Title: Splicing into an active TLS session without a certificate or private key
Abstract: An origin server selectively enables an intermediary (e.g., an edge server) to shunt into and out of an active TLS session that is ongoing between a client and the origin server. The technique allows selected pieces of a data stream to be delegated from the origin to the edge server, so that the edge server can transmit authentic cached content, without the edge server gaining control of the entire stream or the ability to decrypt arbitrary data after that point. The origin authorizes the edge server to inject cached data at certain points in the TLS session and can then cryptographically revoke any further access to the stream (by renegotiating the session, so that the keys the edge holds no longer apply) until the origin deems it appropriate to delegate again.
Publication number: US2015052349(A1)  Publication date: 2015.02.19
Application number: US201414268657  Filing date: 2014.05.02
Applicant: Akamai Technologies, Inc.  Inventors: Gero Charles E.; Stone Michael R.
Classification: H04L29/06  Main classification: H04L29/06
Agency: (not listed)  Agent: (not listed)
Independent claim: 1. Apparatus operating as an intermediary between a first computing entity and a second computing entity, the first computing entity and the second computing entity having established between them an active Transport Layer Security (TLS) session for transport of encrypted requests from the first computing entity and encrypted responses from the second computing entity, the apparatus comprising: a processor; computer memory holding computer program instructions executed by the processor to: receive from the second computing entity a TLS key for the active TLS session; use the TLS key during the active TLS session to access and decrypt one or more TLS records associated with one of: the encrypted requests from the first computing entity, and the encrypted responses from the second computing entity, thereby enabling visibility into one of: data within the encrypted requests, and data within the encrypted responses; and receive an indication generated in association with a renegotiation of the active TLS session, the renegotiation revoking decryption access to the TLS records and the visibility into the data within the encrypted requests and responses.
Address: Cambridge MA US
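The mechanism the abstract and claim 1 describe (the origin hands the intermediary the record-layer key for the current session, the intermediary decrypts or injects records under that key, and a renegotiation revokes that access) can be followed end to end with a small model. The block below is an added example written for this page, not Akamai's code and not TLS itself: the record layer is a toy encrypt-then-MAC construction over HMAC-SHA256 from the Python standard library, standing in for a real cipher suite, and the key labels, sequence-number handling and messages are constructed for illustration. The one assumption that matters for the security argument is that the edge receives only the derived write keys of the current key epoch, never the secret they were derived from, so a renegotiation (a fresh secret exchanged between client and origin only) leaves the edge with keys that no longer verify or decrypt anything.

```python
# Added example (not Akamai's code): stdlib-only model of delegating record-layer
# keys to an edge and revoking them by renegotiation. The record layer here is a
# toy HMAC-SHA256 encrypt-then-MAC construction standing in for a TLS cipher suite.
import hashlib
import hmac
import os
import struct

TAG_LEN = 32


def derive_key(secret: bytes, label: bytes) -> bytes:
    """Derive a per-purpose key from an epoch secret (one HKDF-Expand-style block)."""
    return hmac.new(secret, label + b"\x01", hashlib.sha256).digest()


class EpochKeys:
    """Server-to-client write keys for one key epoch of the session.

    Only these derived keys are ever handed to the edge, never the secret they
    came from, so the edge cannot derive keys for any later epoch (assumption)."""

    def __init__(self, epoch_secret: bytes):
        self.enc = derive_key(epoch_secret, b"server write enc")
        self.mac = derive_key(epoch_secret, b"server write mac")


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """CTR-style keystream keyed by record sequence number; never reuse (key, seq)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(keys: EpochKeys, seq: int, plaintext: bytes) -> bytes:
    """Build record seq || ciphertext || tag; the MAC covers seq so records cannot be reordered."""
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(keys.enc, seq, len(plaintext))))
    tag = hmac.new(keys.mac, struct.pack(">Q", seq) + ct, hashlib.sha256).digest()
    return struct.pack(">Q", seq) + ct + tag


def unseal(keys: EpochKeys, expected_seq: int, record: bytes) -> bytes:
    """Verify and decrypt a record; raises ValueError on wrong key, tampering or replay."""
    seq = struct.unpack(">Q", record[:8])[0]
    ct, tag = record[8:-TAG_LEN], record[-TAG_LEN:]
    if seq != expected_seq:
        raise ValueError("unexpected sequence number (replay/reorder)")
    want = hmac.new(keys.mac, record[:8] + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("MAC check failed (wrong epoch key or tampered record)")
    return bytes(c ^ k for c, k in zip(ct, keystream(keys.enc, seq, len(ct))))


def run_delegation() -> dict:
    """Walk through delegate -> inject -> renegotiate -> revoke and report what each party saw."""
    client_seen = []
    # Epoch 1: client and origin share the handshake secret; the edge holds nothing yet.
    epoch1 = EpochKeys(os.urandom(32))
    seq = 0
    client_seen.append(unseal(epoch1, seq, seal(epoch1, seq, b"HTTP/1.1 200 OK\r\n")))
    seq += 1
    # Delegation: origin hands the edge the current write keys and the next sequence number.
    edge_keys, edge_seq = epoch1, seq
    injected = seal(edge_keys, edge_seq, b"<cached body sent by edge>")
    client_seen.append(unseal(epoch1, seq, injected))  # client accepts it as authentic
    seq += 1
    # Renegotiation: a fresh secret exchanged between client and origin only; counters reset.
    epoch2 = EpochKeys(os.urandom(32))
    seq = 0
    origin_rec = seal(epoch2, seq, b"<origin-only data>")
    client_seen.append(unseal(epoch2, seq, origin_rec))
    seq += 1
    # The edge still holds epoch-1 keys: it can neither read the new record ...
    try:
        unseal(edge_keys, 0, origin_rec)
        edge_reads_after = True
    except ValueError:
        edge_reads_after = False
    # ... nor inject one the client will accept, even at the correct sequence number.
    try:
        unseal(epoch2, seq, seal(edge_keys, seq, b"<late injection>"))
        edge_injects_after = True
    except ValueError:
        edge_injects_after = False
    return {
        "client_seen": client_seen,
        "edge_reads_after_renegotiation": edge_reads_after,
        "edge_injects_after_renegotiation": edge_injects_after,
    }


if __name__ == "__main__":
    print(run_delegation())
```

Two details carry the security property. First, the sequence number is authenticated inside each record, so the edge can only inject at the exact position the origin delegated; a record sealed for any other position is rejected before decryption. Second, revocation is not a policy flag the edge must honor but a key change it cannot follow: because the edge never saw the epoch secret, the renegotiated keys are unrelated to what it holds, and both its read and write capability end at the renegotiation boundary.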