公开(公告)号：US20140304499A1

公开(公告)日：2014-10-09

申请号：US14245528

申请日：2014-04-04

Applicant: Citrix Systems, Inc.

Inventor： Sikha Gopinath ,  Ashoke Saha ,  Tushar Kanekar

IPC: H04L29/06

CPC classification number: H04L63/168 ,  H04L63/166 ,  H04L67/1002 ,  H04L67/14 ,  H04L69/30

Abstract: The present invention is directed towards systems and methods for managing one or more SSL sessions. A first node from a cluster of nodes intermediary between a client and a server may receive a first request from the client to use a first session established with the server. The first request may include a session identifier of the first session. The first node may determine that the first session is not identified in a cache of the first node. The first node may identify, via a hash table responsive to the determination, an owner node of the first session from the cluster using a key. The key may be determined based on the session identifier. The first node may send a second request to the identified owner node for session data of the first session. The session data may be for establishing a second session with the server.

Abstract translation: 本发明涉及用于管理一个或多个SSL会话的系统和方法。 来自客户端和服务器之间的中继节点的第一节点可以从客户端接收使用与服务器建立的第一会话的第一请求。 第一请求可以包括第一会话的会话标识符。 第一节点可以确定在第一节点的高速缓存中没有识别出第一会话。 第一节点可以经由响应于确定的散列表，使用密钥从集群中识别第一会话的所有者节点。 密钥可以基于会话标识符来确定。 第一节点可以向所识别的所有者节点发送第二请求以用于第一会话的会话数据。 会话数据可以用于与服务器建立第二会话。

公开(公告)号：US20140304498A1

公开(公告)日：2014-10-09

申请号：US13858011

申请日：2013-04-06

Applicant: CITRIX SYSTEMS, INC.

Inventor： Swarupa Gonuguntla ,  Ashoke Saha ,  Tushar Kanekar

IPC: H04L29/06

CPC classification number: H04L63/168 ,  H04L63/0281

Abstract: This disclosure is directed to systems and methods for handling the processing of a next protocol negotiation extension for a transport layer security (TLS) session. A device, intermediary to a client and a server, may receive a client hello message from the client in a handshake to establish a transport layer security (TLS) session with the server. The client hello message may include a next protocol negotiation extension. The device may include a first TLS processor that is software based and a second TLS processor that is hardware based. The device may determine that the client hello message includes the next protocol negotiation extension. The device may establish, responsive to the determination, the TLS session using the first TLS processor. The device may process, upon establishment of the TLS session using the first TLS processor, encrypted data for the TLS session using the second TLS processor.

Abstract translation: 本公开涉及用于处理传输层安全（TLS）会话的下一个协议协商扩展的处理的系统和方法。 客户机和服务器的中间设备可以在握手中从客户端接收客户端请求消息，以建立与服务器的传输层安全（TLS）会话。 客户端hello消息可以包括下一个协议协商扩展。 该设备可以包括基于软件的第一TLS处理器和基于硬件的第二TLS处理器。 设备可以确定客户端hello消息包括下一个协议协商扩展。 响应于确定，设备可以使用第一TLS处理器来建立TLS会话。 在使用第一TLS处理器建立TLS会话时，设备可以处理使用第二TLS处理器的TLS会话的加密数据。

公开(公告)号：US09378381B2

公开(公告)日：2016-06-28

申请号：US14161417

申请日：2014-01-22

Applicant: Citrix Systems, Inc.

Inventor： Ashoke Saha ,  Rajesh Joshi ,  Tushar Kanekar

IPC: H04J3/16 ,  G06F21/60 ,  H04L29/06

CPC classification number: G06F21/602 ,  H04L63/0485 ,  H04L63/166 ,  H04L69/12

Abstract: The present invention is directed towards systems and methods for distributed operation of a plurality of cryptographic cards in a multi-core system. In various embodiments, a plurality of cryptographic cards providing encryption/decryption resources are assigned to a plurality of packet processing engines in operation on a multi-core processing system. One or more cryptographic cards can be configured with a plurality of hardware or software queues. The plurality of queues can be assigned to plural packet processing engines so that the plural packet processing engines share cryptographic services of a cryptographic card having multiple queues. In some embodiments, all cryptographic cards are configured with multiple queues which are assigned to the plurality of packet processing engines configured for encryption operation.

Abstract translation: 本发明涉及用于在多核系统中分布式操作多个加密卡的系统和方法。 在各种实施例中，向多核处理系统运行的多个分组处理引擎分配了提供加密/解密资源的多个密码卡。 一个或多个加密卡可以配置有多个硬件或软件队列。 可以将多个队列分配给多个分组处理引擎，使得多个分组处理引擎共享具有多个队列的加密卡的加密服务。 在一些实施例中，所有加密卡配置有分配给配置用于加密操作的多个分组处理引擎的多个队列。

公开(公告)号：US09077754B2

公开(公告)日：2015-07-07

申请号：US13858011

申请日：2013-04-06

Applicant: Citrix Systems, Inc.

