About TLS optimization
Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL) and is used to secure internet communication. Enabling TLS optimization allows Riverbed appliances to accelerate encrypted traffic, such as HTTPS. This feature was introduced in SteelHead 9.10.1 and Client Accelerator 6.3.1, and it requires a separate license to function. You can enable TLS optimization even if it is not licensed, but it takes effect only when it is both enabled and licensed.
TLS uses certificates to authenticate the identities of entities, ensuring secure communication. In a typical web application, the client authenticates the server by checking the server’s certificate, which is signed by a trusted Certificate Authority (CA).
Riverbed secure connections

Riverbed appliances create a trust relationship with each other to securely exchange information, so no changes are required to the client and server applications or proxy configurations. When a secure connection is established, the appliances manage the handshake process. This includes establishing trust and negotiating a session key for data transfer.
For TLS optimization, Server Name Indication (SNI) must be used during the TLS handshake. This process is initiated by the client. If you're using customized or nonstandard applications, contact Riverbed Support for optimization assistance.
With TLS acceleration, the server-side and client-side SteelHeads set up independent sessions with the server and the client, respectively. When a client connects securely to a server, the SteelHead checks if the server's certificate matches one in its certificate pool. If a match is found, subsequent connections to that server are optimized. If no match is found, the connection is added to a bypass list, and no optimization occurs for future connections to that server-client pair.
The appliances store all SSL/TLS settings, certificates, and private keys in secure vaults. These vaults protect your certificates when the appliance is powered off. The vault is unlocked with a password when the appliance is powered on, and SSL traffic is only optimized after the vault is unlocked.