APPLYING APPLICATION LAYER POLICY TO TRANSPORT LAYER SECURITY REQUESTS SYSTEMS AND METHODS

    Publication number: US20220232043A1

    Publication date: 2022-07-21

    Application number: US17713678

    Filing date: 2022-04-05

    Abstract: Systems and methods for applying an application layer policy to a transport layer security request are provided. A device, intermediary to one or more clients and one or more servers, can receive a transport layer security (TLS) request to establish a TLS connection between a client of the one or more clients and a server of the one or more servers. The TLS request can include an application layer request to a resource of the server. The device can apply an application layer policy to the application layer request of the TLS request. The device can determine, responsive to applying the application layer policy, whether to accept or reject at least the application layer request of the TLS request.

    Applying application layer policy to transport layer security requests systems and methods

    Publication number: US11336693B2

    Publication date: 2022-05-17

    Application number: US16203120

    Filing date: 2018-11-28

    Abstract: Systems and methods for applying an application layer policy to a transport layer security request are provided. A device, intermediary to one or more clients and one or more servers, can receive a transport layer security (TLS) request to establish a TLS connection between a client of the one or more clients and a server of the one or more servers. The TLS request can include an application layer request to a resource of the server. The device can apply an application layer policy to the application layer request of the TLS request. The device can determine, responsive to applying the application layer policy, whether to accept or reject at least the application layer request of the TLS request.

    APPLYING APPLICATION LAYER POLICY TO TRANSPORT LAYER SECURITY REQUESTS SYSTEMS AND METHODS

    Publication number: US20200169584A1

    Publication date: 2020-05-28

    Application number: US16203120

    Filing date: 2018-11-28

    Abstract: Systems and methods for applying an application layer policy to a transport layer security request are provided. A device, intermediary to one or more clients and one or more servers, can receive a transport layer security (TLS) request to establish a TLS connection between a client of the one or more clients and a server of the one or more servers. The TLS request can include an application layer request to a resource of the server. The device can apply an application layer policy to the application layer request of the TLS request. The device can determine, responsive to applying the application layer policy, whether to accept or reject at least the application layer request of the TLS request.

    Systems and methods for policy based triggering of client-authentication at directory level granularity

    Publication number: US09253193B2

    Publication date: 2016-02-02

    Application number: US14049918

    Filing date: 2013-10-09

    Abstract: Systems and methods are disclosed for an appliance to authenticate access of a client to a protected directory on a server via a connection, such as a secure SSL connection, established by the appliance. A method comprises the steps of: receiving, by an appliance, a first request from a client on a first network to access a server on a second network, the appliance providing the client a virtual private network connection from the first network to the second network; determining, by the appliance, the first request comprises access to a protected directory of the server; associating, by the appliance, an authentication policy with the protected directory, the authentication policy specifying an action to authenticate the client's access to the protected directory; and transmitting, by the appliance in response to the authentication policy, a second request to the client for an authentication certificate. Corresponding systems are also disclosed.

    5. SYSTEMS AND METHODS FOR EVALUATING AND PRIORITIZING RESPONSES FROM MULTIPLE OCSP RESPONDERS (patent application; in force)

    Publication number: US20140108788A1

    Publication date: 2014-04-17

    Application number: US14132303

    Filing date: 2013-12-18

    Abstract: The present disclosure is directed towards systems and methods for determining a status of a client certificate from a plurality of responses for an Online Certificate Status Protocol (OCSP) request. An intermediary device between a plurality of clients and one or more servers identifies a plurality of OCSP responders for determining a status of a client certificate responsive to receiving the client certificate from a client during a Secure Socket Layer (SSL) handshake. Each of the plurality of OCSP responders may transmit a request for the status of the client certificate to a uniform resource locator corresponding to each OCSP responder. The intermediary device may determine a single status for the client certificate from a plurality of statuses of the client certificate received via responses from each uniform resource locator.


    6. SYSTEMS AND METHODS FOR FLASH CROWD CONTROL AND BATCHING OCSP REQUESTS VIA ONLINE CERTIFICATE STATUS PROTOCOL (patent application; in force)

    Publication number: US20140101441A1

    Publication date: 2014-04-10

    Application number: US14100867

    Filing date: 2013-12-09

    Abstract: The present invention is directed towards systems and methods for batching OCSP requests and caching corresponding responses. An intermediary between a plurality of clients and one or more servers receives a first client certificate during a first SSL handshake with a first client and a second client certificate during a second SSL handshake with a second client. The intermediary may identify that the statuses of the client certificates are not in a cache of the intermediary. An OCSP responder of the intermediary may transmit a single request to an OCSP server to determine the statuses. The intermediary may determine, from a single response received from the OCSP server, whether to establish SSL connections with the clients based on the statuses. The intermediary may store the statuses to the cache for determining whether to establish an SSL connection in response to receiving a client certificate from the first client.


    Detecting attacks using handshake requests systems and methods

    Publication number: US11019100B2

    Publication date: 2021-05-25

    Application number: US16207423

    Filing date: 2018-12-03

    Abstract: Systems and methods for detecting attacks using a handshake request are provided. A plurality of devices can receive a plurality of handshake requests to establish TLS connections that include a respective application request. At least one of the plurality of handshake requests can include a first application request. The plurality of devices can record each of the respective application requests to a registry of application requests. A first device of the plurality of devices can receive a subsequent handshake request to establish a subsequent TLS connection that includes the first application request. The first device can query, prior to accepting the first application request, the registry for the first application request. The first device can determine whether to accept or reject the first application request responsive to identifying from the query that the first application request has not been or has been recorded in the registry.

    9. Systems and methods for queue level SSL card mapping to multi-core packet engine (granted patent; in force)

    Publication number: US09378381B2

    Publication date: 2016-06-28

    Application number: US14161417

    Filing date: 2014-01-22

    CPC classification number: G06F21/602 H04L63/0485 H04L63/166 H04L69/12

    Abstract: The present invention is directed towards systems and methods for distributed operation of a plurality of cryptographic cards in a multi-core system. In various embodiments, a plurality of cryptographic cards providing encryption/decryption resources are assigned to a plurality of packet processing engines in operation on a multi-core processing system. One or more cryptographic cards can be configured with a plurality of hardware or software queues. The plurality of queues can be assigned to plural packet processing engines so that the plural packet processing engines share cryptographic services of a cryptographic card having multiple queues. In some embodiments, all cryptographic cards are configured with multiple queues which are assigned to the plurality of packet processing engines configured for encryption operation.


    10. Systems and methods for nextproto negotiation extension handling using mixed mode (granted patent; in force)

    Publication number: US09077754B2

    Publication date: 2015-07-07

    Application number: US13858011

    Filing date: 2013-04-06

    CPC classification number: H04L63/168 H04L63/0281

    Abstract: This disclosure is directed to systems and methods for handling the processing of a next protocol negotiation extension for a transport layer security (TLS) session. A device, intermediary to a client and a server, may receive a client hello message from the client in a handshake to establish a transport layer security (TLS) session with the server. The client hello message may include a next protocol negotiation extension. The device may include a first TLS processor that is software based and a second TLS processor that is hardware based. The device may determine that the client hello message includes the next protocol negotiation extension. The device may establish, responsive to the determination, the TLS session using the first TLS processor. The device may process, upon establishment of the TLS session using the first TLS processor, encrypted data for the TLS session using the second TLS processor.

