US2018278580A1PendingUtilityA1
Dynamic bypass of tls connections matching exclusion list in dpi-ssl in a nat deployment
Est. expiryJan 27, 2035(~8.5 yrs left)· nominal 20-yr term from priority
H04L 67/141H04L 67/125H04L 63/101H04L 63/166H04L 67/42H04L 69/16H04L 63/02H04L 63/029H04L 63/0823H04L 67/01
50
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
The present invention provides the initiation of a transport layer security (TLS) session between a client device and a server using a firewall without interruption. The present invention holds a TLS hello message received from the client device until after the server has been validated. A firewall consistent with the present invention does not interrupt a transport layer control (TCP) connection that was established between the client device and the firewall before the TLS hello message was received by the firewall.
Claims
exact text as granted — not AI-modified1 . A method for establishing a transport layer security (TLS) session, the method comprising:
receiving at a firewall a client initiated TLS hello message, the client initiated TLS hello message transmitted from a client device; holding the client initiated TLS hello message at the firewall until the server has been validated; transmitting a modified TLS hello message from the firewall to the server, wherein the modified TLS hello message transmitted from the firewall to the server is not identical to the client initiated TLS hello message; validating the server; transmitting the client initiated TLS hello message to the server; and transparently passing subsequent TCP messages transmitted between the client and the server without requiring the client device to re-initiate a TLS session with the server based at least in part on the client initiated TLS hello message being held at the firewall.
2 . The method of claim 1 , wherein the messages received from the client device do not provide an internet protocol (IP) address of the firewall, and the client initiated hello message does not include at least one of a domain name service (DNS) hostname, a common name associated with the server, and a domain name.
3 . The method of claim 1 , wherein the firewall:
inspects the client initiated TLS client hello message by a deep packet inspection secure socket layer (DPI-SSL) parser; receives a TLS server certificate message from the server; and inspects the received TLS server certificate message by the DPI-SSL parser when validating the server.
4 . The method of claim 1 , wherein prior to the transmission of the modified TLS hello message to the server, the firewall:
resets a first TCP connection between the firewall and the server, wherein the resetting of the first TCP connection terminates the first TCP connection between the firewall and the server; transmits a TCP synchronization message to the server; receives a TCP synchronization acknowledgement from the server; and transmits a second TCP acknowledgement to the server, wherein the transmitting of the second TCP acknowledgement message to the server establishes a second TCP connection between the firewall and the server.
5 . The method of claim 1 , wherein the information compared when validating the server is at least one of a domain name service (DNS) hostname, a common name, or a domain name.
6 . The method of claim 1 , further comprising classifying the TLS session between the client device and the server to bypass inspection before the TCP messages between the client device and the server are transparently passed between the client device and the server.
7 . The method of claim 1 , wherein communications between the firewall and the server are communicated over a TCP port of the firewall and a TCP port of the server on an outbound interface of the firewall according to an network address translation (NAT) mapping that abstracts the real IP address of the client from the server.
8 . The method of claim 1 , wherein:
a first TCP port of the firewall and a TCP port of the server are stored in a first association that binds the first TCP port of the firewall and the TCP port of the server with a first TCP connection between the firewall and the server, the first association stored in the firewall is deleted when the first TCP connection is terminated, and a second TCP port of the firewall and the TCP port of the server are stored in a second association that binds the second TCP port of the firewall and the TCP port of the server with the second TCP connection between the firewall and the server.
9 . The method of claim 5 , further comprising:
receiving a subsequent TLS client hello message after the TLS session has been interrupted, the subsequent TLS client hello message received from at least one of the client device and another client device, and the subsequent TLS client hello message including the at least one of the DNS hostname, the common name, or the domain name and an IP address of the server; identifying that the at least one of the DNS hostname, the common name, or the domain name is listed in the at least one of a dynamic exclusion list or a user defined exclusion list, wherein the identification re-initiates the TLS session; and transparently passing TCP messages transmitted between the at least one of the client device and the another client device and the server after identifying that the common name is listed in the at least one of the dynamic exclusion list and the user defined exclusion list.
10 . The method of claim 1 , further comprising:
receiving a subsequent TLS client hello message after the TLS session has been interrupted from at least one of the client device and another client device, the subsequent TLS client hello message including a common name and an IP address of a second server; identifying that the common name is listed in the at least one of a dynamic exclusion list and a user defined exclusion list, wherein the identification allows the TLS session to be re-initiated; and transparently passing TCP messages transmitted between the at least one of the client device and the another client device and the server after identifying that the common name is listed in the at least one of dynamic exclusion list or the user defined exclusion list.
