Title Systems and methods for flash crowd control and batching OCSP requests via online certificate status protocol
Abstract The present invention is directed towards systems and methods for batching OCSP requests and caching corresponding responses. An intermediary between a plurality of clients and one or more servers receives a first client certificate during a first SSL handshake with a first client and a second client certificate during a second SSL handshake with a second client. The intermediary may identify that the statuses of the client certificates are not in a cache of the intermediary. An OCSP responder of the intermediary may transmit a single request to an OCSP server to determine the statuses. The intermediary may determine, from a single response received from the OCSP server, whether to establish SSL connections with the clients based on the statuses. The intermediary may store the statuses to the cache for determining whether to establish an SSL connection in response to receiving a client certificate from the first client.
Publication number US9203627(B2) Publication date 2015.12.01
Application number US201314100867 Filing date 2013.12.09
Applicant CITRIX SYSTEMS, INC. Inventors Edstrom Christofer;Kanekar Tushar
Classification H04L9/32;H04L29/06;H04L29/08 Main classification H04L9/32
Agency Foley & Lardner LLP Agents Foley & Lardner LLP ;McKenna Christopher J.;Pua Paul M. H.
Main claim 1. A method comprising: (a) receiving, by a device intermediary between a plurality of clients and one or more servers, while waiting a predetermined time period, a plurality of client certificates of the plurality of clients for a plurality of Secure Socket Layer (SSL) handshakes, each of the plurality of SSL handshakes between the device and a corresponding client of the plurality of clients, the plurality of clients communicating with the one or more servers via the device; (b) determining, by the device, that the received plurality of client certificates corresponds to a single certificate authority; (c) transmitting, by the device responsive to expiration of the predetermined time period and to the determination that the received plurality of client certificates corresponds to the single certificate authority, and while portions of each of the plurality of SSL handshakes are outstanding, a single request for the plurality of SSL handshakes to an Online Certificate Status Protocol (OCSP) responder to determine the status of each of the plurality of client certificates; (d) identifying, by the device, the status of each of the plurality of client certificates from a response received from the OCSP responder; and (e) determining, by the device responsive to the status, whether to establish a SSL connection for each of the SSL handshakes of the plurality of SSL handshakes.
Address Fort Lauderdale FL US
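As an added illustration (not code from the patent or from Citrix), the batching described in the abstract and claim 1 modelled in Python: a handshake presenting an uncached certificate is parked until the wait period ends, one OCSP request is then built per issuing CA (the claim's single-CA case generalised to several CAs), and a single response decides every parked handshake and fills the cache so later handshakes need no request. ClientCert, OcspBatcher, the issuer label standing in for the OCSP CertID hashes, and the string statuses are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientCert:
    serial: str
    issuer: str  # stand-in for the CertID's issuer name/key hashes (constructed model)

class OcspBatcher:
    """Parks handshakes during a wait period, then issues one OCSP request per CA."""

    def __init__(self):
        self.cache = {}    # (issuer, serial) -> "good" | "revoked" | "unknown"
        self.pending = []  # certificates whose handshakes are still outstanding

    def on_client_certificate(self, cert):
        """Decide from cache if possible; otherwise park the handshake (None)."""
        status = self.cache.get((cert.issuer, cert.serial))
        if status is None:
            self.pending.append(cert)
            return None
        return status == "good"  # "revoked" and "unknown" both fail closed

    def build_requests(self):
        """Called when the wait period expires: one request per issuing CA."""
        by_issuer = {}
        for cert in self.pending:
            by_issuer.setdefault(cert.issuer, set()).add(cert.serial)
        return {issuer: sorted(s) for issuer, s in by_issuer.items()}

    def on_ocsp_response(self, issuer, statuses):
        """Apply one response covering several serials; return per-cert decisions."""
        decisions, still_pending = {}, []
        for cert in self.pending:
            if cert.issuer == issuer and cert.serial in statuses:
                self.cache[(cert.issuer, cert.serial)] = statuses[cert.serial]
                decisions[cert.serial] = statuses[cert.serial] == "good"
            else:
                still_pending.append(cert)
        self.pending = still_pending
        return decisions

def demo():
    """Constructed scenario: three handshakes arrive inside one wait period."""
    b = OcspBatcher()
    certs = [ClientCert("01", "CA-A"), ClientCert("02", "CA-A"), ClientCert("03", "CA-B")]
    parked = [b.on_client_certificate(c) for c in certs]      # nothing cached yet
    requests = b.build_requests()                              # two batched requests
    decisions = b.on_ocsp_response("CA-A", {"01": "good", "02": "revoked"})
    cached = b.on_client_certificate(ClientCert("01", "CA-A"))  # answered from cache
    return parked, requests, decisions, cached, len(b.pending)
```

A production cache would also expire each entry at the response's nextUpdate time; the model omits that.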