TRANSPARENT SECURE SOCKET LAYER

US 20080263215A1
Filed: 04/23/2007
Published: 10/23/2008
Est. Priority Date: 04/23/2007
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a transparent proxy coupled to a plurality of non-configured clients and coupled to one or more servers, the transparent proxy operable to intercept a request for a secured connection to a first server of the one or more servers, the request from a first non-configured client of the plurality of non-configured clients and including a server name indication extension, and to supply a proper certificate to the first non-configured client including the server name indication extension as a common name in the proper certificate.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various systems, apparatus, and methods include an apparatus comprising a transparent proxy coupled to a plurality of non-configured clients and coupled to one or more servers, the transparent proxy operable to intercept a request for a secured connection to a first server of the one or more servers, the request from a first non-configured client of the plurality of non-configured clients and including a server name indication extension, and to supply a proper certificate to the first non-configured client including the server name indication extension as a common name in the proper certificate.

Citations

28 Claims

1. An apparatus comprising:
- a transparent proxy coupled to a plurality of non-configured clients and coupled to one or more servers, the transparent proxy operable to intercept a request for a secured connection to a first server of the one or more servers, the request from a first non-configured client of the plurality of non-configured clients and including a server name indication extension, and to supply a proper certificate to the first non-configured client including the server name indication extension as a common name in the proper certificate.
- View Dependent Claims (2, 3, 4)
- - 2. The apparatus of claim 1, wherein the intercepted request includes a requirement to establish the connection using a transport layer security protocol.
  - 3. The apparatus of claim 1, wherein the transparent proxy includes one or more security and usage policies applicable to scan requests made by one or more of the plurality of non-configured clients, and is to determine if a requested connection between the first non-configured client and the first server violates any of the one or more security and usage policies, and if a violation does not exist, to establish a first secured connection between the transparent proxy and first non-configured client and a second connection between the transparent proxy and first server, the first connection and the second connections to allow resources to be accessed by the first non-configured client from the first one of the one or more servers.
  - 4. The apparatus of claim 3, wherein the transparent proxy is operable to block the connection between the first non-configured client and the first server if a determination is made that the connection violates any one of the security an usage policies for the first non-configured client.

5. A method comprising:
- intercepting at a transparent proxy a request from a non-configured client for a secure connection to a server, the request including a server name indication extension for the server; and
  
  supplying a proper certificate for the server to the non-configured client, the proper certificate including the server name indication extension as a common name in the proper certificate.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The method of claim 5, wherein intercepting a request includes intercepting a request to establish a connection using a transport layer security protocol.
  - 7. The method of claim 5, including scanning the request based on a set of security and usage policies, and if the request for the secure connection to the server does not violate any of the set security and usage policies, establishing an authenticated and secure connection between the non-configured client and the server through the transparent proxy.
  - 8. The method of claim 7, wherein establishing an authenticated and secure connection including cryptographic protocols between the non-configured client and the server through the transparent proxy including establishing a first secure connection between the non-configured client and the transparent proxy, and establishing a second secure connection between the transparent proxy and the server.
  - 9. The method of claim 7, wherein if the request for the secure connection to the server does violate any one of the set of set of policy regulations, blocking the connection between the non-configured client and server.
  - 10. The method of claim 5, supplying a proper certificate includes supplying the proper certificate to the non-configured client without causing a common name mismatch fault to occur at the non-configured client in response to supplying the proper certificate.
  - 11. The method of claim 5, wherein receiving at the transparent proxy the request includes receiving a list of suggested cipher suites supported by the non-configured client.
  - 12. The method of claim 5, wherein intercepting at the transparent proxy the request includes receiving information related to one or more data compression formats supported by the non-configured client.

