SYSTEMS AND METHODS FOR FLASH CROWD CONTROL AND BATCHING OCSP REQUESTS VIA ONLINE CERTIFICATE STATUS PROTOCOL

US 20110154018A1
Filed: 12/23/2009
Published: 06/23/2011
Est. Priority Date: 12/23/2009
Status: Active Grant

First Claim

Patent Images

1. A method of batching Online Certificate Status Protocol (OCSP) requests and caching responses to the OCSP requests, the method comprising:

(a) receiving, by an intermediary device between a plurality of clients and one or more servers, a first client certificate during a first Secure Socket Layer (SSL) handshake with a first client and a second client certificate during a second SSL handshake with a second client, each of the first client certificate and the second client certificate corresponding to a certificate authority;

(b) identifying, by the intermediary device, that a status of the first client certificate and a status of the second client certificate is not in a cache of the intermediary device;

(c) transmitting, by an Online Certificate Status Protocol (OCSP) responder of the intermediary device, a single request to an OCSP server to determine the status of each of the first client certificate and the second client certificate;

(d) determining, by the intermediary device from a single response received from the OCSP server, whether to establish a first SSL connection with the first client based on the status of the first client certificate and a second SSL connection with the second client based on the status of the second client certificate;

(e) storing, by the intermediary device, to the cache a first cache entry identifying the status of the first client certificate and a second cache entry identifying the status of second client certificate, each of the first cache entry and the second cache entry stored in association with the OCSP responder and with a cache expiry identified by the OCSP responder;

(f) receiving, by the intermediary device from the first client during a third SSL handshake, the first client certificate; and

(g) determining, by the intermediary, whether to establish a third SSL connection with the first client based on the status of the first client certificate identified via the cache.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed towards systems and methods for batching OCSP requests and caching corresponding responses. An intermediary between a plurality of clients and one or more servers receives a first client certificate during a first SSL handshake with a first client and a second client certificate during a second SSL handshake with a second client. The intermediary may identify that the statuses of the client certificates are not in a cache of the intermediary. An OCSP responder of the intermediary may transmit a single request to an OCSP server to determine the statuses. The intermediary may determine, from a single response received from the OCSP server, whether to establish SSL connections with the clients based on the statuses. The intermediary may store the statuses to the cache for determining whether to establish a SSL connection in response to receiving a client certificate from the first client.

Citations

20 Claims

1. A method of batching Online Certificate Status Protocol (OCSP) requests and caching responses to the OCSP requests, the method comprising:
- (a) receiving, by an intermediary device between a plurality of clients and one or more servers, a first client certificate during a first Secure Socket Layer (SSL) handshake with a first client and a second client certificate during a second SSL handshake with a second client, each of the first client certificate and the second client certificate corresponding to a certificate authority;
  
  (b) identifying, by the intermediary device, that a status of the first client certificate and a status of the second client certificate is not in a cache of the intermediary device;
  
  (c) transmitting, by an Online Certificate Status Protocol (OCSP) responder of the intermediary device, a single request to an OCSP server to determine the status of each of the first client certificate and the second client certificate;
  
  (d) determining, by the intermediary device from a single response received from the OCSP server, whether to establish a first SSL connection with the first client based on the status of the first client certificate and a second SSL connection with the second client based on the status of the second client certificate;
  
  (e) storing, by the intermediary device, to the cache a first cache entry identifying the status of the first client certificate and a second cache entry identifying the status of second client certificate, each of the first cache entry and the second cache entry stored in association with the OCSP responder and with a cache expiry identified by the OCSP responder;
  
  (f) receiving, by the intermediary device from the first client during a third SSL handshake, the first client certificate; and
  
