DETAILED ACTION
1. 	This is in response to RCE filed on June 13, 2022. Claims 1-21 are pending and claims 1, 8 and 15 are independent. Each independent claim is amended. 
Notice of Pre-AIA  or AIA  Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
3.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 06/13/2022 has been entered.

Response to Arguments
4.	Applicant’s arguments, filed on June 13, 2022, with respect to independent claims 1, 8 and 15 have been fully considered and are persuasive. The amendment made to the independent claims 1, 8 and 15 overcomes the ground of rejection and all the rejections set forth in the previous final office action have been withdrawn. 

Allowable Subject Matter
5.	Claims 1-21 are allowed. 
6.	The following is an examiner’s statements of reasons for allowance:
7. 	 The following references/prior arts disclose the subject matter/claim limitations recited in independent claims 1, 8 and 15 before the current amendment is made/filed.

As per independent claims 1 and 8, Wing discloses a method for processing cryptographically secured connections by a gateway [See abstract and figure 3, figure 2, 111, proxy the corresponds to the limitation “gateway” that is between the client device figure 2, 110 and the server shown on figure 2, 120 receives a certificate from the server, validates its identity and performs policy functions on that identity thereby creating cryptographically secure connection.] between a client [See figure 2, ref. 110/client device] and a server [See figure 2, ref. 120/server device] comprising: 
receiving from the client a connection request [See at least figure 3, ref, S100 how the TLS proxy receives a connection request from the client. Paragraph 0024, FIG. 3 illustrates an example flowchart for the system of FIG. 2. In S100, a first secure connection (e.g., user datagram protocol or TCP) is initiated by the client device 110. As part of attempting to establish a first secure connection with the server device 120, at least one initial negotiation message is sent from the client device 110 to the server device 120, ] that includes an indication of a site hosted by the server to which the client is attempting to connect [See figure 3, ref. S100,  and figure 3, S103 and S104, TLS Client Hello, where on paragraph 0017, indicates that The TLS ClientHello message includes a server name indication (SNI) extension as described in RFC 6066 dated January 2011 and available on the Internet Engineering Task Force (IETF) website. The example SNI extension, which may be described as a requested server address, shown in FIG. 1 is www.example.com.]; upon receiving the connection request [See figure 3, S103 and S104, upon receiving the connection request See figure 3, S100 and upon checking that the SNI is not on the negative policy list figure3. S103 and upon checking that the SNI is not listed in the identify cache figure 3. S104], responding to the received connection request by initiating a probing connection to the server [See figure 3, ref. S105 see how the proxy/gateway intercepts the first secure connection and initiate another Second probing connection with the server shown on figure 2/120], the probing connection including: performing a cryptographic protocol with the server [figure 3, S105 and paragraph 0029, In S105, a second secure connection (e.g., user datagram protocol or TCP) is initiated and established between the TLS proxy 111 and the server device 120. Another set of initial negotiation messages (e.g., ClientHello and ServerHello messages) are exchanged between the TLS proxy 111 and the server device 120], the cryptographic protocol including causing the server to provide an indicator to a site hosted by the server [See figure 3, S105 and paragraph 00029 and S106 where  a second secure connection (e.g., user datagram protocol or TCP) is initiated and established between the TLS proxy 111 and the server device 120. Another set of initial negotiation messages (e.g., ClientHello and ServerHello messages) are exchanged between the TLS proxy 111 and the server device 120 so that as indicated on figure 3, S106 and paragraph 0030 the server name and the certificate that indicates the site hosted by the server is provided. In S106, the TLS proxy 111 receives a server name and certificate from the server device 120]
receiving data from the server including an indicator to a site hosted by the server [See figure 3, S106 and paragraph 0030 see how the server name that indicates the site hosted by the server  (See for example figure 1, ref. 23 www.example.net) and the certificate is provided, In S106, the TLS proxy 111 receives a server name and certificate from the server device 120]; and, 
analyzing the received indicator to determine the identity of the site hosted by the server [See figure 3, ref. S107 and paragraph 0030, In S107, the TLS proxy 111 determines whether the server name received from the server device 120 is on the negative policy list, which may be the same negative policy list from S103]; and, processing the connection based, at least in part, on the determined identity of the site hosted by the server [See figure 3, ref. S108, Paragraph 0031, When the server name is not on the negative policy list, then the TLS proxy 111 proceeds to S108. At S108 the TLS proxy 111 completes the handshake with the server device 120 for the second secure connection.]

