A middlebox is a network appliance that manipulates Internet traffic by optimizing data flow across the network. Middleboxes can be configured as wide area network (“WAN”) optimizers and can be deployed in pairs across two geographically separated locations to optimize data traffic between the two middleboxes. Middleboxes can be connected through a single link or through multiple links, such as a leased line link and a broadband link. Middleboxes, which may be called WAN optimizers, can work as a pair of devices whose primary job is optimizing the network traffic, providing a better user experience.
For high availability networks, it is common to establish secure connections between two end point entities, for example between a client device and a web server. One or more middleboxes can be deployed between the two end point entities. Middleboxes can proxy one or more secure connections by monitoring secure connections on a first link between one end point entity and a middlebox and forming a new secure connection between the middlebox and the other end point entity based on the first link.
Middleboxes also act as Secure Sockets Layer (SSL) proxy appliances such that they can proxy SSL connections between the two end point entities. For example, by proxying an SSL connection at a middlebox that is located between a client device and a web server, two SSL sessions are formed. One session is an SSL connection, hereinafter SSL1, which is a trusted connection between the client device and the middlebox. This connection is trusted because an administrator of the middlebox would typically install a domain-trusted certificate and private keys on the middlebox to proxy the connection. The other session is another SSL connection, hereinafter SSL2, which is a trusted connection between the middlebox and the web server using the web server's actual security certificate.
In a typical SSL/Transport Layer Security (TLS) connection between a client and a server, a single web session to a server can create multiple SSL/TLS connections to the server. Also, when a web page is refreshed, multiple secure connections are created to the same server. In an environment where multiple SSL/TLS connections to the server are proxied by a cluster of middleboxes, each of the connections can be proxied by a different middlebox from the cluster. Based on current technology, each of the middleboxes in the cluster would have to establish a full SSL handshake with the server to obtain certificates and to compute the necessary keys for establishing a secure connection. This task is very CPU-intensive and might involve an additional Round Trip Time (RTT) and additional data to fetch the certificate chain.
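The cost just described, as an added example that is not part of the original text: a small Python model of a middlebox cluster in which each box proxies the SSL2 leg and keeps only its own session cache, compared with the same cluster sharing one session cache. The handshake costs, chain size, cluster size and connection list are constructed assumptions, not figures from the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed cost assumptions: a full handshake costs two round trips and
# carries the server's certificate chain; a resumed handshake costs one
# round trip and carries no chain.
FULL_HANDSHAKE_RTT = 2
RESUMED_HANDSHAKE_RTT = 1
CERT_CHAIN_BYTES = 4096  # constructed size of a typical certificate chain


@dataclass
class Middlebox:
    """One WAN optimizer in a cluster, proxying the SSL2 leg to the server."""
    name: str
    session_cache: Dict[str, str]  # server name -> resumable session id
    full_handshakes: int = 0
    resumed_handshakes: int = 0

    def open_ssl2(self, server: str) -> Tuple[int, int]:
        """Open the middlebox-to-server leg; return (round trips, bytes) spent."""
        if server in self.session_cache:
            self.resumed_handshakes += 1
            return RESUMED_HANDSHAKE_RTT, 0
        # No cached session: full handshake, fetch and verify the server's
        # chain, derive keys, then remember the session for later resumption.
        self.full_handshakes += 1
        self.session_cache[server] = f"session-{self.name}-{server}"
        return FULL_HANDSHAKE_RTT, CERT_CHAIN_BYTES


def proxy_connections(servers: List[str], cluster_size: int,
                      shared_cache: bool) -> Dict[str, int]:
    """Distribute connections round-robin over the cluster and total the cost."""
    shared: Dict[str, str] = {}
    boxes = [Middlebox(f"mb{i}", shared if shared_cache else {})
             for i in range(cluster_size)]
    total_rtt = total_bytes = 0
    for i, server in enumerate(servers):
        rtt, nbytes = boxes[i % cluster_size].open_ssl2(server)
        total_rtt += rtt
        total_bytes += nbytes
    return {
        "full": sum(b.full_handshakes for b in boxes),
        "resumed": sum(b.resumed_handshakes for b in boxes),
        "rtt": total_rtt,
        "bytes": total_bytes,
    }


if __name__ == "__main__":
    # Constructed workload: one page refresh opening eight connections to one server.
    burst = ["www.example.com"] * 8
    print("per-box caches:", proxy_connections(burst, 4, shared_cache=False))
    print("shared cache:  ", proxy_connections(burst, 4, shared_cache=True))
```

With per-box caches every middlebox in the cluster pays one full handshake for the same server; with a shared cache only the first connection does, and the remaining connections on any box resume it.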