公开(公告)号：US20140041010A1

公开(公告)日：2014-02-06

申请号：US14049918

申请日：2013-10-09

Applicant: Citrix Systems, Inc.

Inventor： Sivaprasad R. Udupa ,  Tushar Kanekar ,  Tejus AG

IPC: H04L29/06

CPC classification number: H04L63/10 ,  H04L63/0272 ,  H04L63/0428 ,  H04L63/0823 ,  H04L63/166 ,  H04L63/20 ,  H04L2463/144

Abstract: Systems and methods are disclosed for an appliance to authenticate access of a client to a protected directory on a server via a connection, such as a secure SSL connection, established by the appliance. A method comprises the steps of: receiving, by an appliance, a first request from a client on a first network to access a server on a second network, the appliance providing the client a virtual private network connection from the first network to the second network; determining, by the appliance, the first request comprises access to a protected directory of the server; associating, by the appliance, an authentication policy with the protected directory, the authentication policy specifying an action to authenticate the client's access to the protected directory; and transmitting, by the appliance in response to the authentication policy, a second request to the client for an authentication certificate. Corresponding systems are also disclosed.

Abstract translation: 公开了一种用于设备通过设备建立的连接（例如安全SSL连接）来认证客户端访问服务器上受保护目录的系统和方法。 一种方法包括以下步骤：由设备接收来自第一网络上的客户端的第一请求以访问第二网络上的服务器，所述设备向客户端提供从第一网络到第二网络的虚拟专用网络连接 ; 由设备确定第一请求包括访问服务器的受保护目录; 该设备将认证策略与受保护目录相关联，认证策略指定用于认证客户端对受保护目录的访问的动作; 以及响应于所述认证策略，所述设备向所述客户端发送用于认证证书的第二请求。 还公开了相应的系统。

公开(公告)号：US12192237B2

公开(公告)日：2025-01-07

申请号：US17236233

申请日：2021-04-21

Applicant: Citrix Systems, Inc.

Inventor： Andrew Penner ,  Tushar Kanekar

IPC: H04L9/40 ,  H04L67/63

Abstract: Systems and methods for detecting attacks using a handshake request are provided. A plurality of devices can receive a plurality of handshake requests to establish TLS connections that include a respective application request. At least one of the plurality of handshake requests can include a first application request. The plurality of devices can record each of the respective application requests to a registry of application requests. A first device of the plurality of devices can receive a subsequent handshake request to establish a subsequent TLS connection that includes the first application request. The first device can query, prior to accepting the first application request, the registry for the first application request. The first device can determine whether to accept or reject the first application request responsive to identifying from the query that the first application request has not been or has been recorded in the registry.

公开(公告)号：US20200177630A1

公开(公告)日：2020-06-04

申请号：US16207423

申请日：2018-12-03

Applicant: Citrix Systems, Inc.

Inventor： Andrew Penner ,  Tushar Kanekar

IPC: H04L29/06 ,  H04L29/08

Abstract: Systems and methods for detecting attacks using a handshake request are provided. A plurality of devices can receive a plurality of handshake requests to establish TLS connections that include a respective application request. At least one of the plurality of handshake requests can include a first application request. The plurality of devices can record each of the respective application requests to a registry of application requests. A first device of the plurality of devices can receive a subsequent handshake request to establish a subsequent TLS connection that includes the first application request. The first device can query, prior to accepting the first application request, the registry for the first application request. The first device can determine whether to accept or reject the first application request responsive to identifying from the query that the first application request has not been or has been recorded in the registry.

公开(公告)号：US20180103018A1

公开(公告)日：2018-04-12

申请号：US15289472

申请日：2016-10-10

Applicant: Citrix Systems, Inc.

Inventor： Abhishek Chauhan ,  Tushar Kanekar ,  Ritesh Patani ,  Robert Kidd ,  Sergey Golubev ,  Harpreet Singh

IPC: H04L29/06 ,  G06F21/60

CPC classification number: F16K37/0091 ,  F15B5/006 ,  F15B19/005 ,  F15B20/00 ,  F15B20/008 ,  F15B2211/6306 ,  F15B2211/6313 ,  F15B2211/6658 ,  F15B2211/857 ,  F15B2211/8613 ,  F15B2211/8636 ,  F15B2211/8755 ,  G06F21/602 ,  H04L63/0281 ,  H04L63/0471 ,  H04L63/0485 ,  H04L63/166 ,  H04L63/168 ,  H04L2209/12

Abstract: The present disclosure is directed towards systems and methods for executing cryptographic operations across different types of processing hardware. An intermediary device may identify a cryptographic function to be performed at the device, according to a message from a client or a server. The device may identify a sequence of cryptographic operations to be executed for performing the cryptographic function. The device may determine subsets of the cryptographic operations to be executed on across different types of processing hardware. The different types of processing hardware may reside on the device. Each of the types of processing hardware may execute, responsive to the determination, the respective subset of the cryptographic operations, according to the sequence of the cryptographic operations.

