WO2004036360A2 - Client-side ssl connection completion through secure proxy server - Google Patents


Info

Publication number: WO2004036360A2
Authority: WO (WIPO (PCT))
Prior art keywords: client, connection information, application server, ssl, recited
Application number: PCT/US2003/032570
Other languages: French (fr)
Other versions: WO2004036360A3 (en)
Inventors: Matthew Blythe, Alan Frindell
Original Assignee: Ingrian Networks, Inc.
Application filed by: Ingrian Networks, Inc.
Priority to: AU2003284204A
Publications: WO2004036360A2, WO2004036360A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/166 Implementing security features at a particular protocol layer at the transport layer

Abstract

A method, apparatus, and computer readable medium for establishing a client connection (224) to a proxy server (220), and having the proxy server (220) convert (230) the client information and append it to a data stream sent to a back end application server (232).

Description

CLIENT-SIDE SSL CONNECTION COMPLETION THROUGH SECURE PROXY SERVER
FIELD OF THE INVENTION
The present invention relates to secure connection techniques and, more specifically, to providing secure SSL connection through a third party server.
BACKGROUND OF THE INVENTION
FIG. 1 is a block diagram of a network communications system 100 using Secure Sockets Layer (SSL). SSL is a protocol used for transmitting private documents. SSL works by using a public key to encrypt data for transfer over the SSL connection. The SSL protocol can be used to safely obtain confidential user information, such as credit card numbers.
Included in system 100 are client computers, of which only one client 102 is shown, communicating through a network 104, such as the Internet, to an application server 108 via an SSL connection 105 and an intermediate server 106. Assume that application server 108 employs a proprietary protocol. When SSL is used, however, performance degradation of the application server is encountered due to the nature of SSL. SSL acceleration techniques are commonly used to address the performance degradation problem. The design of the SSL protocol can involve the exchange of certificates to prove identity. The proprietary protocol, running on application server 108, may rely on the information in the client's certificate to authenticate the client to the server. Traditional SSL acceleration techniques, such as acting as a proxy between the client and the application server, prevent the client's certificate information from reaching the application server. Application servers are herein referred to as back-end application servers.
Restated, when an SSL connection is established, there are certain properties of the SSL connection which are lost to the back-end application servers if the SSL connection is handled by a proxy server which sits in front of the back-end application servers. The lost properties include SSL version information, symmetric cipher choice and strength, and any client certificate information that was presented by the client when establishing the SSL connection. Information on such properties is herein referred to as client-side SSL connection information.
Oftentimes, primarily for authentication and security purposes, applications running on the back-end application server need access to the client-side SSL connection information. If the underlying application protocol is HTTP, HTTP headers may be used for passing the client-side SSL connection information to back-end application servers. However, if the protocol is not HTTP and is arbitrary, there is no defined way to send the client-side SSL connection information back to the back-end application servers.
Accordingly, what are needed are methods and techniques for accelerating traditional SSL connections through third party proprietary network protocols that still allow for client-side SSL connection information to reach a back-end application server.
DRAWINGS
The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which:
FIG. 1 is a block diagram of a network communications system 100 using Secure Sockets Layer (SSL).
FIG. 2A is a high-level block diagram that illustrates aspects of a computerized environment 200 in which client-side SSL connection information can be sent to the relevant back-end application server, according to certain embodiments. FIG. 2B is a flowchart that illustrates some of the steps that the facility performs for allowing the back-end application server to access client-side SSL connection information, according to certain embodiments.
FIG. 3 is a block diagram that illustrates some of the components typically incorporated in at least some of the computer systems and other devices on which the facility executes.
FIG. 4 is a block diagram that illustrates one sample format into which the client-side SSL connection information can be converted.
DETAILED DESCRIPTION
A facility for sending client-side SSL connection information to a back-end application server that is using an arbitrary network protocol over SSL is described. For purposes of explanation, a software implementation of the facility is described. However, the facility may be a software implementation, or a hardware implementation, or a combination thereof and may vary from implementation to implementation. The current embodiments are not restricted to any particular implementation.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention. U.S. Patent Application No. 10/205,575 (Atty. Docket No. 36321-8010.US01), filed July 24, 2002, entitled "Method and System for Caching Secure Web Content", by Chawla et al., is herein incorporated by reference.
FIG. 2A is a high-level block diagram that illustrates aspects of a computerized environment 200 in which client-side SSL connection information can be sent to the relevant back-end application server, according to certain embodiments. The environment 200 includes a client 202, a network 204, a proxy server 206 and a back-end server 208. There may be more than one client and more than one back-end server.
In certain embodiments, retrieval and subsequent conversion of the client-side SSL connection information associated with the client is performed with the aid of one or more other computer systems, such as proxy server 206. Components of the facility may reside on and/or execute on any combination of these computer systems, and intermediate results from the conversion may similarly reside on any combination of these computer systems. The facility may be embodied in a single device or distributed among various devices. In certain embodiments, the proxy server, such as proxy server 206, serves as an SSL termination device with respect to client 202 that is attempting to send a data stream over an SSL connection to back-end application server 208.
In such embodiments, the client establishes an SSL connection with the proxy server, instead, because the proxy server is the SSL termination device. When the client establishes the SSL connection with the proxy server, the proxy server retrieves the client-side SSL connection information that is associated with that particular client. The proxy server then converts the client-side SSL connection information into a format that can be pre-pended to the data stream sent by the client and that is destined for the back-end application server.
The proxy server converts the client-side SSL connection information in a manner that is independent of the underlying application protocol of the back-end application server. Such a technique of sending client-side SSL connection information to the back-end application server ensures that the back-end application server can access the client-side SSL connection information irrespective of the underlying application protocol employed by the back-end application server.
The computer systems 200 shown in FIG. 2A are connected via network 204, which may use a variety of different networking technologies, including wired, guided or line-of-sight optical, and radio frequency networking. In some embodiments, the network includes the public switched telephone network. Network connections established via the network may be fully-persistent, session-based, or intermittent, such as packet-based. While the facility typically operates in an environment such as is shown in FIG. 2A and described above, those skilled in the art will appreciate the facility may also operate in a wide variety of other environments.
FIG. 2B is a flowchart that illustrates some of the steps that the facility performs for allowing the back-end application server to access client-side SSL connection information, according to certain embodiments. At block 220, the proxy server listens for the client to request an SSL connection with the back-end application server, and the proxy server intercepts the request. At block 222, the proxy server, acting as proxy for the back-end application server, establishes an SSL connection, such as connection A shown in FIG. 2A, with the client. At block 224, when the client has established an SSL connection with the proxy server, the proxy server retrieves the client-side SSL connection information associated with the client. Client-side SSL connection information includes any information that can be used to identify and/or authenticate the client. Examples of client-side SSL connection information comprise the SSL protocol version number, cipher choice and strength, and any and all information in the client certificate.
At block 226 of FIG. 2B, the proxy server, acting as proxy for the client, establishes a connection to the back-end application server. The connection to the back-end application server may be a clear connection or optionally, an SSL connection, such as connection B shown in FIG. 2A. At block 228, the proxy server converts the client-side SSL connection information into a format that is suitable for sending to the back-end application server.
At block 230, the proxy server sends the converted client-side SSL connection information to the back-end application server by pre-pending the converted client-side SSL connection information to the original data stream sent by the client and intended for the back-end application server. Once the back-end application server receives the client-side SSL connection information, the back-end application server can use the client-side SSL connection information to identify and/or authenticate the client. When identification and/or authentication is complete, a secure tunnel is opened between the client and the back-end application server. At block 232 of FIG. 2B, the proxy server begins forwarding application-protocol-specific data to and from the client and the back-end application server using the secure tunnel between the client and the back-end application server.
FIG. 3 is a block diagram showing some of the components typically incorporated in at least some of the computer systems and other devices on which the facility executes, including some or all of the server and client computer systems shown in FIG. 2A. These computer systems and devices 300 may include one or more central processing units ("CPUs") 301 for executing computer programs; a computer memory 302 for storing programs and data while they are being used; a persistent storage device 303, such as a hard drive, for persistently storing programs and data; a computer-readable media drive 304, such as a CD-ROM drive, for reading programs and data stored on a computer-readable medium; and a network connection 305 for connecting the computer system to other computer systems, such as via the Internet, to exchange programs and/or data. While computer systems configured as described above are typically used to support the operation of the facility, those skilled in the art will appreciate that the facility may be implemented using devices of various types and configurations, and having various components.
FIG. 4 is a block diagram that illustrates one example format 400 into which the client-side SSL connection information can be converted. In FIG. 4, the converted client-side SSL connection information 402 comprises a version number of the SSL protocol, length information, a certificate subject, and the Carriage Return and Line Feed (CRLF) characters. The length information specifies the length of the certificate subject plus the CRLF characters. The certificate subject is information from the client certificate that provides information on the identity of the client.
At the beginning of a connection to the back-end application server, 2 bytes are added (in network byte order) to specify the version of the SSL protocol being used.
Next, another 2 bytes are added (in network byte order) to specify the length of the certificate subject AND the CRLF characters. The length of the certificate subject AND the CRLF characters can be calculated using Equation 1:
EQUATION 1: length(certificate subject) + 2
The certificate subject can be sent in raw ASCII characters. The CRLF characters are used as a sentinel at the end of the client certificate information and the beginning of the original data stream.
When the feature for sending client-side SSL information to the back-end application server is enabled and either the connection did not require client certificates or the connection was an SSL resume, then an empty header of the version could be sent followed by the length of the CRLF, 2, and the CRLF characters, as shown in Equation 2:
EQUATION 2: 0102\r\n[connection data] (where 1 is the version number)
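As an added illustration (not code from the patent or from Ingrian Networks), the FIG. 4 prefix and the flowchart steps at blocks 228 through 232 in Python: a proxy-side encoder that applies Equations 1 and 2, including the empty-subject case, and a back-end parser that consumes exactly the prefix before the application protocol sees the rest of the stream. The function names, the sample certificate subject and the payload bytes are assumptions constructed for this example.

```python
import io
import struct
from typing import Callable, Optional, Tuple

CRLF = b"\r\n"
HEADER = struct.Struct("!HH")  # 2-byte SSL version + 2-byte length, network byte order


def build_prefix(ssl_version: int, subject: Optional[str]) -> bytes:
    """Proxy side (block 228): convert the client-side SSL connection
    information into the FIG. 4 prefix. subject=None is the case where the
    connection needed no client certificate or was an SSL resume: an empty
    subject with length 2, i.e. the CRLF alone (EQUATION 2)."""
    body = subject.encode("ascii") if subject else b""
    length = len(body) + len(CRLF)  # EQUATION 1: length(certificate subject) + 2
    if length > 0xFFFF:
        raise ValueError("certificate subject too long for the 16-bit length field")
    return HEADER.pack(ssl_version, length) + body + CRLF


def prepend_to_stream(ssl_version: int, subject: Optional[str],
                      client_data: bytes) -> bytes:
    """Block 230: the modified data stream the proxy forwards to the back-end."""
    return build_prefix(ssl_version, subject) + client_data


def read_prefix(read: Callable[[int], bytes]) -> Tuple[int, Optional[str]]:
    """Back-end side: consume exactly the prefix from a byte source before the
    application protocol sees any of the stream. `read(n)` is expected to
    return up to n bytes, like socket.makefile('rb').read or io.BytesIO.read.
    Anything malformed raises rather than being passed on as a subject."""
    header = read(HEADER.size)
    if len(header) != HEADER.size:
        raise ValueError("truncated version/length header")
    ssl_version, length = HEADER.unpack(header)
    if length < len(CRLF):
        raise ValueError("length field smaller than the CRLF sentinel")
    body = read(length)
    if len(body) != length:
        raise ValueError("truncated certificate subject")
    # The length field is authoritative; CRLF is only a consistency check, so a
    # subject that itself contains CR or LF cannot move the prefix boundary.
    if not body.endswith(CRLF):
        raise ValueError("CRLF sentinel missing at end of certificate subject")
    subject = body[:-len(CRLF)]
    if not subject.isascii():
        raise ValueError("certificate subject is not raw ASCII")
    return ssl_version, (subject.decode("ascii") or None)


def split_stream(modified: bytes) -> Tuple[int, Optional[str], bytes]:
    """Parse an in-memory modified stream into (version, subject, client data)."""
    buf = io.BytesIO(modified)
    ssl_version, subject = read_prefix(buf.read)
    return ssl_version, subject, buf.read()


if __name__ == "__main__":
    # Constructed sample values: a certificate subject and a few opaque bytes
    # standing in for the client's application-protocol data stream.
    subject = "CN=alice,O=Example Corp,C=US"
    payload = b"\x01\x00\x00\x08LOGINOK!"
    wire = prepend_to_stream(1, subject, payload)
    print(wire)
    print(split_stream(wire))
    print(split_stream(prepend_to_stream(1, None, payload)))
```

The prefix carries no integrity protection of its own, so a back-end that authenticates clients from it should accept it only on connection B from the proxy it trusts, not on connections reachable directly by clients.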
In the foregoing specification, embodiments of the invention have been described with reference to numerous specific details that may vary from implementation to implementation. Thus, the sole and exclusive indicator of what is the invention, and is intended by the applicants to be the invention, is the set of claims that issue from this application, in the specific form in which such claims issue, including any subsequent correction. Any express definitions set forth herein for terms contained in such claims shall govern the meaning of such terms as used in the claims. Hence, no limitation, element, property, feature, advantage or attribute that is not expressly recited in a claim should limit the scope of such claim in any way. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.

Claims

What is claimed is:
1. A method for sending SSL connection information to a back-end application server, the method comprising the computer-implemented acts of: retrieving said SSL connection information when a client establishes an SSL session that is associated with said SSL connection information; establishing a connection with said back-end application server; converting said SSL connection information into a form suitable for attaching to a data stream that is sent by said client during said SSL session and destined for said back-end application server; attaching said converted SSL connection information to said data stream to form a modified data stream; and forwarding said modified data stream to said back-end application server.
2. The method as recited in Claim 1, wherein converting said SSL connection information involves using a format that is independent of an underlying protocol associated with said back-end application server.
3. The method as recited in Claim 1, wherein attaching said converted SSL connection information involves pre-pending said converted SSL connection information to said data stream such that said application back-end server reads said converted SSL connection information before reading said data stream.
4. The method as recited in Claim 1, wherein said back-end application server uses said converted SSL connection information to identify said client.
5. The method as recited in Claim 1, wherein said back-end application server uses said converted SSL connection information to authenticate said client.
6. The method as recited in Claim 5, further comprising establishing a secure communication tunnel between said client and said back-end application server after said back-end server has authenticated said client.
7. The method as recited in Claim 6, wherein said secure communication tunnel is used for passing secure data between said client and said back-end application server, using an application-specific protocol associated with said back-end application server, during a duration of said SSL session.
8. The method as recited in Claim 1, wherein said converted SSL connection information includes a certificate subject information from a client certificate that is associated with said client.
9. The method as recited in Claim 1, wherein said converted SSL connection information includes a cipher-information that is associated with a cipher that is associated with said data stream.
10. The method as recited in Claim 1, wherein said converted SSL connection information includes contents of an entire client certificate information that is associated with said client.
11. The method as recited in Claim 1, wherein said converted SSL connection information includes an SSL protocol version number that is associated with said SSL connection.
12. The method as recited in Claim 1, wherein said converted SSL connection information includes a length information that is associated with a total number of bytes of said converted SSL connection information.
13. The method as recited in Claim 10, wherein said converted SSL connection information includes a sentinel indication to denote an end of said client certificate information.
14. The method as recited in Claim 13, wherein said sentinel indication includes a carriage-return character.
15. The method as recited in Claim 13, wherein said sentinel indication includes a line-feed character.
16. A computer-readable medium carrying one or more sequences of instructions for sending SSL connection information to a back-end application server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of: retrieving said SSL connection information when a client establishes an SSL session that is associated with said SSL connection information; establishing a connection with said back-end application server; converting said SSL connection information into a form suitable for attaching to a data stream that is sent by said client during said SSL session and destined for said back-end application server; attaching said converted SSL connection information to said data stream to form a modified data stream; and forwarding said modified data stream to said back-end application server.
17. The computer-readable medium as recited in Claim 16, wherein converting said SSL connection information involves using a format that is independent of an underlying protocol associated with said back-end application server.
18. The computer-readable medium as recited in Claim 16, wherein attaching said converted SSL connection information involves pre-pending said converted SSL connection information to said data stream such that said application back-end server reads said converted SSL connection information before reading said data stream.
19. The computer-readable medium as recited in Claim 16, wherein said back-end application server uses said converted SSL connection information to identify said client.
20. The computer-readable medium as recited in Claim 16, wherein said back-end application server uses said converted SSL connection information to authenticate said client.
21. The computer-readable medium as recited in Claim 20, further comprising establishing a secure communication tunnel between said client and said back-end application server after said back-end server has authenticated said client.
22. The computer-readable medium as recited in Claim 21, wherein further said secure communication tunnel is used for passing secure data between said client and said back-end application server during a duration of said SSL session.
23. The computer-readable medium as recited in Claim 16, wherein said converted SSL connection information includes a certificate subject information from a client certificate that is associated with said client.
24. The computer-readable medium as recited in Claim 16, wherein said converted SSL connection information includes a cipher-information that is associated with a cipher that is associated with said data stream.
25. The computer-readable medium as recited in Claim 16, wherein said converted SSL connection information includes contents of an entire client certificate information that is associated with said client.
26. The computer-readable medium as recited in Claim 16, wherein said converted SSL connection information includes an SSL protocol version number that is associated with said SSL connection.
27. The computer-readable medium as recited in Claim 16, wherein said converted SSL connection information includes a length information that is associated with a total number of bytes of said converted SSL connection information.
28. The computer-readable medium as recited in Claim 25, wherein said converted SSL connection information includes a sentinel indication to denote an end of said client certificate information.
29. The computer-readable medium as recited in Claim 28, wherein said sentinel indication includes a carriage-return character.
30. The computer-readable medium as recited in Claim 28, wherein said sentinel indication includes a line-feed character.
31. A facility, for sending SSL connection information to a back-end application server, said facility comprising: at least one processing device operable as a proxy server; wherein said SSL connection information is associated with a client and said at least one processing device is adapted for packaging said SSL connection information into a format that is: suitable for pre-pending to a data stream sent by said client and destined for said back-end application server; and independent of any underlying application protocol associated with said back-end application server.
32. A computer-implemented method suitable for use by a proxy server securing a back-end application server from an unsecure network, said method useful for establishing a secure communications channel from a client to said back-end application server, said method comprising the acts performed by said proxy server of: intercepting a request initiated by said client to establish a secure client-to-application connection with said application server; establishing a secure client-to-proxy connection with said client, wherein said proxy server acts as a proxy for said back-end application server such that said client-to-proxy connection appears as said client-to-application connection to said client; retrieving secure connection information that is associated with said client; establishing a proxy-to-application connection with said back-end application server, wherein said proxy server acts as a proxy for said client such that said proxy-to-application connection appears as said client-to-application connection to said application server; and wherein said secure client-to-application connection is established by using at least both said secure client-to-proxy connection and said proxy-to-application; converting said secure connection information into a form suitable for attaching to a data stream that is sent by said client and destined for said back-end application server; attaching said converted secure connection information to said data stream to form a modified data stream; and forwarding said modified data stream to said back-end application server.
33. A proxy server suitable for securing a back-end application server from an unsecure network, said back-end application server intended to provide services to clients via said unsecure network, said proxy server comprising: persistent memory storing computer executable instructions for: intercepting a request initiated by said client to establish a secure client-to-application connection with said application server; establishing a secure client-to-proxy connection with said client, wherein said proxy server acts as a proxy for said back-end application server such that said client-to-proxy connection appears as said client-to-application connection to said client; retrieving secure connection information that is associated with said client; establishing a proxy-to-application connection with said back-end application server, wherein said proxy server acts as a proxy for said client such that said proxy-to-application connection appears as said client-to-application connection to said application server; and wherein said secure client-to-application connection is established by using at least both said secure client-to-proxy connection and said proxy-to-application; converting said secure connection information into a form suitable for attaching to a data stream that is sent by said client and destined for said back-end application server; attaching said converted secure connection information to said data stream to form a modified data stream; and forwarding said modified data stream to said back-end application server.
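An added illustration, not code from the patent, of the packaging that claims 16-33 describe: the proxy serializes the client's SSL connection information (protocol version, cipher, certificate subject, full certificate, a byte length, and a CR/LF sentinel after the certificate) into a header that is independent of the back-end's application protocol, pre-pends it to the client's data stream, and the back-end reads the header before the data. The line-oriented wire format, the field names and the sample values are assumptions of this example; the patent's actual encoding is not given in the claims.

```python
from dataclasses import dataclass
from typing import Tuple

SENTINEL = b"\r\n"  # CR/LF sentinel marks the end of the certificate block (claims 28-30)

@dataclass
class SSLConnInfo:
    version: str   # SSL/TLS protocol version (claim 26)
    cipher: str    # negotiated cipher (claim 24)
    subject: str   # client certificate subject (claim 23)
    cert_pem: str  # entire client certificate (claim 25)

def encode_conn_info(info: SSLConnInfo) -> bytes:
    """Proxy side: serialize the info into a header independent of the
    back-end's application protocol. Line 1 is the byte length of the rest
    (claim 27); a blank line after the sentinel closes the header (assumed)."""
    body = (b"version: " + info.version.encode() + b"\r\n"
            + b"cipher: " + info.cipher.encode() + b"\r\n"
            + b"subject: " + info.subject.encode() + b"\r\n"
            + b"cert:\r\n" + info.cert_pem.encode() + SENTINEL + b"\r\n")
    return b"%d\r\n" % len(body) + body

def prepend_conn_info(info: SSLConnInfo, data_stream: bytes) -> bytes:
    """Form the modified data stream: header first, client bytes untouched."""
    return encode_conn_info(info) + data_stream

def parse_modified_stream(stream: bytes) -> Tuple[SSLConnInfo, bytes]:
    """Back-end side: read the header before the data stream; return the
    connection info and the client's original bytes. Raises on truncation."""
    nl = stream.find(b"\r\n")
    if nl < 0 or not stream[:nl].isdigit():
        raise ValueError("missing length line")
    length, start = int(stream[:nl]), nl + 2
    header = stream[start:start + length]
    if len(header) != length or not header.endswith(SENTINEL + b"\r\n"):
        raise ValueError("truncated or malformed connection-info header")
    fields_part, sep, cert_block = header.partition(b"cert:\r\n")
    if not sep:
        raise ValueError("certificate block missing")
    fields = dict(line.split(b": ", 1) for line in fields_part.split(b"\r\n") if line)
    info = SSLConnInfo(fields[b"version"].decode(), fields[b"cipher"].decode(),
                       fields[b"subject"].decode(), cert_block[:-4].decode())
    return info, stream[start + length:]

# Constructed sample values; the certificate body is a placeholder, not a real cert.
SAMPLE_INFO = SSLConnInfo(
    version="TLSv1", cipher="RSA-AES128-SHA", subject="CN=alice,O=Example Corp",
    cert_pem="-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----")
# Client bytes can be any protocol and may contain CR/LF themselves; the length
# prefix keeps the header boundary unambiguous regardless.
SAMPLE_REQUEST = b"GET /account HTTP/1.0\r\nHost: app.internal\r\n\r\n"
```

The back-end must trust this header only on the proxy-to-application link, since any client that could reach the back-end directly could pre-pend a header of its own; a truncated header is rejected rather than partially parsed.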
PCT/US2003/032570 2002-10-15 2003-10-15 Client-side ssl connection completion through secure proxy server WO2004036360A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003284204A AU2003284204A1 (en) 2002-10-15 2003-10-15 Client-side ssl connection completion through secure proxy server

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US41875902P 2002-10-15 2002-10-15
US60/418,759 2002-10-15

Publications (2)

Publication Number Publication Date
WO2004036360A2 true WO2004036360A2 (en) 2004-04-29
WO2004036360A3 WO2004036360A3 (en) 2004-09-10

Family

ID=32107969

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/032570 WO2004036360A2 (en) 2002-10-15 2003-10-15 Client-side ssl connection completion through secure proxy server

Country Status (2)

Country Link
AU (1) AU2003284204A1 (en)
WO (1) WO2004036360A2 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7584505B2 (en) 2001-10-16 2009-09-01 Microsoft Corporation Inspected secure communication protocol
US8700892B2 (en) 2010-03-19 2014-04-15 F5 Networks, Inc. Proxy SSL authentication in split SSL for client-side proxy agent resources with content insertion
US8782393B1 (en) 2006-03-23 2014-07-15 F5 Networks, Inc. Accessing SSL connection data by a third-party
US10237078B2 (en) 2011-07-28 2019-03-19 Cloudflare, Inc. Supporting secure sessions in a cloud-based proxy service
US10785198B2 (en) 2013-03-07 2020-09-22 Cloudflare, Inc. Secure session capability using public-key cryptography without access to the private key
US10903990B1 (en) 2020-03-11 2021-01-26 Cloudflare, Inc. Establishing a cryptographic tunnel between a first tunnel endpoint and a second tunnel endpoint where a private key used during the tunnel establishment is remotely located from the second tunnel endpoint
US11044083B2 (en) 2014-04-08 2021-06-22 Cloudflare, Inc. Secure session capability using public-key cryptography without access to the private key
US11438178B2 (en) 2014-04-08 2022-09-06 Cloudflare, Inc. Secure session capability using public-key cryptography without access to the private key

Citations (2)

Publication number Priority date Publication date Assignee Title
US20030097428A1 (en) * 2001-10-26 2003-05-22 Kambiz Afkhami Internet server appliance platform with flexible integrated suite of server resources and content delivery capabilities supporting continuous data flow demands and bursty demands
US6621505B1 (en) * 1997-09-30 2003-09-16 Journee Software Corp. Dynamic process-based enterprise computing system and method

Patent Citations (3)

Publication number Priority date Publication date Assignee Title
US6621505B1 (en) * 1997-09-30 2003-09-16 Journee Software Corp. Dynamic process-based enterprise computing system and method
US20030197733A1 (en) * 1997-09-30 2003-10-23 Journee Software Corp Dynamic process-based enterprise computing system and method
US20030097428A1 (en) * 2001-10-26 2003-05-22 Kambiz Afkhami Internet server appliance platform with flexible integrated suite of server resources and content delivery capabilities supporting continuous data flow demands and bursty demands

Cited By (23)

Publication number Priority date Publication date Assignee Title
US7584505B2 (en) 2001-10-16 2009-09-01 Microsoft Corporation Inspected secure communication protocol
US9742806B1 (en) 2006-03-23 2017-08-22 F5 Networks, Inc. Accessing SSL connection data by a third-party
US8782393B1 (en) 2006-03-23 2014-07-15 F5 Networks, Inc. Accessing SSL connection data by a third-party
US9705852B2 (en) 2010-03-19 2017-07-11 F5 Networks, Inc. Proxy SSL authentication in split SSL for client-side proxy agent resources with content insertion
US9166955B2 (en) 2010-03-19 2015-10-20 F5 Networks, Inc. Proxy SSL handoff via mid-stream renegotiation
US9172682B2 (en) 2010-03-19 2015-10-27 F5 Networks, Inc. Local authentication in proxy SSL tunnels using a client-side proxy agent
US9178706B1 (en) 2010-03-19 2015-11-03 F5 Networks, Inc. Proxy SSL authentication in split SSL for client-side proxy agent resources with content insertion
US9210131B2 (en) 2010-03-19 2015-12-08 F5 Networks, Inc. Aggressive rehandshakes on unknown session identifiers for split SSL
US9509663B2 (en) 2010-03-19 2016-11-29 F5 Networks, Inc. Secure distribution of session credentials from client-side to server-side traffic management devices
US9667601B2 (en) 2010-03-19 2017-05-30 F5 Networks, Inc. Proxy SSL handoff via mid-stream renegotiation
US9100370B2 (en) 2010-03-19 2015-08-04 F5 Networks, Inc. Strong SSL proxy authentication with forced SSL renegotiation against a target server
US8700892B2 (en) 2010-03-19 2014-04-15 F5 Networks, Inc. Proxy SSL authentication in split SSL for client-side proxy agent resources with content insertion
US10237078B2 (en) 2011-07-28 2019-03-19 Cloudflare, Inc. Supporting secure sessions in a cloud-based proxy service
US10931465B2 (en) 2011-07-28 2021-02-23 Cloudflare, Inc. Supporting secure sessions in a cloud-based proxy service
US11546175B2 (en) 2011-07-28 2023-01-03 Cloudflare, Inc. Detecting and isolating an attack directed at an IP address associated with a digital certificate bound with multiple domains
US10785198B2 (en) 2013-03-07 2020-09-22 Cloudflare, Inc. Secure session capability using public-key cryptography without access to the private key
US10791099B2 (en) 2013-03-07 2020-09-29 Cloudflare, Inc. Secure session capability using public-key cryptography without access to the private key
US11546309B2 (en) 2013-03-07 2023-01-03 Cloudflare, Inc. Secure session capability using public-key cryptography without access to the private key
US11044083B2 (en) 2014-04-08 2021-06-22 Cloudflare, Inc. Secure session capability using public-key cryptography without access to the private key
US11438178B2 (en) 2014-04-08 2022-09-06 Cloudflare, Inc. Secure session capability using public-key cryptography without access to the private key
US10903990B1 (en) 2020-03-11 2021-01-26 Cloudflare, Inc. Establishing a cryptographic tunnel between a first tunnel endpoint and a second tunnel endpoint where a private key used during the tunnel establishment is remotely located from the second tunnel endpoint
US11677545B2 (en) 2020-03-11 2023-06-13 Cloudflare, Inc. Establishing a cryptographic tunnel between a first tunnel endpoint and a second tunnel endpoint where a private key used during the tunnel establishment is remotely located from the second tunnel endpoint
US11949776B2 (en) 2020-03-11 2024-04-02 Cloudflare, Inc. Establishing a cryptographic tunnel between a first tunnel endpoint and a second tunnel endpoint where a private key used during the tunnel establishment is remotely located from the second tunnel endpoint

Also Published As

Publication number Publication date
WO2004036360A3 (en) 2004-09-10
AU2003284204A1 (en) 2004-05-04
AU2003284204A8 (en) 2004-05-04

Similar Documents

Publication Publication Date Title
Shelby et al. The constrained application protocol (CoAP)
Shelby et al. RFC 7252: The constrained application protocol (CoAP)
US6732269B1 (en) Methods, systems and computer program products for enhanced security identity utilizing an SSL proxy
US8713690B2 (en) Secure data exchange between data processing systems
EP1782324B1 (en) A personal token and a method for controlled authentication
Jungmaier et al. Transport layer security over stream control transmission protocol
US8234699B2 (en) Method and system for establishing the identity of an originator of computer transactions
EP1514394B1 (en) Method, system and devices for transferring accounting information
EP2633667B1 (en) System and method for on the fly protocol conversion in obtaining policy enforcement information
US20090199002A1 (en) Methods and Systems for Shortened Hash Authentication and Implicit Session Key Agreement
US10129214B2 (en) System and method for secure communication between domains
US20070204156A1 (en) Systems and methods for providing access to network resources based upon temporary keys
EP2106089A1 (en) A method and system for authenticating users
US20060090074A1 (en) Encryption communication system
US20040064740A1 (en) System and method for strong access control to a network
US20130291089A1 (en) Data communication method and device and data interaction system based on browser
CN110365741B (en) Connection establishing method and transfer server
US20160219045A1 (en) Method and System for Authenticating a User of a Device
Paterson et al. XEP-0124: bidirectional-streams over synchronous HTTP (BOSH)
US10419212B2 (en) Methods, systems, apparatuses, and devices for securing network communications using multiple security protocols
CN112671771B (en) Data transmission method, device, electronic equipment and medium
WO2004036360A2 (en) Client-side ssl connection completion through secure proxy server
US20100070770A1 (en) Systems and methods, apparatus, and computer readable media for intercepting and modifying hmac signed messages
US20200153945A1 (en) Technique for Transport Protocol Selection and Setup of a Connection Between a Client and a Server
CN106162645B (en) A kind of the quick of Mobile solution reconnects method for authenticating and system

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP