About TLS optimization

Transport Layer Security (TLS) replaces Secure Sockets Layer (SSL). Enabling TLS optimization allows appliances to accelerate encrypted traffic, such as HTTPS.

TLS optimization was introduced in SteelHead 9.10.1 and Client Accelerator 6.3.1. Connections from peers running earlier versions are passed through. TLS optimization supports features such as SSL Simplification, where the Client Accelerator automatically provides certificates and brokers access to client certificates for client-authenticated connections. TLS optimization requires a separate license. You can configure and enable TLS optimization even if it is not licensed; however, the feature needs to be both enabled and licensed to work.

SSL/TLS are cryptographic protocols that provide secure communication between two entities over the internet. Secure communication happens when entities verify and authenticate each other’s identity using a system of encrypted certificates and certificate keys. With web-based applications, the client typically authenticates the server. To identify itself, a certificate is installed on a web server and the client checks the credentials of the certificate to make sure it is valid and signed by a trusted third party. Trusted third parties that sign SSL certificates are called certificate authorities (CAs).

Riverbed appliances are configured to have a trust relationship so they can exchange information over secure connections. Clients and servers communicate with each other exactly as they do without SteelHeads; no changes are required for the client and server application, and no changes are required for the configuration of proxies. To achieve this, appliances split up the handshake (that is, the sequence of message exchanges at the start of a secure connection). In an ordinary handshake, the client and server first establish trust using public-key cryptography, and then they negotiate a symmetric session key to be used for data transfer.

TLS optimization requires that Server Name Indication (SNI) is used in the TLS handshake. The TLS handshake is originated by the client. Contact Support if you want to optimize traffic for customized or nonstandard applications.

With TLS acceleration, the server-side and client-side SteelHeads establish independent sessions to the server and client, respectively.

When clients initiate secure connections with a server, the SteelHead attempts to match the common name of the server’s certificate with one in its certificate pool. If the SteelHead finds a match, it adds the server to a list of discovered servers with which secure connections can be accelerated, and all subsequent connections to that server are optimized. If the SteelHead doesn’t find a match, it adds the server IP address and port and the client IP address to bypass lists, and all subsequent connections to that client-server pair aren’t accelerated. Lists of connections, accelerated and bypassed, are on the SSL reports pages.

Appliances also contain secure vaults that store all SSL/TLS server settings, other certificates (that is, the CA, peering trusts, and peering certificates), and the peering private key. The secure vault protects your private keys and certificates when the appliance isn’t powered on. You set a password for the secure vault that is used to unlock it when the appliance is powered on. After rebooting the appliance, SSL traffic isn’t optimized until the secure vault is unlocked with the correct password.