A middlebox is a network appliance that inspects or transforms traffic passing through it, for example to optimize data flow across a network. Middleboxes can be configured as wide area network (“WAN”) optimizers and deployed in pairs at two geographically separated locations, so that traffic between the two sites is optimized on the path between the two middleboxes. The pair can be connected through a single link or through multiple links, such as a leased line link and a broadband link. In this role, with the primary job of optimizing network traffic to provide a better user experience, middleboxes are commonly called WAN optimizers.
In high availability networks it is common to establish secure connections between two end point entities, for example between a client device and a web server. One or more middleboxes can be deployed between the two end point entities. A middlebox can proxy a secure connection by terminating the secure connection on a first link between one end point entity and the middlebox and forming a new, separate secure connection between the middlebox and the other end point entity on behalf of the first. The middlebox is therefore itself an end point of both connections: it presents its own certificate to the client and must validate the server's certificate chain on the second connection, since the client no longer sees that chain.
In a typical Secure Sockets Layer/Transport Layer Security (SSL/TLS) connection between a client and a server, a single web session can create multiple SSL/TLS connections to the same server, and each refresh of a web page creates further connections to that server. In an environment where the SSL/TLS connections to the server are proxied by a cluster of middleboxes, each connection can be proxied by a different middlebox in the cluster. With existing approaches, each middlebox in the cluster has to perform a full SSL/TLS handshake with the server to obtain its certificate chain and compute the keys for the secure connection. Session resumption (session IDs or session tickets) avoids the full handshake only for the endpoint that holds the earlier session state, so it does not help a second middlebox that has never spoken to that server.
The problem is that, more often than not, a single connection request to the server associated with one website is followed by a series of user requests to other related websites, leading to multiple SSL/TLS sessions with different servers having different fully qualified domain names. To establish these connections, the middlebox has to perform a full SSL/TLS handshake with each of those servers to obtain its certificate chain and compute the keys for a secure channel. A full handshake is CPU intensive (the asymmetric key exchange and key derivation) and costs at least one additional round trip time (RTT) plus the extra bytes needed to transfer the certificate chain.
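The cost described above can be made concrete with a small model of the cluster. The following is an added illustration, not code from the patent: it models origin servers, a round-robin cluster of middleboxes and a session cache, and counts full versus resumed handshakes when each middlebox keeps its own cache and when the cluster shares one. Hostnames, certificate-chain sizes, the request sequence and the cost model (a full handshake costs one extra RTT and one chain transfer; a resumed handshake costs neither) are all constructed for the example. The model also covers two cases a practitioner has to handle: a cached entry that has expired, and a session the server has since evicted, both of which must fall back to a full handshake rather than fail.

```python
"""Model of a cluster of TLS-proxying middleboxes, with and without a shared
session cache.  Added illustration; origins, chain sizes, request sequence
and cost model are all constructed, not taken from the patent."""
from dataclasses import dataclass
import secrets


@dataclass
class Stats:
    full_handshakes: int = 0
    resumed_handshakes: int = 0
    extra_rtts: int = 0
    chain_bytes: int = 0


class Origin:
    """A server with a FQDN, a certificate chain and a session store."""

    def __init__(self, fqdn: str, chain_len: int):
        self.fqdn = fqdn
        self.chain = b"\x30" * chain_len          # constructed stand-in for a DER chain
        self._sessions: dict[bytes, bytes] = {}   # session id -> master secret

    def full_handshake(self) -> tuple[bytes, bytes, bytes]:
        """Server side of a full handshake: sends its chain and agrees a secret."""
        sid, master = secrets.token_bytes(32), secrets.token_bytes(48)
        self._sessions[sid] = master
        return sid, master, self.chain

    def resume(self, sid: bytes) -> bool:
        """Abbreviated handshake: succeeds only if the server still holds the session."""
        return sid in self._sessions

    def flush_sessions(self) -> None:
        """Server-side cache eviction (restart, memory pressure, timeout)."""
        self._sessions.clear()


class SessionCache:
    """(session id, master secret) per origin FQDN, with a time-to-live."""

    def __init__(self, ttl: float):
        self.ttl = ttl
        self._by_fqdn: dict[str, tuple[bytes, bytes, float]] = {}

    def get(self, fqdn: str, now: float):
        hit = self._by_fqdn.get(fqdn)
        if hit is None:
            return None
        sid, master, expires = hit
        if expires <= now:                  # expired: treat as a miss
            del self._by_fqdn[fqdn]
            return None
        return sid, master

    def put(self, fqdn: str, sid: bytes, master: bytes, now: float) -> None:
        self._by_fqdn[fqdn] = (sid, master, now + self.ttl)

    def drop(self, fqdn: str) -> None:
        self._by_fqdn.pop(fqdn, None)


class Middlebox:
    """Client side of the proxied connection from middlebox to origin."""

    def __init__(self, cache: SessionCache, stats: Stats):
        self.cache, self.stats = cache, stats

    def connect(self, origin: Origin, now: float) -> bytes:
        cached = self.cache.get(origin.fqdn, now)
        if cached is not None and origin.resume(cached[0]):
            self.stats.resumed_handshakes += 1
            return cached[1]
        if cached is not None:
            self.cache.drop(origin.fqdn)    # server no longer knows it; do not keep a dead entry
        sid, master, chain = origin.full_handshake()
        # A real proxy validates `chain` against origin.fqdn here, before the
        # secret is cached under that name; only a validated entry is safe to reuse.
        self.stats.full_handshakes += 1
        self.stats.extra_rtts += 1
        self.stats.chain_bytes += len(chain)
        self.cache.put(origin.fqdn, sid, master, now)
        return master


def sample_origins() -> dict[str, Origin]:
    """Constructed origins: three related hosts a page load might touch."""
    names = ["www.example.com", "static.example.com", "api.example.com"]
    return {n: Origin(n, 2400) for n in names}


def run_cluster(requests, origins, n_boxes: int, shared_cache: bool, ttl: float = 300.0) -> Stats:
    """Distribute (fqdn, time) requests round-robin over n_boxes middleboxes."""
    stats = Stats()
    if shared_cache:
        cache = SessionCache(ttl)
        boxes = [Middlebox(cache, stats) for _ in range(n_boxes)]
    else:
        boxes = [Middlebox(SessionCache(ttl), stats) for _ in range(n_boxes)]
    for i, (fqdn, t) in enumerate(requests):
        boxes[i % n_boxes].connect(origins[fqdn], t)
    return stats


# Constructed request sequence: three connections to each host, arriving in order.
SAMPLE_REQUESTS = [(h, float(i)) for i, h in enumerate(
    ["www.example.com"] * 3 + ["static.example.com"] * 3 + ["api.example.com"] * 3)]

if __name__ == "__main__":
    for shared in (False, True):
        print("shared cache" if shared else "per-box caches",
              run_cluster(SAMPLE_REQUESTS, sample_origins(), 3, shared))
```

With three middleboxes and per-box caches every one of the nine connections is a full handshake, because each box meets each host for the first time; with one shared cache only the first connection to each host pays the full cost. The cache is keyed by the FQDN the client asked for and populated only after the chain for that name has been validated, so an entry is never reused to reach a different identity.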