Systems and methods for policy driven fine grain validation of servers' SSL certificate for clientless SSLVPN access

US 9,948,633 B2
Filed: 10/28/2015
Issued: 04/17/2018
Est. Priority Date: 10/28/2015
Status: Active Grant

First Claim

Patent Images

1. A method for validation of a secure socket layer (SSL) certificate of a server for clientless SSL virtual private network (VPN) access, the method comprising:

receiving, by a device intermediary between a client and a plurality of servers, a first request from the client for establishing a clientless SSL VPN connection with a first server of the plurality of servers;

maintaining, by the device, one or more preconfigured policies for use by the device to restrict SSL certificate validation to a set of servers or domain names specified in the one or more preconfigured policies, each of the one or more preconfigured policies specifying;

(1) a respective condition that specifies at least one respective server or domain name of the set of servers or domain names, and (2) at least one respective action, triggered by the at least one respective condition and comprising a corresponding method of performing SSL certificate validation;

identifying, by the device from the first request, one or more parameters associated with the first server;

determining, by the device using the one or more parameters associated with the first server, that the first server in the first request meets a first condition of a first preconfigured policy of the one or more preconfigured policies which triggers a first action of the first preconfigured policy to validate a SSL certificate of the first server; and

performing, by the device responsive to the determination, the first action to validate the SSL certificate of the first server at the device for the clientless SSL VPN connection according to a SSL validation method corresponding to the first action, using one or more certificate authority (CA) certificates specified by the first preconfigured policy, the one or more CA certificates comprising a subset of a plurality of CA certificates available to the device; and

establishing the clientless SSL VPN connection responsive to validating the SSL certificate of the first server.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure is directed towards systems and methods for validation of a secure socket layer (SSL) certificate of a server for clientless SSL virtual private network (VPN) access. An intermediary device can receive a first request from a client for a clientless SSL VPN connection to a first server. The intermediary device can determine, using a preconfigured policy, that the first server in the first request meets a condition of the preconfigured policy. The intermediary device 801 can perform, responsive to the determination, an action to validate a SSL certificate of the first server using one or more certificate authority (CA) certificate files available to the intermediary device. The one or more CA certificate files can be specified by the preconfigured policy for the action.

20 Citations

View as Search Results

20 Claims

1. A method for validation of a secure socket layer (SSL) certificate of a server for clientless SSL virtual private network (VPN) access, the method comprising:
- receiving, by a device intermediary between a client and a plurality of servers, a first request from the client for establishing a clientless SSL VPN connection with a first server of the plurality of servers;
  
  maintaining, by the device, one or more preconfigured policies for use by the device to restrict SSL certificate validation to a set of servers or domain names specified in the one or more preconfigured policies, each of the one or more preconfigured policies specifying;
  
  (1) a respective condition that specifies at least one respective server or domain name of the set of servers or domain names, and (2) at least one respective action, triggered by the at least one respective condition and comprising a corresponding method of performing SSL certificate validation;
  
  identifying, by the device from the first request, one or more parameters associated with the first server;
  
  determining, by the device using the one or more parameters associated with the first server, that the first server in the first request meets a first condition of a first preconfigured policy of the one or more preconfigured policies which triggers a first action of the first preconfigured policy to validate a SSL certificate of the first server; and
  
  performing, by the device responsive to the determination, the first action to validate the SSL certificate of the first server at the device for the clientless SSL VPN connection according to a SSL validation method corresponding to the first action, using one or more certificate authority (CA) certificates specified by the first preconfigured policy, the one or more CA certificates comprising a subset of a plurality of CA certificates available to the device; and
  
  establishing the clientless SSL VPN connection responsive to validating the SSL certificate of the first server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising providing, by the device a user interface for preconfiguring, for each of the one or more preconfigured policies, the at least one respective action and a rule associated with the respective condition.
  - 3. The method of claim 2, wherein for each of the one or more preconfigured policies, the rule associated with the respective condition is configured to trigger the at least one respective action.
  - 4. The method of claim 1, wherein for each of the one or more preconfigured policies, the at least one respective action lists one or more corresponding CA certificates which comprise a subset of the plurality of CA certificates available to the device, to use in SSL certificate validation.
  - 5. The method of claim 1, further comprising providing a uniform resource locator (URL) to the client for initiating the first request for the clientless SSL VPN connection, the URL including an indication of the first server.
  - 6. The method of claim 1, wherein performing the first action to validate the SSL certificate comprises examining the SSL certificate for signature and expiry.
  - 7. The method of claim 1, wherein performing the first action to validate the SSL certificate comprises matching a fully qualified domain name of the first server in the first request with at least one of a common name or a domain name included in the SSL certificate of the first server.
  - 8. The method of claim 1, further comprising determining, by the device, responsive to determining a failure to validate the SSL certificate of the first server, at least one of dropping the requested clientless SSL VPN connection, or sending a message to the client indicating the failure.
  - 9. The method of claim 1, wherein the device reduces time consumed for processing the first request by validating the SSL certificate of the first server using the one or more specified CA certificates.
  - 10. The method of claim 1, further comprising:
    - receiving, by the device, a second request for establishing a clientless SSL VPN connection with a second server;
      
