SYSTEMS AND METHODS FOR FLASH CROWD CONTROL AND BATCHING OCSP REQUESTS VIA ONLINE CERTIFICATE STATUS PROTOCOL
First Claim
1. A method of batching Online Certificate Status Protocol (OCSP) requests and caching responses to the OCSP requests, the method comprising:
(a) receiving, by an intermediary device between a plurality of clients and one or more servers, a first client certificate during a first Secure Socket Layer (SSL) handshake with a first client and a second client certificate during a second SSL handshake with a second client, each of the first client certificate and the second client certificate corresponding to a certificate authority;
(b) identifying, by the intermediary device, that a status of the first client certificate and a status of the second client certificate is not in a cache of the intermediary device;
(c) transmitting, by an Online Certificate Status Protocol (OCSP) responder of the intermediary device, a single request to an OCSP server to determine the status of each of the first client certificate and the second client certificate;
(d) determining, by the intermediary device from a single response received from the OCSP server, whether to establish a first SSL connection with the first client based on the status of the first client certificate and a second SSL connection with the second client based on the status of the second client certificate;
(e) storing, by the intermediary device, to the cache a first cache entry identifying the status of the first client certificate and a second cache entry identifying the status of the second client certificate, each of the first cache entry and the second cache entry stored in association with the OCSP responder and with a cache expiry identified by the OCSP responder;
(f) receiving, by the intermediary device from the first client during a third SSL handshake, the first client certificate; and
(g) determining, by the intermediary, whether to establish a third SSL connection with the first client based on the status of the first client certificate identified via the cache.
Abstract
The present invention is directed towards systems and methods for batching OCSP requests and caching corresponding responses. An intermediary between a plurality of clients and one or more servers receives a first client certificate during a first SSL handshake with a first client and a second client certificate during a second SSL handshake with a second client. The intermediary may identify that the statuses of the client certificates are not in a cache of the intermediary. An OCSP responder of the intermediary may transmit a single request to an OCSP server to determine the statuses. The intermediary may determine, from a single response received from the OCSP server, whether to establish SSL connections with the clients based on the statuses. The intermediary may store the statuses to the cache for determining whether to establish an SSL connection in response to receiving a client certificate from the first client.
20 Claims
1. (Independent claim; text as given above under First Claim.) Claims 2 to 10 depend on claim 1.
11. A system of batching Online Certificate Status Protocol (OCSP) requests and caching responses to the OCSP requests, the system comprising:
an intermediary device receiving a plurality of client certificates during a Secure Socket Layer (SSL) handshake, a first client certificate during a first Secure Socket Layer (SSL) handshake with a first client and a second client certificate during a second SSL handshake with a second client, each of the first client certificate and the second client certificate corresponding to a certificate authority;
a cache manager of the intermediary device identifying that a status of the first client certificate and a status of the second client certificate is not in a cache of the intermediary device;
an Online Certificate Status Protocol (OCSP) responder of the intermediary device transmitting a single request to an OCSP server to determine the status of each of the first client certificate and the second client certificate;
an SSL engine of the intermediary device determining, from a single response received from the OCSP server, whether to establish a first SSL connection with the first client based on the status of the first client certificate and a second SSL connection with the second client based on the status of the second client certificate;
wherein the cache manager stores to the cache a first cache entry identifying the status of the first client certificate and a second cache entry identifying the status of the second client certificate, each of the first cache entry and the second cache entry stored in association with the OCSP responder and with a cache expiry identified by the OCSP responder; and
wherein the intermediary device receives from the first client during a third SSL handshake the first client certificate, and the SSL engine determines whether to establish a third SSL connection with the first client based on the status of the first client certificate identified via the cache.
Claims 12 to 20 depend on claim 11.
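The following Python is an added worked example, not code from the patent or its assignee, modelling the procedure of claims 1 and 11: an SSL-terminating intermediary receives client certificates during handshakes, looks their status up in a cache, coalesces the misses into a single request per OCSP responder, stores each returned status with the expiry the responder supplied, and answers later handshakes from the cache until that expiry passes. `CertId`, `CacheEntry`, `FakeOcspServer` and `Intermediary` are constructed names; the OCSP server is a constructed in-memory stub that accepts a list of certificate identifiers in one request (as RFC 6960 permits) rather than a real responder, and the status values mirror RFC 6960's good/revoked/unknown. It goes slightly beyond the claim text in two respects that a practitioner would want: within one flash-crowd burst, a certificate presented by many clients is queried once, and the connection decision fails closed, so only an affirmative "good" establishes a connection.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Certificate status values as named in RFC 6960.
GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass(frozen=True)
class CertId:
    """Identifies a client certificate by its issuing CA and serial number (constructed model)."""
    issuer: str
    serial: int


@dataclass
class CacheEntry:
    status: str
    responder: str      # which OCSP responder the entry came from
    expires_at: float   # cache expiry identified by the responder (its nextUpdate)


class FakeOcspServer:
    """Constructed stand-in for a CA's OCSP server: answers one batched request
    covering several certificates with one response, and counts traffic so the
    effect of batching and caching can be measured."""

    def __init__(self, revoked_serials, validity_secs: float):
        self.revoked = set(revoked_serials)
        self.validity = validity_secs
        self.requests_seen = 0
        self.cert_ids_seen = 0

    def respond(self, cert_ids: List[CertId], now: float) -> Dict[CertId, Tuple[str, float]]:
        self.requests_seen += 1
        self.cert_ids_seen += len(cert_ids)
        return {
            cid: (REVOKED if cid.serial in self.revoked else GOOD, now + self.validity)
            for cid in cert_ids
        }


class Intermediary:
    """Hypothetical model of the claimed intermediary device: batches OCSP
    lookups per responder and caches the results."""

    def __init__(self, responders: Dict[str, FakeOcspServer]):
        self.responders = responders          # issuer name -> its OCSP responder
        self.cache: Dict[CertId, CacheEntry] = {}

    def cached_status(self, cid: CertId, now: float) -> Optional[str]:
        entry = self.cache.get(cid)
        if entry is not None and now < entry.expires_at:
            return entry.status
        self.cache.pop(cid, None)             # expired or absent: must re-query
        return None

    def handshakes(self, presented: List[Tuple[str, CertId]], now: float) -> Dict[str, bool]:
        """Process a burst of SSL handshakes, each (client id, presented cert id).
        Returns client id -> whether the SSL connection is established."""
        decisions: Dict[str, bool] = {}
        misses: Dict[str, List[CertId]] = {}  # issuer -> distinct cert ids to query
        waiting: List[Tuple[str, CertId]] = []
        for client, cid in presented:
            status = self.cached_status(cid, now)
            if status is not None:
                decisions[client] = status == GOOD
                continue
            batch = misses.setdefault(cid.issuer, [])
            if cid not in batch:                  # flash crowd: one query per cert
                batch.append(cid)
            waiting.append((client, cid))
        # One OCSP request per responder, however many clients were waiting on it.
        for issuer, cert_ids in misses.items():
            responder = self.responders.get(issuer)
            if responder is None:
                continue                          # unknown CA: no entry is created
            for cid, (status, expiry) in responder.respond(cert_ids, now).items():
                self.cache[cid] = CacheEntry(status, issuer, expiry)
        for client, cid in waiting:
            entry = self.cache.get(cid)
            # Fail closed: revoked, unknown, or no answer at all is rejected.
            decisions[client] = entry is not None and entry.status == GOOD
        return decisions


def demo() -> Tuple[int, int, int]:
    """100 clients presenting two distinct certs, then a cache hit, then an
    expiry. Returns the responder's request count after each stage."""
    ca = FakeOcspServer(revoked_serials={2}, validity_secs=600)
    proxy = Intermediary({"ExampleCA": ca})
    good_cert, revoked_cert = CertId("ExampleCA", 1), CertId("ExampleCA", 2)
    burst = [(f"client{i}", good_cert if i % 2 == 0 else revoked_cert) for i in range(100)]
    burst_decisions = proxy.handshakes(burst, now=0.0)
    assert burst_decisions["client0"] and not burst_decisions["client1"]
    after_burst = ca.requests_seen
    proxy.handshakes([("client0", good_cert)], now=300.0)   # third handshake: cache hit
    after_hit = ca.requests_seen
    proxy.handshakes([("client0", good_cert)], now=601.0)   # expiry passed: re-query
    return after_burst, after_hit, ca.requests_seen
```

In `demo()` the whole burst costs the responder a single request carrying two certificate identifiers, the later handshake is answered from the cache, and only once the responder-supplied expiry has passed is a second request sent; the cache entry records which responder it came from, matching element (e) of claim 1.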