Shared Cipher Spec Protocol
Original Publication Date: 2000-Apr-01
Included in the Prior Art Database: 2003-Jun-19
A networking protocol is disclosed that provides efficient and secure sharing of the cipher spec information used by server programs providing Secure Socket Layer (SSL) connections to client programs (in SSL terms, the session identifier, the negotiated cipher suite and the master secret that together allow a client to resume a session with an abbreviated handshake). This allows an internet service provided by a pool of servers to transparently continue SSL sessions across connections that land on different machines in the pool. The result is a significant reduction in server processing load and network data transmission, yielding both reduced response time for clients and increased server pool throughput.

There is significant load balancing technology in the marketplace today for making web sites more scalable and available. The underlying design principle in much of this technology is the transparent deployment of a cluster of machines that produce equivalent results. The challenge lies in making the servers in the cluster actually produce equivalent results. Failure to do so causes a problem known as "server affinity": a client that has connected to one server in the cluster must keep connecting to that same server to obtain correct results. This requirement is in direct conflict with the availability and scalability goals that clustering is designed to meet.

Several aspects of the server affinity problem have been and continue to be addressed. Shared file and disk systems provide a single view of the site's file system across the server cluster, ensuring identical static content, templates, programs and class libraries. Database servers, transaction servers, application servers with distributed session state and proxy servers with shared caches ensure a common view of application data across the cluster. The remaining major unaddressed source of server affinity is the SSL cipher spec: the session state negotiated between a client and one particular server.
The rapid growth of e-business is creating significant pressure for business-critical sites that demand high availability and scalability together with the data security offered by SSL encryption of transmissions. A stand-alone server using SSL typically needs to negotiate a new SSL session on only about 5% of its connections, because the SSL protocol lets a client resume an existing session instead of performing a full handshake. Load balancing the same application across a cluster of servers typically forces SSL session (re)negotiation on upwards of 90% of connections, because the server that receives a resumption request usually is not the server that negotiated the session and so has no record of it. This additional processing load frequently dictates a minimum cluster of three machines just to match the throughput of a single stand-alone machine. It also produces poorer user response time, regardless of the number of machines in the cluster. To avoid this, most load balancing products can pin a client IP address to a specific server machine for a period of time. This approach solves the server affinity problem for intranet applications but breaks down for internet applications, where the widespread use of proxy and SOCKS servers means that large numbers of distinct clients present the same client IP address. The mechanism proposed here is instead a new protocol, implemented by the servers that themselves implement SSL, for sharing negotiated session state across the pool.
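The following added example is not part of the original disclosure; it is a deterministic model, written for this page, of the effect the two paragraphs above describe. It load-balances a population of SSL clients over a server pool and counts full handshakes, first with each server keeping only its own session cache (the server affinity case) and then with every server publishing each newly negotiated session record to its peers, which is the sharing the disclosure proposes. The record layout (session_id, cipher_suite, master_secret), the class and function names, and the random load balancer are assumptions made for the model; the disclosure does not specify a wire format or a balancing policy.

```python
"""
Model of SSL session resumption behind a load balancer, with and without
pool-wide sharing of session state. Illustrative code added for this page;
names and record layout are assumptions, not the disclosure's own protocol.
"""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SessionRecord:
    # The state a server must hold to accept an abbreviated (resumed) handshake.
    session_id: bytes
    cipher_suite: str
    master_secret: bytes


@dataclass
class SSLServer:
    name: str
    peers: List["SSLServer"] = field(default_factory=list)  # rest of the pool
    share_sessions: bool = False
    cache: Dict[bytes, SessionRecord] = field(default_factory=dict)
    full_handshakes: int = 0
    resumptions: int = 0

    def publish(self, rec: SessionRecord) -> None:
        # Hypothetical "shared cipher spec" step: hand the negotiated record to
        # every peer so that any of them can resume this session later. In a real
        # deployment this exchange carries master secrets and must itself be
        # authenticated and encrypted between the servers.
        for peer in self.peers:
            peer.cache[rec.session_id] = rec

    def handshake(self, rng: random.Random,
                  offered_id: Optional[bytes]) -> SessionRecord:
        rec = self.cache.get(offered_id) if offered_id is not None else None
        if rec is not None:
            self.resumptions += 1          # abbreviated handshake, no new key exchange
            return rec
        self.full_handshakes += 1          # full handshake: new session negotiated
        rec = SessionRecord(session_id=rng.randbytes(32),
                            cipher_suite="TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                            master_secret=rng.randbytes(48))
        self.cache[rec.session_id] = rec
        if self.share_sessions:
            self.publish(rec)
        return rec


def build_pool(n_servers: int, share: bool) -> List[SSLServer]:
    pool = [SSLServer(f"srv{i}", share_sessions=share) for i in range(n_servers)]
    for s in pool:
        s.peers = [p for p in pool if p is not s]
    return pool


def simulate(n_servers: int, n_clients: int, conns_per_client: int,
             share: bool, seed: int = 1) -> float:
    """Return the fraction of connections that needed a full handshake.

    Each client keeps only its most recent session ID (as SSL clients do for a
    given host) and the balancer picks a server uniformly at random, a
    constructed workload chosen so the result is easy to reason about.
    """
    rng = random.Random(seed)
    pool = build_pool(n_servers, share)
    last_session: Dict[int, bytes] = {}
    for client in range(n_clients):
        for _ in range(conns_per_client):
            server = rng.choice(pool)
            rec = server.handshake(rng, last_session.get(client))
            last_session[client] = rec.session_id
    full = sum(s.full_handshakes for s in pool)
    return full / (n_clients * conns_per_client)


if __name__ == "__main__":
    for n in (1, 3, 10):
        for share in (False, True):
            rate = simulate(n, n_clients=1000, conns_per_client=20, share=share)
            print(f"{n:2d} servers, sharing={share!s:5}: "
                  f"{rate:.1%} of connections do a full handshake")
```

With one server the two policies coincide and only the first connection of each client is a full handshake (5% for 20 connections per client, the stand-alone figure in the text). With ten unshared servers a resumption succeeds only when the balancer happens to return the client to the server that negotiated its last session, so roughly nine in ten connections fall back to a full handshake; with sharing enabled the rate drops back to the single-server value. The model deliberately omits cache expiry and eviction; a real shared cache needs both, since each published record lets any holder decrypt that session.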