公开(公告)号：US09426220B2

公开(公告)日：2016-08-23

申请号：US14244949

申请日：2014-04-04

Applicant: Citrix Systems, Inc.

Inventor： Abhishek Chauhan ,  Sandhya Gopinath ,  Sandeep Kamath ,  Mahesh Arumugam ,  Tushar Kanekar

IPC: G06F15/167 ,  H04L29/08

CPC classification number: H04L67/1097 ,  H04L67/1095

Abstract: The present application is directed towards using a distributed hash table to track the use of resources and/or maintain the persistency of resources across the plurality of nodes in the multi-node system. More specifically, the systems and methods can maintain the persistency of resources across the plurality of nodes by the use of a global table. A global table may be maintained on each node. Each node's global table enables efficient storage and retrieval of distributed hash table entries. Each global table may contain a linked list of the cached distributed hash table entries that are currently stored on a node.

Abstract translation: 本申请涉及使用分布式哈希表来跟踪资源的使用和/或维护多节点系统中的多个节点之间的资源的持续性。 更具体地，系统和方法可以通过使用全局表来维护跨越多个节点的资源的持久性。 可以在每个节点上维护全局表。 每个节点的全局表可以有效地存储和检索分布式哈希表项。 每个全局表可以包含当前存储在节点上的高速缓存的分布式散列表条目的链接列表。

公开(公告)号：US09276957B2

公开(公告)日：2016-03-01

申请号：US14075460

申请日：2013-11-08

Applicant: Citrix Systems, Inc.

Inventor： Tushar Kanekar

IPC: H04L29/06 ,  H04L29/08 ,  H04L9/32

CPC classification number: H04L63/166 ,  H04L9/3268 ,  H04L9/3271 ,  H04L9/3297 ,  H04L63/0471 ,  H04L63/0485 ,  H04L63/0823 ,  H04L63/0876 ,  H04L67/1027 ,  H04L67/1036 ,  H04L2209/043 ,  H04L2209/30 ,  H04L2209/56 ,  H04L2209/60 ,  H04L2209/76 ,  H04L2209/80

Abstract: The present invention is directed towards systems and methods for managing SSL session persistence and reuse in a multi-core system. A first core may indicate that an SSL session established by the first core is non-resumable. Responsive to the indication, the core may set an indicator at a location in memory accessible by each core of the multi-core system, the indicator indicating that the SSL session is non-resumable. A second core of the multi-core system may receive a request to reuse the SSL session. The request may include a session identifier of the SSL session. In addition, the session identifier may identify the first core as an establisher of the SSL session. The second core can identify from encoding of the session identifier whether the second core is not the establisher of the SSL session. Responsive to the identification, the second core may determine whether to resume the SSL session.

公开(公告)号：US09172545B2

公开(公告)日：2015-10-27

申请号：US14132303

申请日：2013-12-18

Applicant: Citrix Systems, Inc.

Inventor： Christofer Edstrom ,  Tushar Kanekar

IPC: H04L29/06 ,  H04L9/32 ,  H04L29/08

CPC classification number: H04L9/3268 ,  H04L63/0823 ,  H04L63/0884 ,  H04L63/166 ,  H04L67/2819 ,  H04L2209/38

Abstract: The present disclosure is directed towards systems and methods for determining a status of a client certificate from a plurality of responses for an Online Certificate Status Protocol (OCSP) request. An intermediary device between a plurality of clients and one or more servers identifies a plurality of OCSP responders for determining a status of a client certificate responsive to receiving the client certificate from a client during a Secure Socket Layer (SSL) handshake. Each of the plurality of OCSP responders may transmit a request for the status of the client certificate to a uniform resource locator corresponding to each OCSP responder. The intermediary device may determine a single status for the client certificate from a plurality of statuses of the client certificate received via responses from each uniform resource locator.

