Title Transport layer security traffic control using service name identification
Abstract Traffic control techniques are provided for intercepting an initial message in a handshaking procedure for a secure communication between a first device and a second device at a proxy device. Identification information associated with the second device is extracted from the initial message. A policy is applied to communications between the first device and second device based on the identification information.
Publication number US9237168(B2) Publication date 2016.01.12
Application number US201213473835 Filing date 2012.05.17
Applicant Cisco Technology, Inc. Inventors Wang Jianxin;Shankar Hari;Highland Trevor;Koduri Niranjan;Odnert Daryl
Classification H04L29/06 Main classification H04L29/06
Agent firm Edell, Shapiro & Finnan, LLC Agent Edell, Shapiro & Finnan, LLC
Independent claim 1. A method of establishing a connection across a network, comprising: intercepting at a proxy device a partially encrypted initial message of a handshaking procedure for a secure encrypted communication session between a first device and a second device, wherein the initial message is a ClientHello message of a Transport Layer Security (TLS) handshaking procedure that includes identification information associated with the second device, wherein the identification information comprises a plurality of parameters including host names, categories of hosts, reputations of hosts, and application types, and wherein each parameter has assigned a weight; extracting from the initial message the identification information associated with the second device; comparing the plurality of parameters with a plurality of databases to generate comparison results; balancing the comparison results based on the assigned weights to the parameters to determine a policy; and applying the policy to communications between the first device and the second device based on the identification information, wherein extracting the identification information comprises extracting a server name indication extension in the initial message without decrypting the initial message, and wherein the service name indication extension indicates a host name of the second device.
Address San Jose CA US
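The two steps of claim 1 (pulling the server name indication out of the ClientHello without decrypting anything, then balancing weighted parameter lookups into a policy), as an added Python example that is not part of the patent or of any Cisco code. The ClientHello bytes, the lookup "databases", the weights and the risk scoring are all constructed assumptions; the parser itself follows the public TLS record and extension layout.

```python
import struct

def build_client_hello(host):
    """Constructed TLS 1.2 ClientHello record with one SNI entry (not a capture)."""
    name = host.encode()
    sni = b"\x00" + struct.pack("!H", len(name)) + name           # name_type 0 = host_name
    sni = struct.pack("!H", len(sni)) + sni                       # server_name_list
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni              # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                  # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                   # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # record type 22 = handshake

def extract_sni(record):
    """Return the SNI host name of a ClientHello record, or None; nothing is decrypted."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        i = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
        i += 1 + record[i]                                  # session id
        i += 2 + struct.unpack("!H", record[i:i + 2])[0]    # cipher suites
        i += 1 + record[i]                                  # compression methods
        end = i + 2 + struct.unpack("!H", record[i:i + 2])[0]   # extensions block (absent -> struct.error)
        i += 2
        while i + 4 <= end <= len(record):
            etype, elen = struct.unpack("!HH", record[i:i + 4])
            i += 4
            if etype == 0 and elen >= 5 and record[i + 2] == 0:   # server_name, host_name entry
                nlen = struct.unpack("!H", record[i + 3:i + 5])[0]
                return record[i + 5:i + 5 + nlen].decode("ascii", "replace")
            i += elen
    except (IndexError, struct.error):
        pass                                                # truncated or malformed record
    return None

# Constructed lookup "databases" and weights standing in for the claim's host-name,
# category, reputation and application-type parameters (assumed values, not the patent's).
DATABASES = {"host": {"example.test": "blocked"}, "category": {"example.test": "file-sharing"},
             "reputation": {"example.test": 20}, "apptype": {"example.test": "p2p"}}
WEIGHTS = {"host": 0.4, "category": 0.2, "reputation": 0.3, "apptype": 0.1}

def decide_policy(host, threshold=0.5):
    """Score each parameter 0..1 (1 = risky), balance by weight, return the policy."""
    scores = {"host": 1.0 if DATABASES["host"].get(host) == "blocked" else 0.0,
              "category": 1.0 if DATABASES["category"].get(host) in {"file-sharing", "malware"} else 0.0,
              "reputation": 1.0 - DATABASES["reputation"].get(host, 100) / 100,   # 100 = good reputation
              "apptype": 1.0 if DATABASES["apptype"].get(host) == "p2p" else 0.0}
    risk = sum(WEIGHTS[k] * scores[k] for k in WEIGHTS)
    return "block" if risk >= threshold else "allow"
```

`extract_sni(build_client_hello("example.test"))` returns "example.test", and `decide_policy` on that name yields "block" while an unknown host with no database hits yields "allow"; a proxy using this must still handle ClientHellos without SNI, which the parser reports as None.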