
- Public network 104 and private network 110 can be any type of network such as a wide area network (WAN), a local area network (LAN), or a metropolitan area network (MAN).
- WAN: wide area network
- LAN: local area network
- MAN: metropolitan area network
- a WAN can be the Internet or the World Wide Web
- a LAN can be a corporate Intranet.
- Public network 104 and private network 110 can be a wired network or a wireless network.
- Appliances 108 and 108′ and gateway 106 can be deployed as or executed on any type and form of specific computing device (e.g., such as the computing device of FIGS. 2A-2B) capable of communicating on any type and form of network described herein. Appliances 108 and 108′ can be deployed individually or as a pair operatively connected together.
- FIG. 4 is a block diagram of an exemplary protocol stack 400 of appliance 108 and/or 108′, consistent with embodiments of the present disclosure.
- appliance 108 and/or 108′ can be configured to have a security layer, e.g., SSL/TLS layer 430.
- the SSL/TLS layer 430 can include SSL session exchange module 322 (depicted in FIG. 3) and a secure socket Application Programming Interface (API) (not shown).
- the security layer, e.g., SSL/TLS layer 430 of FIG. 4, can use underlying layers for reliable communications. Such underlying layers can be provided by, e.g., Transport Control Protocol (TCP) layer 420 and Internet Protocol (IP) layer 410.
- TCP: Transport Control Protocol
- IP: Internet Protocol
- Network environment 500 can have a plurality of SSL/TLS connections at two or more stages between client device 102 and public server 150 .
- the public server 150 associated with the website can provide appliance 108 with information about sub-servers 160A-160C. Then, using this information, appliance 108 can perform SSL/TLS full handshake procedures (e.g., 530, 540, and 550) with each of the sub-servers 160A-160C. Appliance 108 can acquire session information such as session identifier and/or session ticket information via SSL/TLS full handshake procedures. Such session information can be used to reuse at least one session connection (e.g., 551) to the server associated with the website and/or each of the sub-servers 160A-160C. Alternatively, appliance 108 can pre-establish at least one SSL session connection to the server associated with the website and/or each of the sub-servers 160A-160C, which is described in the following FIG. 6.
- When determining that session information corresponding to the plurality of secure session connection requests has not been cached, appliance 108 also accumulates one or more secure session connection requests for a predetermined time period at step 730. For example, appliance 108 receives 10 secure connection requests from a client device within 0.5 seconds and determines that session information corresponding to 7 of the 10 received secure connection requests has not been cached. Then, appliance 108 accumulates those 7 secure connection requests to form a server group. Appliance 108 can configure the predetermined time period, i.e., how long to accumulate secure session connection requests.
- FIG. 8 is a flowchart representing an exemplary method 800 of refining a server group, consistent with embodiments of the present disclosure. It will be readily appreciated that the illustrated procedure can be altered to delete steps or further include additional steps. While method 800 is described as being performed by appliance 108, it is appreciated that other components can be added or omitted and the method 800 can be performed by other devices alone (e.g., appliance 108′) or in combination with appliance 108.
- appliance 108 can determine a list of server names in multiple server groups by accumulating all new SSL connections made by a client device within a pre-configured time period (e.g., 0.5 second). Appliance 108 can form multiple server groups of server names based on the SSL connections formed by a particular client device to load a web page or a set of web pages. While forming the multiple server groups, appliance 108 does not count an SSL connection whose session details have already been cached.
- The sub-server names comprise a plurality of server names 941A-941C and a corresponding frequency count 942A-942C for each of the server names 941A-941C.
- Session-related parameter 950A can comprise session information such as session identifier 951A and session ticket 952. Session identifier 951A information can comprise the session identifier, session ID length, chosen ciphersuite, chosen compression, start time, max fragment length, the master key and other related flags and details. Session ticket 952 information can comprise the session ticket, session ticket length, and session ticket lifetime.
- Timeout 960A indicates the time period during which server group ID 920A is valid. After the timeout 960A value expires, server group ID 920A becomes obsolete and/or is deleted from the data structure.
- Server group ID 920B has substantially similar server group parameter information to that of server group ID 920A.
Description
- This application is a continuation of Ser. No. 15/010,692 filed Jan. 29, 2016, which is hereby incorporated herein in its entirety by reference.
- A middlebox is a network appliance that manipulates Internet traffic by optimizing data flow across the network. Middleboxes can be configured as wide area network (“WAN”) optimizers and can be deployed in pairs across two geographically separated locations to optimize data traffic between the two middleboxes. Middleboxes can be connected through a single link or multiple links such as a leased line link and a broadband link. Middleboxes, which may be called WAN optimizers, can work as a pair of devices whose primary job is optimizing the network traffic, providing a better user experience.
- For high availability networks, it is common to establish secure connections between two end point entities, for example between a client device and a web server. One or more middleboxes can be deployed between the two end point entities. Middleboxes can proxy one or more secure connections by monitoring secure connections on a first link between one end point entity and a middlebox and forming a new secure connection between the middlebox and the other end point entity based on the first link.
- In a typical Secure Socket Layer/Transport Layer Security (SSL/TLS) connection between a client and a server, a single web session to a server can create multiple SSL/TLS connections to a server. Also when a web page gets refreshed, multiple secure connections are created to a server. In the environment where multiple SSL/TLS connections to the server are proxied by a cluster of middleboxes, each of the connections can be proxied by a different middlebox from the cluster. Based on current technology, each of the middleboxes in the cluster would have to establish an SSL full handshake with the server to obtain certificates and to compute necessary keys for establishing a secure connection.
- The problem is that, more often than not, a single connection request to the server associated with a single website is followed by a series of user requests to other related websites, leading to multiple SSL session connections to different servers with different fully qualified domain names. To establish these connections, the middlebox has to perform an SSL full handshake with each of the servers and other related servers to obtain a certificate and compute the necessary security keys to establish a secure channel. This task is, however, highly CPU intensive and might involve an additional Round Trip Time (RTT) and additional data to fetch the certificate chain.
- An appliance of pre-establishing Secure Socket Layer (SSL) session connections for SSL connection establishment is provided. The appliance includes a secure session pre-handshake establishment module configured to facilitate a secure session connection request between an appliance and a server associated with a website, with the secure session connection request including a name of the server associated with the website, and wherein the facilitation causes the appliance to receive session information.
- The secure session pre-handshake establishment module reuses at least one session to one or more servers listed in a server group if the session information corresponding to the secure session connection request has been cached. If that session information has not been cached, the module forms secure session connections between the appliance and the servers listed in the server group to pre-establish one or more SSL connections, so that when one or more SSL connection requests are received, the pre-established SSL connections can be used without performing full SSL handshake procedures.
- The secure session pre-handshake establishment module may be further configured to identify the server group based on information of the server associated with the website in the secure session connection request.
- The names of the servers listed in the server group may comprise a head server name and a plurality of sub-server names. A head server represents at least one webpage comprising a plurality of objects, provided by the plurality of sub-servers, that are needed to completely load the at least one webpage.
- The secure session pre-handshake establishment module may be further configured to determine whether there is a matching server among the head server name and the plurality of sub-server names in the server group, the matching server matching the server associated with the website.
- The secure session pre-handshake establishment module may be further configured to increase a frequency count of the matching server based on the determination that there is a matching server.
- The session information may comprise at least one of session identifier and session ticket information. The session information is acquired based on an SSL/Transport Layer Security (TLS) full handshake protocol.
- The secure session pre-handshake establishment module may be further configured to accumulate the session connection request and subsequent session connection requests for a predetermined time period, based on the determination that session information corresponding to the session connection request and the subsequent session connection requests has not been cached. A determination is made whether there are one or more matching servers in the server group matching to the session connection request and the subsequent session connection requests. A frequency count of each of the one or more matching servers is updated based on the determination that there are the one or more matching servers.
- The secure session pre-handshake establishment module may be further configured to add or delete at least one server from the server group based on a number of the frequency count.
- The secure session pre-handshake establishment module may be further configured to accumulate SSL connections made by a client device for a predetermined time period, and determine a list of one or more server names belonging to the server group based on the accumulated SSL connections.
- Another aspect is directed to a method of pre-establishing Secure Socket Layer (SSL) session connections for SSL connection establishment. The method comprises facilitating a secure session connection request between an appliance and a server associated with a website, with the secure session connection request including a name of the server associated with the website. The facilitation causes the appliance to receive session information.
- At least one session to one or more servers listed in a server group is reused if the session information corresponding to the secure session connection request has been cached. Secure session connections are formed between the appliance and servers listed in the server group if the session information corresponding to the secure session connection request has not been cached to pre-establish one or more SSL connections so that when one or more SSL connection requests are received, the one or more pre-established SSL connections can be used without performing full SSL handshake procedures.
- Yet another aspect is directed to a non-transitory computer readable storage medium that stores a set of instructions that are executable by at least one processor of an appliance to cause the appliance to perform a method of pre-establishing Secure Socket Layer (SSL) session connections for SSL connection establishment. The method performed is as described above.
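The following Python simulation is an added illustration of the module the summary describes (cache lookup, the accumulation window, a server group with frequency counts and a timeout, pre-establishment of sub-server connections, and refinement by frequency count); it is not the patent's or the vendor's code. The class names, the fake handshake, the 300-second lifetimes and the host names are assumptions; the 0.5-second window is the page's own figure.

```python
# Simulation of the secure session pre-handshake module (FIGS. 6-9). Added example, not the
# patent's code: class names, the fake handshake, timeouts and host names are assumptions.
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

ACCUMULATION_WINDOW = 0.5   # seconds; the page's pre-configured accumulation period


@dataclass
class SessionInfo:
    """Session identifier / ticket acquired via a full handshake (parameter 950A)."""
    session_id: bytes
    session_ticket: Optional[bytes]
    issued_at: float
    lifetime: float          # seconds; mirrors the session ticket lifetime

    def valid_at(self, now: float) -> bool:
        return now < self.issued_at + self.lifetime


@dataclass
class ServerGroup:
    """Head server plus sub-servers with frequency counts and a timeout (FIG. 9)."""
    head: str
    counts: Dict[str, int]   # server name -> frequency count (941A-C / 942A-C)
    expires_at: float        # timeout 960A


def fake_full_handshake(server_name: str, now: float) -> SessionInfo:
    """Constructed stand-in for the SSL/TLS full handshake: returns synthetic session info."""
    sid = hashlib.sha256(f"{server_name}:{now}".encode()).digest()
    return SessionInfo(session_id=sid, session_ticket=None, issued_at=now, lifetime=300.0)


class PreHandshakeModule:
    def __init__(self, full_handshake: Callable[[str, float], SessionInfo],
                 group_timeout: float = 300.0) -> None:
        self.full_handshake, self.group_timeout = full_handshake, group_timeout
        self.sessions: Dict[str, SessionInfo] = {}   # cached session info per server name
        self.groups: List[ServerGroup] = []
        self.pending: List[str] = []                 # uncached requests in the open window
        self.window_start: Optional[float] = None
        self.pre_established: Set[str] = set()       # connections ready for the next request

    def find_group(self, server_name: str) -> Optional[ServerGroup]:
        # Identify the group in which the name appears as head server or sub-server.
        return next((g for g in self.groups if server_name in g.counts), None)

    def tick(self, now: float) -> None:
        """Drop timed-out groups and close the accumulation window once it has elapsed."""
        self.groups = [g for g in self.groups if now < g.expires_at]
        if self.window_start is not None and now - self.window_start >= ACCUMULATION_WINDOW:
            self.form_group(now)

    def form_group(self, now: float) -> None:
        """The uncached requests of one window become one server group (FIG. 7)."""
        names = list(dict.fromkeys(self.pending))    # de-duplicate, keep arrival order
        self.pending, self.window_start = [], None
        if names:                                    # first name seen acts as head server
            self.groups.append(ServerGroup(names[0], {n: 1 for n in names}, now + self.group_timeout))

    def pre_establish(self, group: ServerGroup, now: float) -> None:
        """Form connections to every sub-server in the group before the client asks for them."""
        for name in (n for n in group.counts if n != group.head):
            info = self.sessions.get(name)
            if info is None or not info.valid_at(now):
                self.sessions[name] = self.full_handshake(name, now)   # refresh stale entry
            self.pre_established.add(name)           # otherwise resumed from the cached id/ticket

    def request(self, server_name: str, now: float) -> str:
        """Serve one secure session connection request (FIG. 6); returns how it was served."""
        self.tick(now)
        group = self.find_group(server_name)
        if group is not None:
            group.counts[server_name] += 1           # matching server: bump its frequency count
        if server_name in self.pre_established:
            self.pre_established.discard(server_name)
            return "pre-established"
        info = self.sessions.get(server_name)
        if info is not None and info.valid_at(now):
            if group is not None and group.head == server_name:
                self.pre_establish(group, now)       # head server hit: warm up its sub-servers
            return "resumed"                         # abbreviated handshake, no certificate fetch
        if self.window_start is None:                # not cached: open the accumulation window
            self.window_start = now
        self.pending.append(server_name)
        self.sessions[server_name] = self.full_handshake(server_name, now)
        return "full"

    def refine(self, group: ServerGroup, min_count: int) -> None:
        """Delete sub-servers whose frequency count is below the threshold (FIG. 8)."""
        group.counts = {n: c for n, c in group.counts.items() if n == group.head or c >= min_count}


def run_scenario() -> List[str]:
    """Constructed trace: a page load touching three hosts, then a revisit one second later."""
    module = PreHandshakeModule(fake_full_handshake)
    hosts = ("www.example.test", "cdn.example.test", "img.example.test")
    return [module.request(h, 0.0) for h in hosts] + [module.request(h, 1.0) for h in hosts]
```

The first visit costs three full handshakes; on the revisit the head server resumes from cache and the two sub-servers are already pre-established, which is the saving the summary claims.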
- Reference will now be made to the accompanying drawings showing example embodiments of this disclosure. In the drawings:
- FIG. 1 is a block diagram of an exemplary network environment, consistent with embodiments of the present disclosure.
- FIGS. 2A-2B are block diagrams of an exemplary computing device, consistent with embodiments of the present disclosure.
- FIG. 3 is a block diagram of an exemplary appliance illustrated in FIG. 1, consistent with embodiments of the present disclosure.
- FIG. 4 is a block diagram of an exemplary protocol stack of appliance, consistent with embodiments of the present disclosure.
- FIG. 5 is a block diagram of an exemplary network environment, consistent with embodiments of the present disclosure.
- FIG. 6 is a flowchart representing an exemplary method of pre-establishing SSL session connections for faster SSL connection establishment, consistent with embodiments of the present disclosure.
- FIG. 7 is a flowchart representing an exemplary method of forming a server group, consistent with embodiments of the present disclosure.
- FIG. 8 is a flowchart representing an exemplary method of refining a server group, consistent with embodiments of the present disclosure.
- FIG. 9 is an exemplary data structure providing a server group for a client device, consistent with embodiments of the present disclosure.
- Reference will now be made in detail to the exemplary embodiments implemented according to the present description, the examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts.
- The embodiments described herein provide improved efficiency of secure connections in a network. The efficient secure connections can be realized by proxying a secure connection between one middlebox device and a server, e.g., a web server, via an SSL/TLS full handshake procedure, and using server group information containing a head server name, the sub-server names associated with the head server name, session information, frequency count information, etc. This can improve the efficiency of SSL/TLS connections without necessarily performing SSL/TLS full handshake procedures whenever a new session connection request to the same server is received. Moreover, the embodiments described herein can be less CPU intensive and can use less Round Trip Time (RTT) and less data to fetch the certificate chain when computing session keys.
- FIG. 1 is a block diagram of an exemplary network environment 100. While exemplary network environment 100 is directed to a virtual network environment, it is appreciated that the network environment can be any type of network that communicates using packets. Network environment 100 can include one or more client devices 102, public network 104, gateway 106, an appliance 108, a private network 110, a data center 120, a branch office 140, and a public server 150.
- One or more client devices 102 are devices that can acquire remote services from data center 120 through various means. Client devices 102 can communicate with data center 120 either directly (e.g., client device 102F) or indirectly through public network 104 (e.g., client devices 102A-D) or private network 110 (e.g., client device 102E). When client device 102 communicates through public network 104 or private network 110, a communication link can be established. For example, a link can be established by public network 104, gateway 106, and appliance 108, thereby providing a client device (e.g. client devices 102A-D) access to data center 120. A link can also be established by branch office 140 including appliance 108′, private network 110, and appliance 108, thereby providing a client device (e.g. client device 102E) access to data center 120. While client devices 102 are portrayed as a computer (e.g., client device 102B), a tablet (e.g., client device 102C), and a mobile smart phone (e.g., client device 102D), it is appreciated that client device 102 could be any type of device (e.g., wearable or smart watch) that communicates packets to and from data center 120.
- Public network 104 and private network 110 can be any type of network such as a wide area network (WAN), a local area network (LAN), or a metropolitan area network (MAN). As an example, a WAN can be the Internet or the World Wide Web, and a LAN can be a corporate Intranet. Public network 104 and private network 110 can be a wired network or a wireless network.
- Gateway 106 is a physical device or is software that is part of a physical device that interfaces between two networks having different protocols. Gateway 106, for example, can be a server, a router, a host, or a proxy server. In some embodiments, gateway 106 can include or be coupled to a firewall separating gateway 106 from public network 104 (e.g., Internet). Gateway has the ability to modify signals received from client device 102 into signals that appliance 108 and/or data center 120 can understand and vice versa.
- Appliance 108 is a device that optimizes wide area network (WAN) traffic by including, for example, a quality of service (“QoS”) engine. In some embodiments, appliance 108 optimizes other types of network traffic, such as local area network (LAN) traffic, metropolitan area network (MAN) traffic, or wireless network traffic. Appliance 108 can optimize network traffic by, for example, scheduling data packets in an established communication link so that the data packets can be transmitted or dropped at a scheduled time and rate. In some embodiments, appliance 108 is a physical device, such as Citrix System's ByteMobile™, Netscaler™, or CloudBridge™. In some embodiments, appliance 108 can be a virtual appliance. In some embodiments, appliance can be a physical device having multiple instances of virtual machines (e.g., virtual Branch Repeater). A first appliance (e.g., appliance 108) can work in conjunction with or in cooperation with a second appliance (e.g., appliance 108′) to optimize network traffic. For example, the first appliance can be located between the WAN and a corporate LAN (e.g., data center 120), while the second appliance can be located between branch office (e.g., branch office 140) and a WAN connection. In some embodiments, the functionality of gateway 106 and appliance 108 can be located in a single physical device. Moreover, in some embodiments, appliance 108 and gateway 106 can be part of the same device. Appliance 108 is further described below with reference to FIG. 3.
- Data center 120 is a central repository, either physical or virtual, for the storage, management, and dissemination of data and information pertaining to a particular public or private entity. Data center 120 can be used to house computer systems and associated components, such as one or more physical servers, virtual servers, and storage systems. Data center 120 can include, among other things, one or more servers (e.g., enterprise server 122) and a backend system 130. In some embodiments data center 120 can include gateway 106, one or more appliances 108, or a combination of both.
- Enterprise server 122 is an entity represented by an IP address and can exist as a single entity or a member of a server farm. Enterprise server 122 can be a physical server or a virtual server. In some embodiments, enterprise server 122 can include a hardware layer, an operating system, and a hypervisor creating or managing one or more virtual machines. Enterprise server 122 provides one or more services to an endpoint. These services include providing one or more applications 128 to one or more endpoints (e.g., client devices 102A-F or branch office 140). For example, applications 128 can include Microsoft Windows™-based applications and computing resources.
- Desktop delivery controller 124 is a device that enables delivery of services, such as virtual desktops 126, to client devices 102A-F or branch office 140. Desktop delivery controller 124 provides functionality required to manage, maintain, and optimize all virtual desktop communications.
- In some embodiments, the services include providing one or more virtual desktops 126 that can provide one or more applications 128. Virtual desktops 126 can include hosted shared desktops, allowing multiple users to access a single shared Remote Desktop Services desktop, virtual desktop infrastructure desktops allowing each user to have their own virtual machine, streaming disk images, a local virtual machine, individual applications (e.g., one or more applications 128), or a combination thereof.
- Backend system 130 is a single or multiple instances of computer networking hardware, appliances, or servers in a server farm or a bank of servers and interfaces directly or indirectly with enterprise server 122. For example, backend system 130 can include Microsoft Active Directory™, which can provide a number of network services, including lightweight directory access protocol (LDAP) directory services, Kerberos-based authentication, domain name system (DNS)-based naming and other network information, and synchronization of directory updates amongst several servers. Backend system 130 can also include, among other things, an Oracle™ backend server, a SQL Server backend, and/or a dynamic host configuration protocol (DHCP). Backend system 130 can provide data, services, or a combination of both to data center 120, which can then provide that information via varying forms to client devices 102 or branch office 140.
- Branch office 140 is part of a local area network (LAN) that is part of the Wireless LAN (WLAN) having data center 120. Branch office 140 can include, among other things, appliance 108′ and remote backend 142. In some embodiments, appliance 108′ can sit between branch office 140 and private network 110. As stated above, appliance 108′ can work with appliance 108. Remote backend 142 can be set up in similar manner as backend system 130 of data center 120. Client device 102E can be located on-site to branch office 140 or can be located remotely from branch office 140.
- Public server 150 is an entity represented by an IP address. Public server 150 can be a physical server or a virtual server. In some embodiments, public server 150 can include a hardware layer, an operating system, and a security agent issuing security-related parameters such as public keys, cipher certificates, session identifiers and session tickets, and managing one or more secure connections. Public server 150 can be accessed directly or indirectly by client devices 102A-F. Public server 150 provides one or more services to an endpoint. These services include one or more applications, such as web-browser applications, to one or more endpoints (e.g., client devices 102A-F, data center 120, or branch office 140). Public server 150 can provide secure connections using Internet security protocols, e.g., SSL/TLS protocols, for secure services to one or more endpoints (e.g., client devices 102A-F, data center 120, or branch office 140). The present application describes improved efficiency of SSL/TLS connections by proxying connections between a middlebox and another middlebox or public server 150. However, it is appreciated that the disclosed method can be applicable to any kind of connection between two apparatuses to improve efficiency of SSL/TLS connections.
- Appliances 108 and 108′ and gateway 106 can be deployed as or executed on any type and form of specific computing device (e.g., such as the computing device of FIGS. 2A-2B) capable of communicating on any type and form of network described herein. Appliances 108 and 108′ can be deployed individually or as a pair operatively connected together.
- As shown in FIGS. 2A-2B, each computing device 200 includes a central processing unit (CPU) 221 and a main memory 222. CPU 221 can be any logic circuitry that responds to and processes instructions fetched from the main memory 222. CPU 221 can be a single or multiple microprocessors, field-programmable gate arrays (FPGAs), or digital signal processors (DSPs) capable of executing particular sets of instructions stored in a memory (e.g., main memory 222) or cache (e.g., cache 240). The memory includes a tangible and/or non-transitory computer-readable medium, such as a flexible disk, a hard disk, a CD-ROM (compact disk read-only memory), MO (magneto-optical) drive, a DVD-ROM (digital versatile disk read-only memory), a DVD-RAM (digital versatile disk random-access memory), flash drive, flash memory, registers, caches, or a semiconductor memory. Main memory 222 can be one or more memory chips capable of storing data and allowing any storage location to be directly accessed by CPU 221. Main memory 222 can be any type of random access memory (RAM), or any other available memory chip capable of operating as described herein. In the exemplary embodiment shown in FIG. 2A, CPU 221 communicates with main memory 222 via a system bus 250. Computing device 200 can also include a visual display device 224 and an input/output (I/O) device 230 (e.g., a keyboard, mouse, or pointing device) connected through I/O controller 223, both of which communicate via system bus 250. One of ordinary skill in the art would appreciate that CPU 221 can also communicate with main memory 222 and other devices in manners other than through system bus 250, such as through serial communication manners or point-to-point communication manners. Furthermore, I/O device 230 can also provide storage and/or an installation medium for the computing device 200.
- FIG. 2B depicts an embodiment of an exemplary computing device 200 in which CPU 221 communicates directly with main memory 222 via a memory port 203. CPU 221 can communicate with a cache 240 via a secondary bus (not shown), sometimes referred to as a backside bus. In some other embodiments, CPU 221 can communicate with cache 240 via system bus 250. Cache 240 typically has a faster response time than main memory 222. In some embodiments, such as the embodiment shown in FIG. 2B, CPU 221 can communicate directly with I/O device 230 via an I/O port (not shown). In further embodiments, I/O device 230 can be a bridge 270 between system bus 250 and an external communication bus, such as a USB bus, an Apple Desktop Bus, an RS-232 serial connection, a SCSI bus, a FireWire™ bus, a FireWire 800™ bus, an Ethernet bus, an AppleTalk™ bus, a Gigabit Ethernet bus, an Asynchronous Transfer Mode bus, a HIPPI bus, a Super HIPPI bus, a SerialPlus bus, a SCI/LAMP bus, a FibreChannel™ bus, or a Serial Attached small computer system interface bus, or some other type of data bus.
- As shown in FIG. 2A, computing device 200 can support any suitable installation device 216, such as a disk drive or other input port for receiving one or more computer-readable media such as, for example, a USB device, flash drive, SD memory card; a hard-drive; or any other device suitable for installing software and programs such as any client agent 220, or portion thereof. Computing device 200 can further comprise a storage device 228, such as one or more hard disk drives or redundant arrays of independent disks, for storing an operating system and other related software, and for storing application software programs such as any program related to client agent 220. Optionally, any of the installation devices 216 could also be used as storage device 228.
- Furthermore, computing device 200 can include a network interface 218 to interface to a LAN, WAN, MAN, or the Internet through a variety of links including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T1, T3, 56 kb, X.25), broadband links (e.g., ISDN, Frame Relay, ATM), wireless connections (Wi-Fi, Bluetooth, Z-Wave, Zigbee), or some combination of any or all of the above. Network interface 218 can comprise a built-in network adapter, network interface card, PCMCIA network card, card bus network adapter, wireless network adapter, USB network adapter, modem or any other device suitable for interfacing computing device 200 to any type of network capable of communication and performing the operations described herein.
FIG. 3 is a block diagram of an exemplary appliance 108 and/or 108′ illustrated in FIG. 1, consistent with embodiments of the present disclosure. Appliance 108 can include an SSL session exchange module 322, an SSL pre-handshake establishment module 342, and one or more network interfaces 218A-N consistent with network interface 218 of FIG. 2A. Although FIG. 3 depicts network interfaces 218A-218N as two network interfaces, it is appreciated that interfaces 218A-218N can include any number of network interfaces.
SSL session exchange module 322 is a module, that is, a packaged functional hardware unit designed for use with other components, or a part of a program that performs a particular function or set of related functions. In some aspects, SSL session exchange module 322 can operate on two or more devices, for example, in branch office 140 or at data center 120, and on public server 150, functionally connected to provide more efficient SSL/TLS connections. Each device having SSL session exchange module 322 can be configured to perform the SSL full handshake procedure to make a secure session connection between client devices 102 and appliance 108 or 108′, and between the appliance and public server 150.
SSL pre-handshake establishment module 342 is a module for providing more efficient pre-establishment of SSL/TLS session connections for faster SSL connections. In some aspects, SSL pre-handshake establishment module 342 can operate on two or more devices, for example, in branch office 140 or at data center 120, and on public server 150, functionally connected to provide this functionality. Each device having SSL pre-handshake establishment module 342 can be configured to facilitate a secure session connection between a client device and a server associated with a website, wherein the facilitation causes the appliance to receive session information, determine whether session information corresponding to the secure session connection request has been cached, determine whether the server is associated with a server group when session information has not been cached, and form secure session connections between the client device and the servers listed in the server group when the server is associated with a server group. SSL pre-handshake establishment module 342 can be configured to identify a server group based on information about the server associated with the website in the secure session connection request. The secure session connection request can include the name of the server associated with the website in the Server Name Indication (SNI) field of a data packet (e.g., a Client Hello packet). The name of the server in the Server Name Indication field can be matched to a head server name, as shown in FIG. 9. The servers listed in the server group comprise a head server name and a plurality of sub-server names, the head server representing at least one webpage that comprises a plurality of objects provided by the plurality of sub-servers, all of which are needed to load the at least one webpage completely.
SSL pre-handshake establishment module 342 can also be configured to determine whether there is a matching server among the head server name and the plurality of sub-server names in the server group, the matching server corresponding to the server associated with the website. SSL pre-handshake establishment module 342 can also be configured to increase a frequency count of the matching server when there is a matching server. SSL pre-handshake establishment module 342 can also be configured to reuse at least one session to one or more servers listed in the server group, for example, by performing an abbreviated SSL/TLS handshake in accordance with Internet Engineering Task Force (IETF) Request For Comments (RFC) 5077, when session information corresponding to the secure session connection request has been cached. The session information comprises at least one of a session identifier and session ticket information that can be acquired through an SSL/Transport Layer Security (TLS) full handshake. SSL pre-handshake establishment module 342 can further be configured to accumulate the session connection request and subsequent session connection requests for a predetermined time period when session information corresponding to those requests has not been cached, determine whether there are one or more matching servers in the server group for those requests, update a frequency count of each of the one or more matching servers when there are matching servers, and add or delete at least one server from the server group based on the value of the frequency count.
FIG. 4 is a block diagram of an exemplary protocol stack 400 of appliance 108 and/or 108′, consistent with embodiments of the present disclosure. According to some embodiments, appliance 108 and/or 108′ can be configured to have a security layer, e.g., SSL/TLS layer 430. The SSL/TLS layer 430 can include SSL session exchange module 322 (depicted in FIG. 3) and a secure socket Application Programming Interface (API) (not shown). The security layer, e.g., SSL/TLS layer 430 of FIG. 4, can use underlying layers for reliable communications. Such underlying layers can be provided by, e.g., Transmission Control Protocol (TCP) layer 420 and Internet Protocol (IP) layer 410. Applications, such as web service applications, can use the secure socket API to encrypt communication with any remote application that communicates according to the SSL/TLS protocol. Secure web server applications on public server 150 can be accessed by any standard Internet web browser using application protocols such as HyperText Transfer Protocol (HTTP) 440, File Transfer Protocol (FTP) 450, Simple Mail Transfer Protocol (SMTP) 460, etc. on top of SSL/TLS 430.
In some embodiments, SSL/TLS layer 430 can include a record protocol layer 431, a handshake protocol layer 432, a change cipher spec protocol layer 433, and an alert protocol layer 434, as referenced in IETF RFC 6101. The record protocol layer 431 receives uninterpreted data from higher layers, e.g., the application layer. The record protocol layer 431 is responsible for fragmenting that data into records of bounded length, optionally compressing the fragments, and applying the MAC and encryption to each record. The record protocol layer 431 is also responsible for adding the SSL record header to each packet.
The handshake protocol layer 432, which operates on top of the record protocol layer 431, produces the cryptographic parameters of the session state. As an example, primary SSL session exchange module 322A that operates in appliance 108 can act as the SSL client, and public server 150 can act as the SSL server. When an SSL client and an SSL server first start communicating, they agree on a protocol version, select cryptographic algorithms, optionally authenticate each other, and use public key techniques to generate shared secrets. These processes are performed in the handshake protocol, which can be summarized as follows: the SSL client sends a client hello message, to which the SSL server must respond with a server hello message, or else a fatal error will occur and the connection will fail. The client hello and server hello are used to establish security enhancement capabilities between the SSL client and the SSL server. The client hello and server hello establish the following attributes: Protocol Version, Session ID, Cipher Suite, and Compression Method. Additionally, two random values are generated and exchanged: ClientHello.random and ServerHello.random.
The change cipher spec protocol layer 433 signals transitions in ciphering strategies between the SSL client and the SSL server. In other words, either side sends a message to notify the other that subsequent records are to be protected under the just-negotiated CipherSpec and keys.
The alert protocol layer 434 supports alert messages that convey the severity of a message and a description of the alert. Alerts include, for example, closure alerts and error alerts. Closure alerts notify the peer that a connection is ending, so that an orderly close can be distinguished from a truncation attack. Error alerts report a detected error. Upon transmission or receipt of a fatal alert message, both the SSL client and the SSL server immediately close the connection.
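The appliance described above reads the server name from the Server Name Indication field of the Client Hello, which arrives inside the record and handshake layers just described. The following Python is an added example, not code from the patent or from any appliance vendor: it builds a TLS 1.2 ClientHello in memory and then parses it the way a middlebox has to, bounding every length field before using it, because the record comes from a client that has not yet been authenticated. The host names, the two cipher suite values and the zeroed random are constructed sample data, and `build_client_hello`, `parse_client_hello` and `sni_or_none` are hypothetical names.

```python
import struct
from typing import Optional

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
EXT_SERVER_NAME = 0          # RFC 6066 server_name extension
MAX_RECORD_LEN = 2 ** 14     # RFC 5246 section 6.2.1 bound on TLSPlaintext.length


class TLSParseError(ValueError):
    """A length field that does not fit the bytes actually received."""


def _take(buf: bytes, pos: int, n: int) -> tuple:
    """Return buf[pos:pos+n] and the new offset; never reads past the end of buf."""
    if pos + n > len(buf):
        raise TLSParseError(f"{n} bytes at offset {pos} exceed the {len(buf)} received")
    return buf[pos:pos + n], pos + n


def build_client_hello(server_name: str, session_id: bytes = b"") -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello record carrying SNI."""
    if len(session_id) > 32:
        raise ValueError("session_id is at most 32 bytes")
    host = server_name.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(host)) + host      # NameType host_name (0)
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    suites = struct.pack("!HH", 0xC02F, 0xC030)                 # two ECDHE-RSA-AES-GCM suites
    body = (b"\x03\x03"                                         # client_version TLS 1.2
            + bytes(32)                                         # ClientHello.random, zeroed sample
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                       # compression_methods: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_TYPE_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


def _find_sni(exts: bytes) -> Optional[str]:
    """Walk the extensions block and return the first host_name entry, if any."""
    q = 0
    while q < len(exts):
        hdr, q = _take(exts, q, 4)
        etype, elen = struct.unpack("!HH", hdr)
        data, q = _take(exts, q, elen)
        if etype != EXT_SERVER_NAME:
            continue
        lst_len, r = _take(data, 0, 2)
        lst, _ = _take(data, r, struct.unpack("!H", lst_len)[0])
        s = 0
        while s < len(lst):
            e, s = _take(lst, s, 3)                               # NameType, u16 length
            name, s = _take(lst, s, struct.unpack("!H", e[1:3])[0])
            if e[0] == 0:
                try:
                    return name.decode("ascii")                   # RFC 6066: ASCII A-labels only
                except UnicodeDecodeError as exc:
                    raise TLSParseError("non-ASCII host_name") from exc
    return None


def parse_client_hello(record: bytes) -> dict:
    """Parse one ClientHello record, checking every length before it is trusted."""
    hdr, pos = _take(record, 0, 5)
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", hdr)
    if ctype != CONTENT_TYPE_HANDSHAKE:
        raise TLSParseError(f"content type {ctype} is not handshake")
    if rec_len > MAX_RECORD_LEN:
        raise TLSParseError("record length exceeds 2^14")
    hs, _ = _take(record, pos, rec_len)
    h, p = _take(hs, 0, 4)
    if h[0] != HANDSHAKE_CLIENT_HELLO:
        raise TLSParseError(f"handshake type {h[0]} is not ClientHello")
    body, _ = _take(hs, p, int.from_bytes(h[1:4], "big"))
    ver, p = _take(body, 0, 2)
    _random, p = _take(body, p, 32)
    sid_len, p = _take(body, p, 1)
    if sid_len[0] > 32:
        raise TLSParseError("session_id longer than 32 bytes")
    session_id, p = _take(body, p, sid_len[0])
    cs_len_b, p = _take(body, p, 2)
    cs_len = struct.unpack("!H", cs_len_b)[0]
    if cs_len == 0 or cs_len % 2:
        raise TLSParseError("cipher_suites length must be a positive multiple of 2")
    suites, p = _take(body, p, cs_len)
    cm_len, p = _take(body, p, 1)
    _cm, p = _take(body, p, cm_len[0])
    sni = None
    if p < len(body):                                             # extensions are optional
        ext_len, p = _take(body, p, 2)
        exts, p = _take(body, p, struct.unpack("!H", ext_len)[0])
        if p != len(body):
            raise TLSParseError("trailing bytes after extensions")
        sni = _find_sni(exts)
    return {"version": (ver[0], ver[1]), "session_id": session_id, "sni": sni,
            "cipher_suites": [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, cs_len, 2)]}


def sni_or_none(record: bytes) -> Optional[str]:
    """The name the appliance would match against a head server name; None means fail closed."""
    try:
        return parse_client_hello(record)["sni"]
    except TLSParseError:
        return None
```

The SNI value is supplied by the client before anything has been authenticated. A match against a head server name is enough to pick a server group, but it does not identify the origin; certificate validation on the appliance-to-server connection is still what authenticates the server. A record that fails to parse yields None and is treated as no match rather than forwarded on a guess.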
FIG. 5 is a block diagram of an exemplary network environment 500, consistent with embodiments of the present disclosure. It is appreciated that network environment 500 is a simplified illustration and that other components can be added to network environment 500 whenever necessary. Also, network environment 500 can be any type of network that communicates using packets. Network environment 500 can include a plurality of client devices 102 (e.g., 102B and 102E depicted in FIG. 5), appliance 108′ coupled to branch office 140, appliance 108 that may be located in or outside of data center 120, a plurality of public servers 150 (depicted in FIG. 1), and sub-servers 160A-160C (depicted in FIG. 5). Although a single appliance 108′ is shown in branch office 140 in FIG. 5, it is appreciated that one or more appliances 108′ can be located in a plurality of branch offices 140. Likewise, although a single appliance 108 is shown in data center 120 in FIG. 5, it is appreciated that one or more appliances 108 can be associated with data center 120.
Network environment 500 can have a plurality of SSL/TLS connections at two or more stages between client device 102 and public server 150. As an example, at a first stage there can be a single session 560 comprising three SSL/TLS connections 502A-502C between a client device 102 (e.g., 102B) and appliance 108; the SSL/TLS connections at this stage are referred to as SSL1 510. In some embodiments, SSL1 510 can also include another single session 570 comprising three SSL/TLS connections 501A-501C between a client device 102 (e.g., 102E) and appliance 108′ in branch office 140, and three other SSL/TLS connections 503A-503C between appliance 108′ in branch office 140 and appliance 108.
One or more client devices 102 can connect directly to appliance 108, or indirectly to appliance 108 via appliance 108′ in branch office 140. For example, client device 102B is directly connected to appliance 108, and client device 102E is indirectly connected to appliance 108 via appliance 108′ in branch office 140.
At a second stage, there can be other SSL/TLS connections (e.g., 530, 531, 540, 541, 550 and 551) between appliance 108 and one or more public servers 150 depicted in FIG. 1 and sub-servers 160A-160C depicted in FIG. 5; the SSL/TLS connections at this stage are referred to as SSL2 520.
The embodiments described herein address the SSL2 520 connections at the second stage, assisting with establishing a faster SSL connection by pre-establishing SSL session connections with the one or more servers needed to load at least one complete webpage whose objects are hosted on those servers. In exemplary embodiments, after receiving from a client device an SSL session connection request to a public server 150 associated with a website, appliance 108 can perform the SSL/TLS full handshake procedure with the public server 150 associated with the website. The website can comprise a plurality of webpage objects that together form at least one complete webpage. Some webpage objects can be hosted on one or more other servers. In the present disclosure, the one or more other servers are hereafter called sub-servers 160A-160C. The public server 150 associated with the website can provide appliance 108 with information about sub-servers 160A-160C. Then, using this information, appliance 108 can perform SSL/TLS full handshake procedures (e.g., 530, 540, and 550) with each of the sub-servers 160A-160C. Whatever the source of the sub-server names, each of these full handshakes should validate the certificate presented by the sub-server against the name being connected to, exactly as for the head server; a name supplied by the public server is not itself a credential. Appliance 108 can acquire session information, such as a session identifier and/or session ticket, via these full handshakes. Such session information can be used to reuse at least one session connection (e.g., 551) to the server associated with the website and/or to each of the sub-servers 160A-160C. Alternatively, appliance 108 can pre-establish at least one SSL session connection to the server associated with the website and/or to each of the sub-servers 160A-160C, as described in the following FIG. 6.
FIG. 6 is a flowchart representing an exemplary method 600 of pre-establishing SSL session connections for faster SSL connection establishment, consistent with embodiments of the present disclosure. It will be readily appreciated that the illustrated procedure can be altered to delete steps or further include additional steps. While method 600 is described as being performed by appliance 108, it is appreciated that other components can be added or omitted and the method 600 can be performed by other devices alone (e.g., appliance 108′) or in combination with appliance 108.
As an initial step, appliance 108 receives from a client device 102 (either directly or via an appliance at a branch office (e.g., appliance 108′)) a secure session connection request to a server associated with a website at step 610. The secure session connection request can be an SSL session connection request. Appliance 108 also facilitates the secure session connection request between client device 102 and the server associated with the website, wherein the facilitation causes the appliance to receive session information at this step 610.
In exemplary embodiments, upon receipt of the secure session connection request from client device 102, appliance 108 can further forward the secure session connection request to the server associated with the website. Based on that request, appliance 108 can receive from the server a list of sub-server identifiers associated with the server, each sub-server having one or more objects required to form a webpage of the website. Appliance 108 can also receive, from the server, session information for each of the sub-servers.
In some embodiments, upon receipt of the secure session connection request from client device 102, appliance 108 can further access one or more data structures storing a server group having a server name, a plurality of sub-server names associated with the server name, and session information of the server and of each sub-server associated with the server. The server group can include other information that is used to facilitate a secure session connection request between a client device and a server associated with a website.
Appliance 108 also determines whether session information corresponding to the secure session connection request has been cached at step 620. Session information can be obtained via the SSL/TLS full handshake procedure. The SSL/TLS full handshake procedure includes the procedure disclosed in IETF RFC 6101. Session information can include a session identifier or session ticket information. A session identifier is an arbitrary byte sequence chosen by a server to identify an active or resumable session state. Obtaining one or more session identifiers via the SSL/TLS full handshake procedure is disclosed in IETF RFC 5246. A session ticket containing encrypted session state information is created by a TLS server (e.g., public server 150) and sent to a TLS client (e.g., appliance 108). The TLS client can present the session ticket to the TLS server to resume a session. Obtaining one or more session tickets via the SSL/TLS full handshake procedure is disclosed in IETF RFC 5077. A cached session identifier or ticket is usable only until the lifetime indicated by the server elapses, and resuming it reuses the master secret of the original session, so the cache entry must be protected and expired like key material.
When session information corresponding to the secure session connection request has been cached, the server can be associated with a server group at this step 620 or has already been associated with a server group before step 620. The data structure providing a server group can be maintained per client device 102 and is described in detail in FIG. 9. When determining that the session information corresponding to the secure session connection request has been cached, appliance 108 reuses at least one session to one or more servers listed in the server group at step 630.
When determining that the session information corresponding to the secure session connection request has not been cached, appliance 108 determines whether the server is associated with a server group at step 640. When determining that the server is associated with a server group, appliance 108 further forms secure session connections between the appliance and the servers listed in the server group at step 650. This formation pre-establishes one or more SSL connections. Thus, whenever one or more SSL connection requests are received in the future, the pre-established SSL connections can be used without necessarily performing full SSL handshake procedures, which saves one round trip and the computationally intensive key exchange of a full handshake for each new secure session connection and enhances user experience.
FIG. 7 is a flowchart representing an exemplary method 700 of forming a server group, consistent with embodiments of the present disclosure. It will be readily appreciated that the illustrated procedure can be altered to delete steps or further include additional steps. While method 700 is described as being performed by an appliance 108, it is appreciated that other components can be added or omitted and the method 700 can be performed by other devices alone (e.g., appliance 108′) or in combination with appliance 108.
At step 710, appliance 108 facilitates a secure session connection request between client device 102 and a server associated with a website, wherein the facilitation causes the appliance to receive session information. The secure session connection request can be an SSL session connection request.
In some embodiments, upon receipt of the secure session connection request from client device 102, appliance 108 can further access one or more data structures storing a server group having a server name, a plurality of sub-server names associated with the server name, and session information of the server and of each sub-server associated with the server. The server group can include other information that is used to facilitate a secure session connection request between a client device and a server associated with a website.
Appliance 108 also determines whether session information corresponding to the plurality of secure session connection requests has been cached at step 720. As described above, session information can include session identifier or session ticket information, which can be obtained via the SSL/TLS full handshake procedure based on IETF RFC 5246 or IETF RFC 5077, respectively.
When determining that session information corresponding to the plurality of secure session connection requests has not been cached, appliance 108 accumulates one or more secure session connection requests for a predetermined time period at step 730. For example, appliance 108 receives 10 secure connection requests from a client device within 0.5 seconds and determines that session information corresponding to 7 of the 10 received requests has not been cached. Appliance 108 then accumulates those 7 secure connection requests to form a server group. The predetermined time period over which appliance 108 accumulates secure session connection requests is configurable.
At step 740, appliance 108 further forms a server group based on the one or more accumulated secure session connection requests whose session information has not been cached. Appliance 108 forms a server group including, for example as shown in FIG. 9, a head server name 930A, a frequency count 931A of the head server name, a list of sub-server names 940A, a frequency count 942A-942C for each of the sub-server names, a session-related parameter 950A, and a timeout 960A. Appliance 108 can perform full SSL handshake procedures to acquire session information for the head server and the sub-servers listed in the server group. Appliance 108 can terminate pre-established connections at expiry of timeout 960A. Appliance 108 can also store the server group information locally in memory on appliance 108 or in an externally connected network database.
FIG. 8 is a flowchart representing an exemplary method 800 of refining a server group, consistent with embodiments of the present disclosure. It will be readily appreciated that the illustrated procedure can be altered to delete steps or further include additional steps. While method 800 is described as being performed by appliance 108, it is appreciated that other components can be added or omitted and the method 800 can be performed by other devices alone (e.g., appliance 108′) or in combination with appliance 108.
At step 810, appliance 108 receives from a client device 102 a secure session connection request to a server associated with a website. Appliance 108 identifies a server group based on information about the server associated with the website in the secure connection request at step 820. For example, appliance 108 can search a server group to see whether it contains a server name that matches the server name associated with the website in the secure session connection request. When it finds the same server name in the server group, appliance 108 can identify that server group as affiliated with the server associated with the website in the secure connection request.
Appliance 108 accumulates, for a predetermined time period, one or more secure session connection requests whose session information has not been cached at step 830. For example, appliance 108 receives 10 secure connection requests from a client device within 0.5 seconds and determines that session information corresponding to 7 of the 10 received requests has not been cached. Appliance 108 then accumulates those 7 secure connection requests to use in refining the server group. The predetermined time period over which appliance 108 accumulates secure session connection requests is configurable.
At step 840, appliance 108 determines whether there are one or more matching servers in a server group matching any of the one or more accumulated secure session connection requests. When determining that there are one or more matching servers in the server group, appliance 108 updates the frequency count of each of the one or more matching servers in the server group at step 850. In exemplary embodiments, when a server name in the secure session connection requests matches a server name in the server group three times and the current frequency count value is 2, appliance 108 updates the frequency count of that server to 5.
Appliance 108 further adds or deletes at least one server from the server group based on the value of the frequency count. In exemplary embodiments, there can be a preconfigured frequency count threshold for the server group. The updated frequency count of each of the one or more matching servers in the server group can be compared with the preconfigured frequency count threshold. As an example, appliance 108 can determine to add a server to a server group when the server's frequency count is equal to or higher than the preconfigured frequency count threshold. Appliance 108 can also add a server to a server group when an SSL session connection to the server is established within a preconfigured time period, e.g., 0.5 second, given that SSL session information for the SSL session connection to the server has not been cached. Appliance 108 can also determine to delete a server from a server group when the server's frequency count is less than the preconfigured frequency count threshold.
When the client device sends a secure session connection request to each of the sub-servers, appliance 108 can determine a list of server names in multiple server groups by accumulating all new SSL connections made by a client device within a pre-configured time period (e.g., 0.5 second). Appliance 108 can form multiple server groups of server names based on the SSL connections formed by a particular client device to load a web page or a set of web pages. While forming the multiple server groups, appliance 108 does not count SSL connections whose session details have already been cached.
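The following Python is an added example, not the patent's implementation and not vendor code. It models the per-client server group of FIG. 9 together with the decisions of methods 600, 700 and 800 above: the cached-session check (step 620), session reuse (630), pre-establishing connections to every server in a matched group (650), accumulating uncached requests for the 0.5 s window used in the examples (730/830), forming a group whose head is the first uncached name of the window (740), incrementing frequency counts for matches (850), deleting sub-servers below a threshold and adding servers reached within the window (860), and expiring a group at its timeout (960A). Everything not stated in the text is an assumption: the class and method names, keying the session cache per client, one group formed or refined per window, a threshold of 2 and a group timeout of 300 s. The clock is passed in explicitly so that the behaviour is deterministic.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SessionParams:
    """Session-related parameter 950A: the session ID (RFC 5246) or ticket (RFC 5077)
    acquired by a full handshake, and the time after which it must not be reused."""
    session_id: bytes = b""
    ticket: bytes = b""
    expires_at: float = 0.0


@dataclass
class ServerGroup:
    """Server group ID 920A: head server name 930A, frequency counts 931A/942A-942C
    keyed by server name (head first, then sub-servers), and timeout 960A."""
    head: str
    counts: dict = field(default_factory=dict)
    expires_at: float = 0.0


class ServerGroupCache:
    """Per-client server groups (FIG. 9) and the decisions of FIGS. 6-8.

    Hypothetical design, not the patent's code: the session cache of step 620 is
    a per-client map keyed by server name, and uncached requests accumulate for
    `window` seconds before a group is formed (step 740) or refined (840-860).
    The clock is passed in explicitly so the behaviour is deterministic."""

    def __init__(self, window: float = 0.5, threshold: int = 2, group_ttl: float = 300.0):
        self.window = window          # accumulation period (730/830): 0.5 s as in the text
        self.threshold = threshold    # preconfigured frequency-count threshold (assumed 2)
        self.group_ttl = group_ttl    # timeout 960A for a new group (300 s is assumed)
        self._sessions = {}           # client -> {server: SessionParams}
        self._groups = {}             # client -> {head: ServerGroup}
        self._pending = {}            # client -> [window_start, [server, ...]]

    def record_full_handshake(self, client: str, server: str, params: SessionParams) -> None:
        """Cache the session ID/ticket the appliance acquired from a full handshake."""
        self._sessions.setdefault(client, {})[server] = params

    def _cached_session(self, client: str, server: str, now: float) -> Optional[SessionParams]:
        params = self._sessions.get(client, {}).get(server)
        if params is not None and params.expires_at <= now:
            del self._sessions[client][server]   # stale: never offer it for resumption
            params = None
        return params

    def _group_for(self, client: str, server: str, now: float) -> Optional[ServerGroup]:
        """The live group listing `server` as head or sub-server; expired groups are purged."""
        groups = self._groups.get(client, {})
        for head, grp in list(groups.items()):
            if grp.expires_at <= now:
                del groups[head]                 # timeout 960A: the group is obsolete
            elif server in grp.counts:
                return grp
        return None

    def flush(self, client: str, now: float) -> None:
        """Close an elapsed window: form (step 740) or refine (840-860) a group."""
        pending = self._pending.get(client)
        if pending is None or now - pending[0] < self.window:
            return
        names = pending[1]
        del self._pending[client]
        grp = None
        for n in names:
            grp = self._group_for(client, n, now)
            if grp is not None:
                break
        if grp is None:                          # step 740: first uncached name is the head
            grp = ServerGroup(head=names[0], expires_at=now + self.group_ttl)
            self._groups.setdefault(client, {})[grp.head] = grp
        matched = [n for n in names if n in grp.counts]
        for n in matched:
            grp.counts[n] += 1                   # step 850: one increment per match
        for n in list(grp.counts):               # step 860: delete sub-servers below threshold
            if n != grp.head and grp.counts[n] < self.threshold:
                del grp.counts[n]
        for n in names:                          # uncached and reached within the window: add
            if n not in matched:
                grp.counts[n] = grp.counts.get(n, 0) + 1

    def on_request(self, client: str, server: str, now: float) -> dict:
        """Steps 610-650 for one ClientHello from `client` whose SNI names `server`."""
        self.flush(client, now)
        grp = self._group_for(client, server, now)
        preconnect = [n for n in grp.counts if n != server] if grp else []   # step 650
        session = self._cached_session(client, server, now)
        if session is not None:                  # step 630: abbreviated handshake
            return {"action": "resume", "session": session, "preconnect": preconnect}
        self._pending.setdefault(client, [now, []])[1].append(server)   # 730/830
        return {"action": "full_handshake", "session": None, "preconnect": preconnect}

    def group_snapshot(self, client: str, head: str, now: float) -> dict:
        """Frequency counts of a live group; empty if the group is absent or expired."""
        grp = self._groups.get(client, {}).get(head)
        return dict(grp.counts) if grp and grp.expires_at > now else {}
```

Two points a deployment would add on top of this. The names being counted come straight from client SNI fields, so a bound on group size and on the number of groups per client keeps a misbehaving client from driving pre-established connections to arbitrary hosts. And `expires_at` on a SessionParams should be derived from the server's ticket lifetime hint (RFC 5077) or the appliance's own policy rather than left at the default; an expired ticket is refused by the server and the connection falls back to a full handshake, so there is nothing to gain by keeping it.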
FIG. 9 is an exemplary data structure providing a server group for a client device. Server group for a client device 910 comprises a plurality of server group identifiers (IDs), e.g., 920A and 920B. Each of the plurality of server group IDs, e.g., 920A and 920B, comprises a head server name 930A, a frequency count 931A of the head server name, a list of sub-server names 940A, a frequency count 942A-942C for each of the sub-server names, a session-related parameter 950A, and a timeout 960A. The list of sub-server names comprises a plurality of server names 941A-941C and corresponding frequency counts 942A-942C for each of the plurality of server names 941A-941C. Session-related parameter 950A can comprise session information such as a session identifier 951A and a session ticket 952. Session information for session identifier 951A can comprise the session identifier, the session ID length, the chosen cipher suite, the chosen compression method, the start time, the maximum fragment length, the master key, and other related flags and details. Session information for session ticket 952 can comprise the session ticket, the session ticket length, and the session ticket lifetime. Because the master key is what an abbreviated handshake reuses, an entry holding it must be protected like key material: anyone who can read it, together with the random values exchanged in the clear, can derive the traffic keys of the original connection and of every connection resumed from it. Timeout 960A indicates the time period during which server group ID 920A remains valid. After expiry of the timeout 960A value, server group ID 920A becomes obsolete and/or is deleted from the data structure. Server group ID 920B has substantially similar server group parameter information to that of server group ID 920A.
In the foregoing specification, embodiments have been described with reference to numerous specific details that can vary from implementation to implementation. Certain adaptations and modifications of the described embodiments can be made. Other embodiments can be apparent to those skilled in the art from consideration of the specification and practice of the embodiments disclosed herein. It is intended that the specification and examples be considered as exemplary only.
It is also intended that the sequence of steps shown in the figures is only for illustrative purposes and is not intended to be limited to any particular sequence of steps. As such, those skilled in the art can appreciate that these steps can be performed in a different order while implementing the same method.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/297,873 US20190207979A1 (en) | 2016-01-29 | 2019-03-11 | System and method of pre-establishing ssl session connections for faster ssl connection establishment |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/010,692 US10250637B2 (en) | 2016-01-29 | 2016-01-29 | System and method of pre-establishing SSL session connections for faster SSL connection establishment |
US16/297,873 US20190207979A1 (en) | 2016-01-29 | 2019-03-11 | System and method of pre-establishing ssl session connections for faster ssl connection establishment |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/010,692 Continuation US10250637B2 (en) | 2016-01-29 | 2016-01-29 | System and method of pre-establishing SSL session connections for faster SSL connection establishment |
Publications (1)
Publication Number | Publication Date |
---|---|
US20190207979A1 true US20190207979A1 (en) | 2019-07-04 |
Family
ID=59387327
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/010,692 Active 2036-07-15 US10250637B2 (en) | 2016-01-29 | 2016-01-29 | System and method of pre-establishing SSL session connections for faster SSL connection establishment |
US16/297,873 Abandoned US20190207979A1 (en) | 2016-01-29 | 2019-03-11 | System and method of pre-establishing ssl session connections for faster ssl connection establishment |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/010,692 Active 2036-07-15 US10250637B2 (en) | 2016-01-29 | 2016-01-29 | System and method of pre-establishing SSL session connections for faster SSL connection establishment |
Country Status (1)
Country | Link |
---|---|
US (2) | US10250637B2 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11119216B1 (en) * | 2017-11-02 | 2021-09-14 | AI Incorporated | Efficient coverage planning of mobile robotic devices |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10958666B1 (en) * | 2017-03-24 | 2021-03-23 | NortonLifeLock Inc. | Systems and methods for verifying connection integrity |
GB201710168D0 (en) * | 2017-06-26 | 2017-08-09 | Microsoft Technology Licensing Llc | Introducing middleboxes into secure communications between a client and a sever |
CN107797859B (en) * | 2017-11-16 | 2021-08-20 | 山东浪潮云服务信息科技有限公司 | Scheduling method of timing task and scheduling server |
US11159367B2 (en) | 2018-05-15 | 2021-10-26 | Nutanix, Inc. | Apparatuses and methods for zero touch computing node initialization |
WO2020001652A1 (en) * | 2018-06-29 | 2020-01-02 | Yunding Network Technology (Beijing) Co., Ltd. | Systems and methods for informarion management |
US10979289B2 (en) * | 2019-08-12 | 2021-04-13 | Nutanix, Inc. | Apparatuses and methods for remote computing node registration and authentication |
US11070514B2 (en) * | 2019-09-11 | 2021-07-20 | Verizon Patent And Licensing Inc. | System and method for domain name system (DNS) service selection |
US11212168B2 (en) | 2019-11-20 | 2021-12-28 | Nutanix, Inc. | Apparatuses and methods for remote computing node initialization using a configuration template and resource pools |
US11677630B2 (en) * | 2021-04-30 | 2023-06-13 | Cisco Technology, Inc. | Secure device management |
US11778037B2 (en) * | 2021-09-08 | 2023-10-03 | International Business Machines Corporation | Concurrent TLS data streams using a single handshake |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110231652A1 (en) * | 2010-03-19 | 2011-09-22 | F5 Networks, Inc. | Proxy ssl authentication in split ssl for client-side proxy agent resources with content insertion |
US8145768B1 (en) * | 2008-02-26 | 2012-03-27 | F5 Networks, Inc. | Tuning of SSL session caches based on SSL session IDS |
US8327128B1 (en) * | 2011-07-28 | 2012-12-04 | Cloudflare, Inc. | Supporting secure sessions in a cloud-based proxy service |
US20150288514A1 (en) * | 2014-04-08 | 2015-10-08 | Cloudflare, Inc. | Secure session capability using public-key cryptography without access to the private key |
US20170195427A1 (en) * | 2015-12-31 | 2017-07-06 | Hughes Network Systems, Llc | Method and system for automatically bypassing network proxies in the presence of interdependent traffic flows |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8255291B1 (en) * | 2000-08-18 | 2012-08-28 | Tensilrus Capital Nv Llc | System, method and apparatus for interactive and comparative shopping |
US9854000B2 (en) * | 2014-11-06 | 2017-12-26 | Cisco Technology, Inc. | Method and apparatus for detecting malicious software using handshake information |
- 2016-01-29 US US15/010,692 patent/US10250637B2/en active Active
- 2019-03-11 US US16/297,873 patent/US20190207979A1/en not_active Abandoned
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11119216B1 (en) * | 2017-11-02 | 2021-09-14 | AI Incorporated | Efficient coverage planning of mobile robotic devices |
US11947015B1 (en) | 2017-11-02 | 2024-04-02 | AI Incorporated | Efficient coverage planning of mobile robotic devices |
Also Published As
Publication number | Publication date |
---|---|
US10250637B2 (en) | 2019-04-02 |
US20170223053A1 (en) | 2017-08-03 |
Similar Documents
Publication | Title |
---|---|
US20190207979A1 (en) | System and method of pre-establishing ssl session connections for faster ssl connection establishment |
US11303614B2 (en) | System and method for providing improved optimization for secure session connections |
US10862976B2 (en) | System and method for improving efficiency of SSL/TLS connections |
US9705852B2 (en) | Proxy SSL authentication in split SSL for client-side proxy agent resources with content insertion |
US10992709B2 (en) | Efficient use of IPsec tunnels in multi-path environment |
US11082403B2 (en) | Intermediate network entity |
US8549149B2 (en) | Systems and methods for providing client-side accelerated access to remote applications via TCP multiplexing |
US8954595B2 (en) | Systems and methods for providing client-side accelerated access to remote applications via TCP buffering |
US8533453B2 (en) | Method and system for configuring a server and dynamically loading SSL information |
US8700695B2 (en) | Systems and methods for providing client-side accelerated access to remote applications via TCP pooling |
US20060195840A1 (en) | Systems and methods for automatic installation and execution of a client-side acceleration program |
US20060248581A1 (en) | Systems and methods for providing client-side dynamic redirection to bypass an intermediary |
US11196833B1 (en) | Proxy server synchronizer |
WO2019178942A1 (en) | Method and system for performing ssl handshake |
US20200412708A1 (en) | Link protocol agents for inter-application communications |
EP3286889A1 (en) | Secure in-band service detection |
US10587733B2 (en) | Server-side HTTP translator |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
2016-01-29 | AS | Assignment | Owner name: CITRIX SYSTEMS, INC., FLORIDA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:DHANABALAN, PRAVEEN RAJA;RAMAIAH, CHAITRA MARALIGA;BHAT, AKSHATA;REEL/FRAME:048571/0710 |
| STPP | Information on status: patent application and granting procedure in general | NON FINAL ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
| STPP | Information on status: patent application and granting procedure in general | NON FINAL ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
| STPP | Information on status: patent application and granting procedure in general | RESPONSE AFTER FINAL ACTION FORWARDED TO EXAMINER |
| STPP | Information on status: patent application and granting procedure in general | DOCKETED NEW CASE - READY FOR EXAMINATION |
| STPP | Information on status: patent application and granting procedure in general | NON FINAL ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
| STPP | Information on status: patent application and granting procedure in general | FINAL REJECTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | RESPONSE AFTER FINAL ACTION FORWARDED TO EXAMINER |
| STPP | Information on status: patent application and granting procedure in general | ADVISORY ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | DOCKETED NEW CASE - READY FOR EXAMINATION |
| STPP | Information on status: patent application and granting procedure in general | NON FINAL ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
| STPP | Information on status: patent application and granting procedure in general | FINAL REJECTION MAILED |
2022-09-30 | AS | Assignment | Owner name: WILMINGTON TRUST, NATIONAL ASSOCIATION, DELAWARE. Free format text: SECURITY INTEREST;ASSIGNOR:CITRIX SYSTEMS, INC.;REEL/FRAME:062079/0001 |
2022-09-30 | AS | Assignment | Owner name: WILMINGTON TRUST, NATIONAL ASSOCIATION, AS NOTES COLLATERAL AGENT, DELAWARE. Free format text: PATENT SECURITY AGREEMENT;ASSIGNORS:TIBCO SOFTWARE INC.;CITRIX SYSTEMS, INC.;REEL/FRAME:062113/0470 |
2022-09-30 | AS | Assignment | Owner name: GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT, NEW YORK. Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNORS:TIBCO SOFTWARE INC.;CITRIX SYSTEMS, INC.;REEL/FRAME:062113/0001 |
2022-09-30 | AS | Assignment | Owner name: BANK OF AMERICA, N.A., AS COLLATERAL AGENT, NORTH CAROLINA. Free format text: PATENT SECURITY AGREEMENT;ASSIGNORS:TIBCO SOFTWARE INC.;CITRIX SYSTEMS, INC.;REEL/FRAME:062112/0262 |
| STCB | Information on status: application discontinuation | ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
2023-04-10 | AS | Assignment | Owner name: CLOUD SOFTWARE GROUP, INC. (F/K/A TIBCO SOFTWARE INC.), FLORIDA. Free format text: RELEASE AND REASSIGNMENT OF SECURITY INTEREST IN PATENT (REEL/FRAME 062113/0001);ASSIGNOR:GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT;REEL/FRAME:063339/0525 |
2023-04-10 | AS | Assignment | Owner name: CITRIX SYSTEMS, INC., FLORIDA. Free format text: RELEASE AND REASSIGNMENT OF SECURITY INTEREST IN PATENT (REEL/FRAME 062113/0001);ASSIGNOR:GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT;REEL/FRAME:063339/0525 |
2023-04-10 | AS | Assignment | Owner name: WILMINGTON TRUST, NATIONAL ASSOCIATION, AS NOTES COLLATERAL AGENT, DELAWARE. Free format text: PATENT SECURITY AGREEMENT;ASSIGNORS:CLOUD SOFTWARE GROUP, INC. (F/K/A TIBCO SOFTWARE INC.);CITRIX SYSTEMS, INC.;REEL/FRAME:063340/0164 |
Owner name: CLOUD SOFTWARE GROUP, INC. (F/K/A TIBCO SOFTWARE INC.), FLORIDA Free format text: RELEASE AND REASSIGNMENT OF SECURITY INTEREST IN PATENT (REEL/FRAME 062113/0001);ASSIGNOR:GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT;REEL/FRAME:063339/0525 Effective date: 20230410 Owner name: CITRIX SYSTEMS, INC., FLORIDA Free format text: RELEASE AND REASSIGNMENT OF SECURITY INTEREST IN PATENT (REEL/FRAME 062113/0001);ASSIGNOR:GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT;REEL/FRAME:063339/0525 Effective date: 20230410 Owner name: WILMINGTON TRUST, NATIONAL ASSOCIATION, AS NOTES COLLATERAL AGENT, DELAWARE Free format text: PATENT SECURITY AGREEMENT;ASSIGNORS:CLOUD SOFTWARE GROUP, INC. (F/K/A TIBCO SOFTWARE INC.);CITRIX SYSTEMS, INC.;REEL/FRAME:063340/0164 Effective date: 20230410 |