Title: VIRTUAL ENCRYPTION PATCHING USING MULTIPLE TRANSPORT LAYER SECURITY IMPLEMENTATIONS
Abstract: Techniques related to virtual encryption patching are described. A security gateway includes multiple Transport Layer Security Implementations (TLSIs) that can be used for creating secure communications channels to carry application-layer traffic between one or more clients and one or more server applications. In some embodiments, upon determining that one of the multiple TLSIs contains a security vulnerability, that TLSI can be disabled, leaving one or more others of the multiple TLSIs enabled and available to be used to carry traffic of new connections between the clients and server applications.
Publication number: US2017093824(A1)   Publication date: 2017.03.30
Application number: US201514944151   Filing date: 2015.11.17
Applicant: Imperva, Inc.   Inventors: SHULMAN Amichai; MANTIN Itsik; AVITAL Nadav; ZIGELMAN Offir; BREZNER Oren; BABICH Dmitry
IPC classes: H04L29/06; H04L9/30; H04L9/32   Main class: H04L29/06
Agency:   Agent:
Independent claim: 1. A method in a security gateway for protecting one or more server applications from transport layer security implementation vulnerabilities, wherein the security gateway is communicatively coupled between a plurality of client end stations and the one or more server applications to communicate application layer data between them, and wherein the security gateway is configured to communicate the application layer data with the plurality of client end stations through network connections that terminate at the security gateway, the method comprising:
    selecting, at the security gateway while a plurality of transport layer security implementations (TLSIs) within the security gateway are enabled, different ones of the plurality of TLSIs to be utilized for different ones of new network connections being established between the plurality of client end stations and the security gateway, wherein each of the new network connections is being established between one of the plurality of client end stations and the security gateway for the purpose of communicating application layer data between that client end station and one of the server applications;
    receiving, at the security gateway, a first TLSI control message indicating that a first TLSI of the plurality of TLSIs is to be disabled and thus no longer be eligible to be selected to be utilized for new network connections, leaving a set of one or more others of the plurality of TLSIs still enabled, wherein the first TLSI has a vulnerability not shared by the set of one or more others of the plurality of TLSIs due to their different implementations; and
    selecting, at the security gateway, for each new network connection being established between one of the plurality of client end stations and the security gateway while the first TLSI is disabled, one of the TLSIs from the set of the TLSIs that are still enabled to be utilized for the new network connection.
Address: Redwood City, CA, US
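An added illustration, not code from the patent or from Imperva, of the behaviour claim 1 describes: a gateway holding several TLSIs picks one per new connection, a control message disables the TLSI found to be vulnerable, and every later connection draws only from the still-enabled set while already-established connections keep the TLSI they were given. The TLSI names, the round-robin selection policy and the control-message format are assumptions, not details from the patent.

```python
class NoEnabledTlsiError(RuntimeError):
    """Raised when every TLSI has been disabled; new connections are refused
    rather than silently falling back to a vulnerable implementation."""


class VirtualPatchingGateway:
    """Minimal model of the selection/disable logic (assumed design)."""

    def __init__(self, tlsis):
        self.tlsis = list(tlsis)          # TLSIs compiled into the gateway
        self.enabled = set(self.tlsis)    # all start out eligible for selection
        self.active = {}                  # conn_id -> TLSI serving that connection
        self._next = 0                    # round-robin cursor (assumed policy)

    def handle_control_message(self, msg):
        # Assumed message shape: {"tlsi": "<name>", "action": "disable" | "enable"}
        name, action = msg["tlsi"], msg["action"]
        if name not in self.tlsis:
            raise ValueError(f"unknown TLSI {name!r}")
        if action == "disable":
            self.enabled.discard(name)    # no longer eligible for new connections
        elif action == "enable":
            self.enabled.add(name)        # re-enabled once the implementation is patched
        else:
            raise ValueError(f"unknown action {action!r}")

    def has_enabled_tlsi(self):
        return bool(self.enabled)

    def select_tlsi(self):
        # Only still-enabled TLSIs are candidates; order follows the configured list.
        candidates = [t for t in self.tlsis if t in self.enabled]
        if not candidates:
            raise NoEnabledTlsiError("every TLSI is disabled")
        choice = candidates[self._next % len(candidates)]
        self._next += 1
        return choice

    def accept_connection(self, conn_id):
        # A new connection is bound to one TLSI for its lifetime; existing
        # connections are untouched by later disable messages.
        tlsi = self.select_tlsi()
        self.active[conn_id] = tlsi
        return tlsi
```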