11 . The method of claim 5 , further comprising:
receiving a subsequent TLS client hello message on a subsequent new TCP connection between at least one of the client device or another client device and the server, the subsequent TLS client hello message including the at least one of the domain name service (DNS) hostname, the common name, or the domain name; holding the subsequent TLS hello message at the firewall until a server addressed in the subsequent TLS hello message has been validated, wherein validation of the server includes:
transmitting another TLS hello message from the firewall to the server;
comparing information in a certificate received from the server with information stored at the firewall;
transmitting the subsequent TLS hello message to the server, wherein transmitting the subsequent TLS hello message initiates a TLS session without interrupting a transmission control protocol (TCP) connection between the client device and the firewall; and
transparently passing subsequent TCP messages transmitted between the client device or the another client device and the server after validating the server.
12 . A non-transitory computer readable storage medium having embodied thereon a program executable by a processor for implementing a method for establishing a transport layer security (TLS) session, the method comprising:
receiving at a firewall a client initiated TLS hello message, the client initiated TLS hello message transmitted from a client device; holding the client initiated TLS hello message at the firewall until the server has been validated; transmitting a modified TLS hello message to the server, wherein the modified TLS hello message transmitted to the server is not identical to the client initiated TLS hello message; validating the server; transmitting the client initiated TLS hello message to the server; and transparently passing subsequent TCP messages transmitted between the client and the server without requiring the client device to re-initiate a TLS session with the server based at least in part on the client initiated TLS hello message being held.
13 . The non-transitory computer readable storage medium of claim 13 , wherein the messages received from the client device do not provide an internet protocol (IP) address of a firewall, and the client initiated hello message does not include at least one of a domain name service (DNS) hostname, a common name associated with the server, and a domain name.
14 . The method of claim 12 , wherein the processor:
inspects the client initiated TLS client hello message by a deep packet inspection secure socket layer (DPI-SSL) parser; receives a TLS server certificate message from the server; and inspects the received TLS server certificate message by the DPI-SSL parser when validating the server.
15 . The non-transitory computer readable storage medium of claim 12 , wherein prior to the transmission of the modified TLS hello message to the server, the processor:
resets a first TCP connection with the server, wherein the resetting of the first TCP connection terminates the first TCP connection with the server, transmits a TCP synchronization message to the server, receives a TCP synchronization acknowledgement from the server, and transmits a second TCP acknowledgement to the server, wherein the transmitting of the second TCP acknowledgement message to the server establishes a second TCP connection with the server.
16 . The non-transitory computer readable storage medium of claim 12 , the program further executable to classify the TLS session between the client device and the server to bypass inspection before the TCP messages between the client device and the server are transparently passed between the client device and the server.
17 . An apparatus for establishing a transport layer security (TLS) session, the apparatus comprising:
one or more computer network interfaces, wherein the one or more computer network interfaces receives a client initiated TLS hello message, the client initiated TLS hello message transmitted from a client device; a memory; and a processor, wherein the processor executing instructions out of the memory holds the client initiated TLS hello message, wherein:
a modified TLS hello message is transmitted to the server, the modified TLS hello message transmitted to the server is not identical to the client initiated TLS hello message transmitted from the client device,
the processor validates the server, transmitting the client initiated TLS hello message to the server, and transparently passing subsequent TCP messages transmitted between the client and the server without requiring the client device to re-initiate a TLS session with the server based at least in part on the first TLS hello message being held by the processor.
18 . The apparatus of claim 17 , wherein the messages received from the client device do not provide an internet protocol (IP) address of the firewall, and the first client initiated hello message does not include at least one of a domain name service (DNS) hostname, a common name associated with the server, and a domain name.
19 . The apparatus of claim 1 , wherein the processor executing instructions out of the memory:
inspects the first client initiated TLS client hello message by a deep packet inspection secure socket layer (DPI-SSL) parser, receives a TLS server certificate message from the server via the one or more network interfaces, and inspects the received TLS server certificate message by the DPI-SSL parser when validating the server.
20 . The apparatus of claim 1 , wherein prior to the transmission to the server, the processor resets a first TCP connection with the server, wherein:
the resetting of the first TCP connection terminates the first TCP connection with the server, a TCP synchronization message is transmitted to the server, a TCP synchronization acknowledgement is received from the server, a second TCP acknowledgement is transmitted to the server, and the transmitting of the second TCP acknowledgement message to the server establishes a second TCP connection with the server.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.