      determining, by the device, that the second server in the second request fails to satisfy a condition of any of the one or more preconfigured policies for clientless SSL VPN connection; and
      
      determining, by the device, to forego validation of a SSL certificate of the second server responsive to a failure to satisfy a condition of any of the one or more preconfigured policies.

11. A system for validation of a secure socket layer (SSL) certificate of a server for clientless SSL virtual private network (VPN) access, the system comprising:
- a device intermediary between a client and at least one server, the device including a storage memory and one or more processors to implement a policy engine and a validation engine, the device configured to receive a first request from the client for establishing a clientless SSL VPN connection with a first server of the at least one server;
  
  the storage memory configured to maintain one or more preconfigured policies for use by the device to restrict SSL certificate validation to a set of servers or domain names specified in the one or more preconfigured policies, each of the one or more preconfigured policies specifying;
  
  (1) a respective condition that specifies at least one respective server or domain name of the set of servers or domain names, and (2) at least one respective action, triggered by the at least one respective condition and comprising a corresponding method of performing SSL certificate validations;
  
  the one or more processors configured to identify, from the first request, one or more parameters associated with the first server;
  
  the policy engine executing on the device, the policy engine configured to determine, using the one or more parameters associated with the first server, that the first server in the first request meets a first condition of a first preconfigured policy of the one or more preconfigured policies that triggers a first action of the first preconfigured policy to validate a SSL certificate of the first server;
  
  the validation engine executing on the device, the validation engine configured to perform, responsive to the determination, a first action to validate the SSL certificate of the first server at the device for the clientless SSL VPN connection according to a SSL validation method corresponding to the first action, using one or more certificate authority (CA) certificates specified by the first preconfigured policy, the one or more CA certificates comprising a subset of a plurality of CA certificates available to the device, and establish the clientless SSL VPN connection responsive to validating the SSL certificate of the first server.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the one or more processors of the device is configured to provide a user interface for preconfiguring, for each of the one or more preconfigured policies, the at least one respective action and a rule associated with the respective condition.
  - 13. The system of claim 12, wherein for each of the one or more preconfigured policies, the rule associated with the respective condition is configured to trigger the at least one respective action.
  - 14. The system of claim 11, wherein for each of the one or more preconfigured policies, the at least one respective action lists one or more corresponding CA certificates which comprise a subset of the plurality of CA certificates available to the device, to use in SSL certificate validation.
  - 15. The system of claim 11, wherein a uniform resource locator (URL) is provided to the client for initiating the first request for the clientless SSL VPN connection, the URL including an indication of the first server.
  - 16. The system of claim 11, wherein the policy engine is further configured to perform the first action to validate the SSL certificate, the action including examining the SSL certificate for signature and expiry.
  - 17. The system of claim 11, wherein the policy engine is further configured to perform the first action to validate the SSL certificate, the action including matching a fully qualified domain name of the first server in the first request with at least one of a common name or a domain name included in the SSL certificate of the first server.
  - 18. The system of claim 11, wherein the one or more processors of the device is configured to, responsive to determining a failure to validate the SSL certificate of the first server, drop the requested clientless SSL VPN connection, or send a message to the client indicating the failure.
  - 19. The system of claim 11, wherein the one or more processors of the device is configured to reduce time consumed for processing the first request by validating the SSL certificate of the first server using the one or more specified CA certificates.
  - 20. The system of claim 11, wherein the one or more processors of the device is configured to receive a second request for establishing a clientless SSL VPN connection with a second server, and the policy engine is further configured to:
    - determine that the second server in the second request fails to satisfy any condition of any of the one or more preconfigured policies for clientless SSL VPN connection; and
      
      determine to forego validation of a SSL certificate of the second server responsive to a failure to satisfy any condition of any of the one or more preconfigured policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Khandelwal, Jaydeep, Gupta, Punit, Kumar, Arkesh
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Sherkat, Arezoo

Application Number

US14/925,410
Publication Number

US 20170126664A1
Time in Patent Office

902 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0272 Virtual private networks

H04L 63/0823 using certificates cryptogr...

Systems and methods for policy driven fine grain validation of servers' SSL certificate for clientless SSLVPN access

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for policy driven fine grain validation of servers' SSL certificate for clientless SSLVPN access

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others