SYSTEMS AND METHODS FOR SPLIT PROXYING OF SSL VIA WAN APPLIANCES

US 20110264905A1
Filed: 04/21/2010
Published: 10/27/2011
Est. Priority Date: 04/21/2010
Status: Active Grant

First Claim

Patent Images

1. A method for split proxying Secure Socket Layer (SSL) communications across intermediaries deployed between a client and a server, the method comprising:

a) establishing, by a first intermediary in communication with a server, a first Secure Socket Layer (SSL) session with a server;

b) establishing, by a second intermediary in communication with one or more client, a second Secure Socket Layer (SSL) session with a client using SSL configuration information received from the first intermediary, the second intermediary and the first intermediary communicating via a third SSL session;

c) decrypting, by the first intermediary, encrypted data received from the server using a first session key of the first SSL session;

d) transmitting, by the first intermediary to the second intermediary via the third SSL session, the data encrypted using a third session key of the third SSL session;

e) decrypting, by the second intermediary, the data encrypted via the third SSL session using the third session key; and

f) transmitting, by the second intermediary to the client, the data encrypted using a second session key of the second SSL session.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed towards systems and methods for split proxying Secure Socket Layer (SSL) communications via intermediaries deployed between a client and a server. The method includes establishing, by a server-side intermediary, a SSL session with a server. A client-side intermediary may establish a second SSL session with a client using SSL configuration information received from the server-side intermediary. Both intermediaries may communicate via a third SSL session. The server-side intermediary may decrypt data received from the server using the first SSL session'"'"'s session key. The server-side intermediary may transmit to the client-side intermediary, via the third SSL session, data encrypted using the third SSL session'"'"'s session key. The client-side intermediary may decrypt the encrypted data using the third SSL session'"'"'s session key. The client-side intermediary may transmit to the client the data encrypted using the second SSL session'"'"'s session key.

185 Citations

20 Claims

1. A method for split proxying Secure Socket Layer (SSL) communications across intermediaries deployed between a client and a server, the method comprising:
- a) establishing, by a first intermediary in communication with a server, a first Secure Socket Layer (SSL) session with a server;
  
  b) establishing, by a second intermediary in communication with one or more client, a second Secure Socket Layer (SSL) session with a client using SSL configuration information received from the first intermediary, the second intermediary and the first intermediary communicating via a third SSL session;
  
  c) decrypting, by the first intermediary, encrypted data received from the server using a first session key of the first SSL session;
  
  d) transmitting, by the first intermediary to the second intermediary via the third SSL session, the data encrypted using a third session key of the third SSL session;
  
  e) decrypting, by the second intermediary, the data encrypted via the third SSL session using the third session key; and
  
  f) transmitting, by the second intermediary to the client, the data encrypted using a second session key of the second SSL session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein step (a) further comprises transmitting, by the second intermediary to the first intermediary, a request from the client to establish a transport layer connection with the server, the first intermediary modifying the request to indicate to the second intermediary to perform Secure Socket Layer (SSL) acceleration.
  - 3. The method of claim 1, wherein step (b) further comprises transmitting, by the first intermediary to the second intermediary, a message identifying SSL configuration for client-side SSL proxying.
  - 4. The method of claim 3, wherein step (b) further comprises transmitting, by the second intermediary, to the client a server hello, a server certificate and a server hello done message using the SSL configuration received from the first intermediary.
  - 5. The method of claim 3, wherein step (b) further comprises transmitting, by the first intermediary to the second intermediary, a request to perform split SSL proxying.
  - 6. The method of claim 1, further comprising transmitting, by the second intermediary to the first intermediary, a request for a crypto operation.
  - 7. The method of claim 6, further comprising performing, by the first intermediary, the requested crypto operation on behalf of the second intermediary and communicating to second intermediary a response to the request.
  - 8. The method of claim 1, wherein step (c) further comprises compressing by the first intermediary the received data using a compression history stored on the first intermediary.
  - 9. The method of claim 1, wherein step (e) further comprises decompressing by the second intermediary the received data using the compression history stored on the second intermediary.
  - 10. The method of claim 1, further comprising identifying, by the first intermediary and the second intermediary, the third SSL session from a pool of pre-established SSL sessions maintained by each of the first intermediary and the second intermediary.

11. A system for split proxying Secure Socket Layer (SSL) communications across intermediaries deployed between a client and a server, comprising:
- means for establishing, by a first intermediary in communication with a server, a first Secure Socket Layer (SSL) session with a server;
  
  means for establishing, by a second intermediary in communication with one or more client, a second Secure Socket Layer (SSL) session with a client using SSL configuration information received from the first intermediary, the second intermediary and the first intermediary communicating via a third SSL session;
  
  means for decrypting, by the first intermediary, encrypted data received from the server using a first session key of the first SSL session;
  
  means for transmitting, by the first intermediary to the second intermediary via the third SSL session, the data encrypted using a third session key of the third SSL session;
  
  means for decrypting, by the second intermediary, the data encrypted via the third SSL session using the third session key; and
  
  means for transmitting, by the second intermediary to the client, the data encrypted using a second session key of the second SSL session.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, further comprising means for transmitting, by the second intermediary to the first intermediary, a request from the client to establish a transport layer connection with the server, the first intermediary modifying the request to indicate to the second intermediary to perform Secure Socket Layer (SSL) acceleration.
  - 13. The system of claim 11, further comprising means for transmitting, by the first intermediary to the second intermediary, a message identifying SSL configuration for client-side SSL proxying.
  - 14. The system of claim 13, further comprising means for transmitting, by the second intermediary, to the client a server hello, a server certificate and a server hello done message using the SSL configuration received from the first intermediary.
  - 15. The system of claim 13, further comprising means for transmitting, by the first intermediary to the second intermediary, a request to perform split SSL proxying.
  - 16. The system of claim 11, further comprising means for transmitting, by the second intermediary to the first intermediary, a request for a crypto operation.
  - 17. The system of claim 16, further comprising means for performing, by the first intermediary, the requested crypto operation on behalf of the second intermediary and communicating to second intermediary a response to the request.
  - 18. The system of claim 11, further comprising means for compressing, by the first intermediary, the received data using a compression history stored on the first intermediary.
  - 19. The system of claim 11, further comprising means for decompressing, by the second intermediary, the received data using the compression history stored on the second intermediary.
  - 20. The system of claim 11, further comprising means for identifying, by the first intermediary and the second intermediary, the third SSL session from a pool of pre-established SSL sessions maintained by each of the first intermediary and the second intermediary.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Ovsiannikov, Michael

Granted Patent

US 8,543,805 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/151
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0464   using hop-by-hop encryption...

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

H04L 67/2876   Pairs of inter-processing e...

H04L 67/565   Conversion or adaptation of...

H04L 67/5651   Reducing the amount or size...

SYSTEMS AND METHODS FOR SPLIT PROXYING OF SSL VIA WAN APPLIANCES

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

185 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR SPLIT PROXYING OF SSL VIA WAN APPLIANCES

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

185 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links