  (g) determining, by the intermediary, whether to establish a third SSL connection with the first client based on the status of the first client certificate identified via the cache.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein step (a) further comprising receiving, by the intermediary device, one of the first client certificate or the second client certificate comprising an identifier of the certificate authority.
  - 3. The method of claim 1, wherein step (b) further comprises determining that a cache entry for the status of the first client certificate or the second client certificate has expired.
  - 4. The method of claim 1, wherein step (c) further comprises waiting, by the intermediary device, a predetermined time period for receipt of additional client certificates corresponding to the certificate authority before transmitting the single request.
  - 5. The method of claim 4, further comprising receiving by the intermediary device, a third client certificate before expiration of the predetermined time period and including in the single request to the OCSP server, a request for the status of the third client certificate.
  - 6. The method of claim 1, wherein step (c) further comprises identifying, by the intermediary device, the OCSP responder of a plurality of OCSP responders of the intermediary device, corresponding to the certificate authority.
  - 7. The method of claim 1, wherein step (d) further comprises establishing, by the intermediary device, SSL connections with those clients having client certificates with a good status and not establishing, by the intermediary device, SSL connection with those clients having client certificates not having a good status.
  - 8. The method of claim 1, wherein step (e) further comprises generating, by the intermediary device, a hash for one of the first cache entry or the second cache entry based on an issuer name, a subject name and a response.
  - 9. The method of claim 1, wherein step (e) further comprises storing by the intermediary device, one of the first cache entry or the second cache entry from responses to the OCSP responder separate from cache entries of responses to a second OCSP responder.
  - 10. The method of claim 1, wherein step (g) further comprises determining by the intermediary device to establish the third SSL connection based on the first cache entry identifying the status of the first client certificate as good and the first cache entry has not expired.

11. A system of batching Online Certificate Status Protocol (OCSP) requests and caching responses to the OCSP requests, the system comprising:
- an intermediary device receiving a plurality of client certificates during a Secure Socket Layer (SSL) handshake, a first client certificate during a first Secure Socket Layer (SSL) handshake with a first client and a second client certificate during a second SSL handshake with a second client, each of the first client certificate and the second client certificate corresponding to a certificate authority;
  
  a cache manager of the intermediary device identifying that a status of the first client certificate and a status of the second client certificate is not in a cache of the intermediary device;
  
  an Online Certificate Status Protocol (OCSP) responder of the intermediary device transmitting a single request to an OCSP server to the status of each of the first client certificate and the second client certificate;
  
  an SSL engine of the intermediary device determining, from a single response received from the OCSP server, whether to establish a first SSL connection with the first client based on the status of the first client certificate and a second SSL connection with the second client based on the status of the second client certificate;
  
  wherein the cache manager stores to the cache a first cache entry identifying the status of the first client certificate and a second cache entry identifying the status of second client certificate, each of the first cache entry and the second cache entry stored in association with the OCSP responder and with a cache expiry identified by the OCSP responder; and
  
  wherein the intermediary device receives from first client during a third SSL handshake, the first client certificate and the SSL engine determines whether to establish a third SSL connection with the first client based on the status of the first client certificate identified via the cache.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the intermediary device receives one of the first client certificate or the second client certificate comprising an identifier of the certificate authority.
  - 13. The system of claim 11, wherein the cache manager determines that one of the first cache entry or the second cache entry has expired.
  - 14. The system of claim 11, wherein the intermediary device waits a predetermined time period for receipt of additional client certificates corresponding to the certificate authority before transmitting the single request.
  - 15. The system of claim 14, wherein the intermediary device receives a third client certificate before expiration of the predetermined time period and the OCSP responder includes in the single request to the OCSP server, a request for the status of the third client certificate.
  - 16. The system of claim 11, wherein the intermediary device identifies the OCSP responder from a plurality of OCSP responders of the intermediary device corresponding to the certificate authority.
  - 17. The system of claim 11, wherein the SSL engine establishes SSL connections with those clients having client certificates with a good status and not establishing SSL connections with those clients having client certificates not having a good status.
  - 18. The system of claim 11, wherein the cache manager generates a hash for one of the first cache entry or the second cache entry based on an issuer name, a subject name and a response.
  - 19. The system of claim 11, wherein the cache manager stores one of the first cache entry or the second cache entry from responses to the OCSP responder separate from cache entries of responses to a second OCSP responder.
  - 20. The system of claim 11, wherein the SSL engine determines to establish the third SSL connection based on the first cache entry identifying the status of the first client certificate as good and the first cache entry has not expired.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Edstrom, Christofer, Kanekar, Tushar

Granted Patent

US 8,627,063 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/151
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/166   at the transport layer

H04L 67/566   Grouping or aggregating ser...

H04L 67/568   Storing data temporarily at...

H04L 67/5682   Policies or rules for updat...

H04L 9/3268   using certificate validatio...

H04L 9/50   using hash chains, e.g. blo...

SYSTEMS AND METHODS FOR FLASH CROWD CONTROL AND BATCHING OCSP REQUESTS VIA ONLINE CERTIFICATE STATUS PROTOCOL

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR FLASH CROWD CONTROL AND BATCHING OCSP REQUESTS VIA ONLINE CERTIFICATE STATUS PROTOCOL

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links