Systems and methods for policy driven fine grain validation of servers' SSL certificate for clientless SSLVPN access

US 10,652,229 B2
Filed: 03/16/2018
Issued: 05/12/2020
Est. Priority Date: 10/28/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

(a) receiving, by an intermediary device that is intermediary to a plurality of clients and a plurality of servers, a request to access a server of the plurality of servers via a clientless secure socket layer (SSL) virtual private network (VPN) connection;

(b) accessing, by the intermediary device and responsive to the request, a plurality of preconfigured policies for use by the intermediary device to restrict SSL server certificate validation to a set of servers, from the plurality of servers, specified in the plurality of preconfigured policies, each preconfigured policy of the plurality of preconfigured policies specifying at least one respective server of the plurality of servers for which to apply SSL server certificate validation;

(c) identifying, by the intermediary device, for the server of the request, a preconfigured policy from the plurality of preconfigured policies, the intermediate device configured to apply SSL certificate validation for the server if the preconfigured policy indicates that the server is to be validated using one or more certificate authority (CA) certificates that are a subset of a plurality of CA certificates available to the intermediary device, and to forego the SSL certificate validation for the server if otherwise;

(d) performing, at the intermediary device responsive to the preconfigured policy indicating that the server is to be validated, validation of a SSL server certificate of the server using the one or more CA certificates specified by the preconfigured policy; and

(e) establishing, by the intermediary device responsive to the SSL server certificate validation, the clientless SSL VPN connection with the server.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure is directed towards systems and methods for validation of a secure socket layer (SSL) certificate of a server for clientless SSL virtual private network (VPN) access. An intermediary device can receive a first request from a client for a clientless SSL VPN connection to a first server. The intermediary device can determine, using a preconfigured policy, that the first server in the first request meets a condition of the preconfigured policy. The intermediary device 801 can perform, responsive to the determination, an action to validate a SSL certificate of the first server using one or more certificate authority (CA) certificate files available to the intermediary device. The one or more CA certificate files can be specified by the preconfigured policy for the action.

23 Citations

18 Claims

1. A method comprising:
- (a) receiving, by an intermediary device that is intermediary to a plurality of clients and a plurality of servers, a request to access a server of the plurality of servers via a clientless secure socket layer (SSL) virtual private network (VPN) connection;
  
  (b) accessing, by the intermediary device and responsive to the request, a plurality of preconfigured policies for use by the intermediary device to restrict SSL server certificate validation to a set of servers, from the plurality of servers, specified in the plurality of preconfigured policies, each preconfigured policy of the plurality of preconfigured policies specifying at least one respective server of the plurality of servers for which to apply SSL server certificate validation;
  
  (c) identifying, by the intermediary device, for the server of the request, a preconfigured policy from the plurality of preconfigured policies, the intermediate device configured to apply SSL certificate validation for the server if the preconfigured policy indicates that the server is to be validated using one or more certificate authority (CA) certificates that are a subset of a plurality of CA certificates available to the intermediary device, and to forego the SSL certificate validation for the server if otherwise;
  
  (d) performing, at the intermediary device responsive to the preconfigured policy indicating that the server is to be validated, validation of a SSL server certificate of the server using the one or more CA certificates specified by the preconfigured policy; and
  
  (e) establishing, by the intermediary device responsive to the SSL server certificate validation, the clientless SSL VPN connection with the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein each of the plurality of preconfigured policies defines a respective condition that specifies the at least one respective server of the plurality of servers for which to apply SSL server certificate validation, and a corresponding method of performing the SSL server certificate validation.
  - 3. The method of claim 1, wherein the servers of the set of servers specified in the preconfigured policies are identified by respective domain names.
  - 4. The method of claim 1, wherein (c) further comprises selecting the preconfigured policy from the plurality of preconfigured policies based at least on a condition of the preconfigured policy specifying the server.
  - 5. The method of claim 1, wherein (a) further comprises identifying, by the intermediary device from the request, one or more parameters associated with the server.
  - 6. The method of claim 5, further comprising determining, by the intermediary device, using the one or more parameters that the server of the request meets a condition of the preconfigured policy.
  - 7. The method of claim 1, wherein (d) further comprises using, by the intermediary device, a method of SSL server certificate validation specified by the preconfigured policy.
  - 8. The method of claim 1, further comprising matching a domain name of the server of the request with at least one of a common name or a domain name included in the one or more CA certificates.
  - 9. The method of claim 1, wherein the preconfigured policy specifies a list of one or more files for use to validate the SSL server certificate of the server.

10. A system comprising:
- an intermediary device comprising one or more hardware processors that is intermediary to a plurality of clients and a plurality of servers, wherein the intermediary device is configured to;
  
  receive a request to access a server of the plurality of servers via a clientless secure socket layer (SSL) virtual private network (VPN) connection;
  
  access, responsive to the request, a plurality of preconfigured policies for use by the device to restrict SSL server certificate validation to a set of servers, from the plurality of servers, specified in the plurality of preconfigured policies, each preconfigured policy of the plurality of preconfigured policies specifying at least one respective server of the plurality of servers for which to apply SSL server certificate validation;
  
  identify, for the server of the request, a preconfigured policy from the plurality of preconfigured policies, the intermediate device configured to apply SSL certificate validation for the server if the preconfigured policy indicates that the server is to be validated using one or more certificate authority (CA) certificates that are a subset of a plurality of CA certificates available to the intermediary device, and to forego the SSL certificate validation for the server if otherwise;
  
  perform, responsive to the preconfigured policy indicating that the server is to be validated, validation of a SSL server certificate of the server using the one or more CA certificates specified by the preconfigured policy; and
  
  establish, responsive to the SSL server certificate validation, the clientless SSL VPN connection with the server.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein each of the plurality of preconfigured defines a respective condition that specifies the at least one respective server of the plurality of servers for which to apply SSL server certificate validation, and a corresponding method of performing the SSL server certificate validation.
  - 12. The system of claim 10, wherein the servers of the set of servers specified in the preconfigured policies are identified by respective domain names.
  - 13. The system of claim 10, wherein the preconfigured policy is selected from the plurality of preconfigured policies based at least on a condition of the preconfigured policy specifying the server.
  - 14. The system of claim 10, wherein the intermediary device is further configured to identify, from the request, one or more parameters associated with the server.
  - 15. The system of claim 14, wherein the intermediary device is further configured to determine using the one or more parameters that the server of the request meets a condition of the preconfigured policy.
  - 16. The system of claim 10, wherein the intermediary device is further configured to use a method of SSL server certificate validation specified by the preconfigured policy.
  - 17. The system of claim 10, wherein the intermediary device is further configured to match a domain name of the server of the request with at least one of a common name or a domain name included in the one or more CA certificates.
  - 18. The system of claim 10, wherein the preconfigured policy specifies a list of one or more files of the intermediary device for use to validate the SSL server certificate of the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Khandelwal, Jaydeep, Gupta, Punit, Kumar, Arkesh
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Sherkat, Arezoo

Application Number

US15/923,977
Publication Number

US 20180212953A1
Time in Patent Office

788 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0272 Virtual private networks

H04L 63/0823 using certificates cryptogr...

Systems and methods for policy driven fine grain validation of servers' SSL certificate for clientless SSLVPN access

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for policy driven fine grain validation of servers' SSL certificate for clientless SSLVPN access

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links