13. An apparatus comprising:
- a transparent proxy coupled to a plurality of non-configured clients and coupled to one or more servers, the transparent proxy operable to intercept a request for a secured connection to a first server of the one or more servers, the request from a first non-configured client of the plurality of non-configured clients and including a meta data including an internet protocol address, the transparent proxy operable to establish a connection between the transparent proxy and the first server, and to supply a proper certificate to the first non-configured client including the common name for the first server, including generating a new certificate at the transparent proxy, the new certificate including subject information including a common name copied from the certificate from the server.
- View Dependent Claims (14, 15, 16)
- - 14. The apparatus of claim 13, wherein the intercepted request includes a requirement to establish the connection using a secure sockets layer protocol.
  - 15. The apparatus of claim 13, wherein the transparent proxy includes one or more security and usage policies applicable to scan requests made by one or more of the plurality of non-configured clients, and is to determine if a requested connection between the first non-configured client and the first server violates any of the one or more security and usage policies, and if a violation does not exist, to establish a first secured connection between the transparent proxy and first non-configured client and a second connection between the transparent proxy and first server, the first connection and the second connections to allow resources to be accessed by the first non-configured client from the first one of the one or more servers.
  - 16. The apparatus of claim 15, wherein the transparent proxy is operable to block the connection between the first non-configured client and the first server if a determination is made that the connection violates any one of the security an usage policies for the first non-configured client.

17. A method comprising:
- intercepting at a transparent proxy a request and a meta data from a non-configured client for a secure connection to a server, the meta data including an internet protocol address of the server;
  
  establishing a connection between the transparent proxy and the server using the internet protocol address;
  
  obtaining over the connection a proper certificate for the server including a common name for the server; and
  
  supplying the proper certificate for the server to the non-configured client, the proper certificate including the common name including generating a new certificate at the transparent proxy, the new certificate including subject information including a common name copied from the certificate from the server.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, including scanning the request based on a set of security and usage policies, and if the request for the network resource at the server does not violate any of the set of policy regulations, establishing an authenticated and secure connection between the non-configured client and the server through the transparent proxy.
  - 19. The method of claim 18, wherein if the request for the secure connection to the server does violate any one of the set of set of policy regulations, blocking the connection between the non-configured client and server.
  - 20. The method of claim 17, wherein supplying the proper certificate includes supplying the proper certificate to the non-configured client without causing a common name mismatch fault to occur at the non-configured client in response to supplying the proper certificate.

21. An apparatus comprising:
- a transparent proxy coupled to a plurality of non-configured clients and coupled to one or more servers, the transparent proxy operable to intercept a request for a secured connection to a first server of the one or more servers, the request from a first non-configured client of the plurality of non-configured clients and including a internet protocol address, to establish a connection between the transparent proxy and the reverse domain name system to lookup a host name associated with the internet protocol address, and to supply a proper certificate to the first non-configured client including the host name for the first server received from the reverse domain name system.
- View Dependent Claims (22, 23)
- - 22. The apparatus of claim 21, wherein the transparent proxy includes one or more security and usage policies applicable to scan requests made by one or more of the plurality of non-configured clients, and to determine if a requested connection between the first non-configured client and the first server violates any of the one or more security and usage policies, and if a violation does not exist, to establish a first secured connection between the transparent proxy and first non-configured client and a second connection between the transparent proxy and first server, the first connection and the second connections to allow resources to be accessed by the first non-configured client from the first one of the one or more servers.
  - 23. The apparatus of claim 21, wherein the transparent proxy is operable to block the connection between the first non-configured client and the first server if a determination is made that the connection violates any one of the security an usage policies for the first non-configured client.

24. A method comprising:
- intercepting at a transparent proxy a request from a non-configured client for a secure connection to a server, the request including an IP address of the server;
  
  performing a reverse domain name system lookup to determine a hostname associated with the IP address; and
  
  supplying a proper certificate for the server to the non-configured client, the proper certificate including the hostname received from the reverse domain name system lookup.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The method of claim 24, including scanning the request based on a set of policy regulations, and if the request for the network resource at the server does not violate any of the set of policy regulations, establishing an authenticated and secure connection between the non-configured client and the server through the transparent proxy.
  - 26. The method of claim 25, wherein establishing an authenticated and secure connection including cryptographic protocols between the non-configured client and the server through the transparent proxy including establishing a first secure connection between the non-configured client and the transparent proxy, and establishing a second secure connection between the transparent proxy and the server.
  - 27. The method of claim 25, wherein if the request for the secure connection to the server does violate any one of the set of set of policy regulations, blocking the connection between the non-configured client and server.
  - 28. The method of claim 24, wherein supplying the proper certificate includes supplying the proper certificate to the non-configured client without causing a common name mismatch fault to occur at the non-configured client in response to supplying the proper certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Schnellbaecher, Jan F.

Granted Patent

US 8,549,157 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/166   at the transport layer

TRANSPARENT SECURE SOCKET LAYER

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

TRANSPARENT SECURE SOCKET LAYER

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links