SYSTEMS AND METHODS FOR HANDLING SSL SESSION NOT REUSABLE ACROSS MULTIPLE CORES

US 20140068245A1
Filed: 11/08/2013
Published: 03/06/2014
Est. Priority Date: 06/22/2009
Status: Active Grant

First Claim

Patent Images

1. A method of identifying an SSL session as not reusable among cores in a multi-core system, the method comprising:

a) indicating, by a first packet engine executing on a first core of a multi-core system, that an SSL session is not reusable;

b) identifying, by the first packet engine responsive to the indication, one or more or core identifiers of one or more cores of the multi-core system that have requested session information for the SSL session;

c) transmitting, by the first packet engine, to each of the identified one or more cores of the multi-core system a message indicating that the SSL session is not reusable;

d) receiving, by a second packet engine of a second core of the multi-core system, a request to reuse the SSL session established by the first core, the request comprising a session identifier of the SSL session, the session identifier identifying the first core as an establisher of the SSL session;

e) identifying, by the second packet engine, from the session identifier that the second core is not the establisher of the SSL session; and

f) determining not to reuse, by the second packet engine, the SSL session based on the message from the first core and the identification that the second core is not the establisher of the SSL session.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed towards systems and methods for managing SSL session persistence and reuse in a multi-core system. A first core may indicate that an SSL session established by the first core is non-resumable. Responsive to the indication, the core may set an indicator at a location in memory accessible by each core of the multi-core system, the indicator indicating that the SSL session is non-resumable. A second core of the multi-core system may receive a request to reuse the SSL session. The request may include a session identifier of the SSL session. In addition, the session identifier may identify the first core as an establisher of the SSL session. The second core can identify from encoding of the session identifier whether the second core is not the establisher of the SSL session. Responsive to the identification, the second core may determine whether to resume the SSL session.

9 Citations

View as Search Results

20 Claims

1. A method of identifying an SSL session as not reusable among cores in a multi-core system, the method comprising:
- a) indicating, by a first packet engine executing on a first core of a multi-core system, that an SSL session is not reusable;
  
  b) identifying, by the first packet engine responsive to the indication, one or more or core identifiers of one or more cores of the multi-core system that have requested session information for the SSL session;
  
  c) transmitting, by the first packet engine, to each of the identified one or more cores of the multi-core system a message indicating that the SSL session is not reusable;
  
  d) receiving, by a second packet engine of a second core of the multi-core system, a request to reuse the SSL session established by the first core, the request comprising a session identifier of the SSL session, the session identifier identifying the first core as an establisher of the SSL session;
  
  e) identifying, by the second packet engine, from the session identifier that the second core is not the establisher of the SSL session; and
  
  f) determining not to reuse, by the second packet engine, the SSL session based on the message from the first core and the identification that the second core is not the establisher of the SSL session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein step (a) further comprises receiving, by the first packet engine of the first core of the multi-core system deployed as an intermediary between the client and a server, a notification that the SSL session is not reusable.
  - 3. The method of claim 1, wherein step (a) further comprises determining, by the first packet engine of the first core of the multi-core system deployed as an intermediary between the client and a server, the SSL session is not reusable in accordance with a policy.
  - 4. The method of claim 1, wherein step (b) further comprises identifying, by the first packet engine, based on a bit pattern of data stored on the first core.
  - 5. The method of claim 1, wherein step (b) further comprises identifying the one or more cores via core identifiers included in requests for session information for the SSL session.
  - 6. The method of claim 1, wherein step (c) further comprises determining, by a flow distributor of the multi-core system, to forward the request to the second core based on a source port of the request.
  - 7. The method of claim 1, wherein step (e) further comprises decoding, by the second packet engine, a core identifier from a byte of the session identifier.
  - 8. The method of claim 1, wherein step (e) further comprises determining, by the second packet engine, that the session identifier is not in a session cache of the second core.
  - 9. The method of claim 1, wherein step (f) further comprises removing, by the second packet engine, information about the SSL session from a session cache of the second core.
  - 10. The method of claim 1, wherein step (f) further comprises establishing, by the second packet engine, a second SSL session responsive to the request.
  - 11. The method of claim 1, wherein step (f) further comprises determining, by the second packet engine, whether a predetermined maximum reuse threshold has been reached.

12. A system for identifying an SSL session as not reusable among cores in a multi-core system, the system comprising:
- a device comprising a plurality of cores;
  
  a first packet engine executable on a first core of the plurality of cores and configured to indicate that an SSL session is not reusable; and
  
  responsive to the indication, to identify one or more or core identifiers of one or more cores of the plurality of cores that have requested session information for the SSL session, and transmit to each of the identified one or more cores of the plurality of cores a message indicating that the SSL session is not reusable;
  
  a second packet engine executable on a second core of the plurality of cores and configured to receive a request to reuse the SSL session established by the first core, the request comprising a session identifier of the SSL session, the session identifier identifying the first core as an establisher of the SSL session;
  
  wherein second packet engine is configured to identify from the session identifier that the second core is not the establisher of the SSL session and determine not to reuse the SSL session based on the message from the first core and the identification that the second core is not the establisher of the SSL session.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, wherein the device is configured as an intermediary between the client and a server.
  - 14. The system of claim 12, wherein the first packet engine is further configured to determine that the SSL session is not reusable in accordance with a policy.
  - 15. The system of claim 12, wherein the first packet engine is further configured to identify one or more core identifiers based on a bit pattern of data stored on the first core.
  - 16. The system of claim 12, wherein the first packet engine is further configured to identify the one or more cores via core identifiers included in requests for session information for the SSL session.
  - 17. The system of claim 12, wherein a flow distributor of the device is configured to forward the request to the second core based on a source port of the request.
  - 18. The system of claim 12, wherein the second packet engine is further configured to decode a core identifier from a byte of the session identifier.
  - 19. The system of claim 12, wherein the second packet engine is further configured to determine that the session identifier is not in a session cache of the second core.
  - 20. The system of claim 12, wherein the second packet engine is further configured to determine whether a predetermined maximum reuse threshold has been reached.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Kanekar, Tushar

Granted Patent

US 9,276,957 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/151
CPC Class Codes

H04L 2209/043   of tables, e.g. lookup, sub...

H04L 2209/30   Compression, e.g. Merkle-Da...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/80   Wireless network architectu...

H04L 63/0471   applying encryption by an i...

H04L 63/0485   Networking architectures fo...

H04L 63/0823   using certificates cryptogr...

H04L 63/0876   based on the identity of th...

H04L 63/166   at the transport layer

H04L 67/1027   Persistence of sessions dur...

H04L 67/1036   Load balancing of requests ...

H04L 9/3268   using certificate validatio...

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

SYSTEMS AND METHODS FOR HANDLING SSL SESSION NOT REUSABLE ACROSS MULTIPLE CORES

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR HANDLING SSL SESSION NOT REUSABLE ACROSS MULTIPLE CORES

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links