Abstract translation: 本公开涉及用于根据在线证书状态协议（OCSP）请求的多个响应来确定客户端证书的状态的系统和方法。 多个客户端和一个或多个服务器之间的中间设备在安全套接层（SSL）握手期间，响应于从客户端接收到客户端证书，识别多个OCSP应答器，用于确定客户端证书的状态。 多个OCSP应答器中的每一个可以向与每个OCSP响应器对应的统一资源定位符发送客户端证书的状态请求。 中介设备可以根据从每个统一资源定位符的响应接收到的客户端证书的多个状态来确定客户端证书的单一状态。

公开(公告)号：US20140068245A1

公开(公告)日：2014-03-06

申请号：US14075460

申请日：2013-11-08

Applicant: Citrix Systems, Inc.

Inventor： Tushar Kanekar

IPC: H04L29/06

CPC classification number: H04L63/166 ,  H04L9/3268 ,  H04L9/3271 ,  H04L9/3297 ,  H04L63/0471 ,  H04L63/0485 ,  H04L63/0823 ,  H04L63/0876 ,  H04L67/1027 ,  H04L67/1036 ,  H04L2209/043 ,  H04L2209/30 ,  H04L2209/56 ,  H04L2209/60 ,  H04L2209/76 ,  H04L2209/80

Abstract: The present invention is directed towards systems and methods for managing SSL session persistence and reuse in a multi-core system. A first core may indicate that an SSL session established by the first core is non-resumable. Responsive to the indication, the core may set an indicator at a location in memory accessible by each core of the multi-core system, the indicator indicating that the SSL session is non-resumable. A second core of the multi-core system may receive a request to reuse the SSL session. The request may include a session identifier of the SSL session. In addition, the session identifier may identify the first core as an establisher of the SSL session. The second core can identify from encoding of the session identifier whether the second core is not the establisher of the SSL session. Responsive to the identification, the second core may determine whether to resume the SSL session.

Abstract translation: 本发明涉及用于在多核系统中管理SSL会话持久性和重用的系统和方法。 第一核心可以指示由第一核心建立的SSL会话是不可恢复的。 响应于指示，核心可以在由多核系统的每个核心访问的存储器中的位置处设置指示符，该指示符指示SSL会话不可恢复。 多核系统的第二核心可以接收重新使用SSL会话的请求。 请求可以包括SSL会话的会话标识符。 此外，会话标识符可以将第一核心识别为SSL会话的建立者。 第二核心可以从会话标识符的编码中识别第二核心是否不是SSL会话的建立者。 响应于识别，第二个核心可能决定是否恢复SSL会话。

公开(公告)号：US11792232B2

公开(公告)日：2023-10-17

申请号：US17713678

申请日：2022-04-05

Applicant: Citrix Systems, Inc.

Inventor： Andrew Penner ,  Tushar Kanekar

IPC: H04L29/06 ,  H04L9/40 ,  G06F9/455 ,  H04L67/02 ,  H04L67/141 ,  H04L67/01

CPC classification number: H04L63/20 ,  H04L63/166 ,  H04L63/168 ,  G06F9/45533 ,  H04L67/01 ,  H04L67/02 ,  H04L67/141

Abstract: Systems and methods for applying an application layer policy to a transport layer security request are provided. A device, intermediary to one or more clients and one or more servers, can receive a transport layer security (TLS) request to establish a TLS connection between a client of the one or more clients and a server of the one or more servers. The TLS request can include an application layer request to a resource of the server. The device can apply an application layer policy to the application layer request of the TLS request. The device can determine, responsive to applying the application layer policy, whether to one of accept or reject at least the application layer request of the TLS request.

公开(公告)号：US20210243227A1

公开(公告)日：2021-08-05

申请号：US17236233

申请日：2021-04-21

Applicant: Citrix Systems, Inc.

Inventor： Andrew Penner ,  Tushar Kanekar

IPC: H04L29/06 ,  H04L29/08

Abstract: Systems and methods for detecting attacks using a handshake request are provided. A plurality of devices can receive a plurality of handshake requests to establish TLS connections that include a respective application request. At least one of the plurality of handshake requests can include a first application request. The plurality of devices can record each of the respective application requests to a registry of application requests. A first device of the plurality of devices can receive a subsequent handshake request to establish a subsequent TLS connection that includes the first application request. The first device can query, prior to accepting the first application request, the registry for the first application request. The first device can determine whether to accept or reject the first application request responsive to identifying from the query that the first application request has not been or has been recorded in the registry.