Inventor： Swarupa Gonuguntla ,  Ashoke Saha ,  Tushar Kanekar

IPC: H04L29/06 ,  G06F21/00

CPC classification number: H04L63/168 ,  H04L63/0281

Abstract: This disclosure is directed to systems and methods for handling the processing of a next protocol negotiation extension for a transport layer security (TLS) session. A device, intermediary to a client and a server, may receive a client hello message from the client in a handshake to establish a transport layer security (TLS) session with the server. The client hello message may include a next protocol negotiation extension. The device may include a first TLS processor that is software based and a second TLS processor that is hardware based. The device may determine that the client hello message includes the next protocol negotiation extension. The device may establish, responsive to the determination, the TLS session using the first TLS processor. The device may process, upon establishment of the TLS session using the first TLS processor, encrypted data for the TLS session using the second TLS processor.

Abstract translation: 本公开涉及用于处理传输层安全（TLS）会话的下一个协议协商扩展的处理的系统和方法。 客户机和服务器的中间设备可以在握手中从客户端接收客户端请求消息，以建立与服务器的传输层安全（TLS）会话。 客户端hello消息可以包括下一个协议协商扩展。 该设备可以包括基于软件的第一TLS处理器和基于硬件的第二TLS处理器。 设备可以确定客户端hello消息包括下一个协议协商扩展。 响应于确定，设备可以使用第一TLS处理器来建立TLS会话。 在使用第一TLS处理器建立TLS会话时，设备可以处理使用第二TLS处理器的TLS会话的加密数据。

公开(公告)号：US20220357988A1

公开(公告)日：2022-11-10

申请号：US17246217

申请日：2021-04-30

Applicant: CITRIX SYSTEMS, INC.

Inventor： Swarupa Gonuguntla ,  Ashoke Saha

IPC: G06F9/50

Abstract: A method may include determining a first weight for a first type of operation and a second weight for a second type of operation. The first weight may correspond to a first quantity of the first type of operation a hardware resource is capable of performing during a time interval. The second weight may correspond to a second quantity of the second type of operation the hardware resource is capable of performing during the time interval. Utilization of the hardware resource may correspond to a weighted sum of the respective quantities of the first type of operation and the second type of operation offloaded to the hardware resource. Allocation of hardware resources may be adjusted based on utilization. Related systems and articles of manufacture are also provided.

公开(公告)号：US09769205B2

公开(公告)日：2017-09-19

申请号：US14245528

申请日：2014-04-04

Applicant: Citrix Systems, Inc.

Inventor： Sikha Gopinath ,  Ashoke Saha ,  Tushar Kanekar

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/168 ,  H04L63/166 ,  H04L67/1002 ,  H04L67/14 ,  H04L69/30

Abstract: The present invention is directed towards systems and methods for managing one or more SSL sessions. A first node from a cluster of nodes intermediary between a client and a server may receive a first request from the client to use a first session established with the server. The first request may include a session identifier of the first session. The first node may determine that the first session is not identified in a cache of the first node. The first node may identify, via a hash table responsive to the determination, an owner node of the first session from the cluster using a key. The key may be determined based on the session identifier. The first node may send a second request to the identified owner node for session data of the first session. The session data may be for establishing a second session with the server.

公开(公告)号：US20140181531A1

公开(公告)日：2014-06-26

申请号：US14161417

申请日：2014-01-22

Applicant: Citrix Systems, Inc.

Inventor： Ashoke Saha ,  Rajesh Joshi ,  Tushar Kanekar

IPC: G06F21/60

CPC classification number: G06F21/602 ,  H04L63/0485 ,  H04L63/166 ,  H04L69/12

Abstract: The present invention is directed towards systems and methods for distributed operation of a plurality of cryptographic cards in a multi-core system. In various embodiments, a plurality of cryptographic cards providing encryption/decryption resources are assigned to a plurality of packet processing engines in operation on a multi-core processing system. One or more cryptographic cards can be configured with a plurality of hardware or software queues. The plurality of queues can be assigned to plural packet processing engines so that the plural packet processing engines share cryptographic services of a cryptographic card having multiple queues. In some embodiments, all cryptographic cards are configured with multiple queues which are assigned to the plurality of packet processing engines configured for encryption operation.

Abstract translation: 本发明涉及用于在多核系统中分布式操作多个加密卡的系统和方法。 在各种实施例中，向多核处理系统运行的多个分组处理引擎分配了提供加密/解密资源的多个密码卡。 一个或多个加密卡可以配置有多个硬件或软件队列。 可以将多个队列分配给多个分组处理引擎，使得多个分组处理引擎共享具有多个队列的加密卡的加密服务。 在一些实施例中，所有加密卡配置有分配给配置用于加密操作的多个分组处理引擎的多个队列。