As per independent claim 15 Wing discloses a computer usable non-transitory storage medium having a computer program embodied thereon for causing a suitably programmed system to process cryptographically secured connections by a gateway [See abstract and figure 3, figure 2, 111, proxy the corresponds to the limitation “gateway” that is between the client device figure 2, 110 and the server shown on figure 2, 120 receives a certificate from the server, validates its identity and performs policy functions on that identity thereby creating cryptographically secure connection.] between a client [See figure 2, ref. 110/client device] and a server [See figure 2, ref. 120/server device] comprising: 
receiving from the client a connection request [See at least figure 3, ref, S100 how the TLS proxy receives a connection request from the client. Paragraph 0024, FIG. 3 illustrates an example flowchart for the system of FIG. 2. In S100, a first secure connection (e.g., user datagram protocol or TCP) is initiated by the client device 110. As part of attempting to establish a first secure connection with the server device 120, at least one initial negotiation message is sent from the client device 110 to the server device 120, ] that includes an indication of a site hosted by the server to which the client is attempting to connect [See figure 3, ref. S100,  and figure 3, S103 and S104, TLS Client Hello, where on paragraph 0017, indicates that The TLS ClientHello message includes a server name indication (SNI) extension as described in RFC 6066 dated January 2011 and available on the Internet Engineering Task Force (IETF) website. The example SNI extension, which may be described as a requested server address, shown in FIG. 1 is www.example.com.]; upon receiving the connection request [See figure 3, S103 and S104, upon receiving the connection request See figure 3, S100 and upon checking that the SNI is not on the negative policy list S103 and upon checking that the SNI is not listed in the identify cache S104], responding to the received connection request by initiating a probing connection to the server [See figure 3, ref. S105 see how the proxy/gateway intercepts the first secure connection and initiate another Second probing connection with the server shown on figure 2/120], the probing connection including: performing a cryptographic protocol with the server [figure 3, S105 and paragraph 0029, In S105, a second secure connection (e.g., user datagram protocol or TCP) is initiated and established between the TLS proxy 111 and the server device 120. Another set of initial negotiation messages (e.g., ClientHello and ServerHello messages) are exchanged between the TLS proxy 111 and the server device 120], the cryptographic protocol including causing the server to provide an indicator to a site hosted by the server [See figure 3, S105 and paragraph 00029 and S106 where a second secure connection (e.g., user datagram protocol or TCP) is initiated and established between the TLS proxy 111 and the server device 120. Another set of initial negotiation messages (e.g., ClientHello and ServerHello messages) are exchanged between the TLS proxy 111 and the server device 120 so that as indicated on figure 3, S106 and paragraph 0030 the server name and the certificate that indicates the site hosted by the server is provided. In S106, the TLS proxy 111 receives a server name and certificate from the server device 120]
receiving data from the server including an indicator to a site hosted by the server [See figure 3, S106 and paragraph 0030 see how the server name that indicates the site hosted by the server  (See for example figure 1, ref. 23 www.example.net) and the certificate is provided, In S106, the TLS proxy 111 receives a server name and certificate from the server device 120]; and, 
analyzing the received indicator to determine the identity of the site hosted by the server [See figure 3, ref. S107 and paragraph 0030, In S107, the TLS proxy 111 determines whether the server name received from the server device 120 is on the negative policy list, which may be the same negative policy list from S103]; and, processing the connection based, at least in part, on the determined identity of the site hosted by the server [See figure 3, ref. S108, Paragraph 0031, When the server name is not on the negative policy list, then the TLS proxy 111 proceeds to S108. At S108 the TLS proxy 111 completes the handshake with the server device 120 for the second secure connection.]
Furthermore, Buruganahalli discloses:

receiving from the client a connection requestthat includes an indication of a site hosted by the server to which the client is attempting to connect [See figure 1 and claim 1, where the network traffic is monitored at a firewall 100 or using a gateway (e.g., a gateway that includes security functions, such as a security gateway and see claim 1 how the firewall or the gateway or the processor, before the secure connection is created, extract the destination domain from a server name indication (SNI) of a client hello message sent from the client to the remote server, the secure connection including an encrypted message, wherein the extracting of the destination domain from the SNI of the client hello message sent from the client to the remote server comprises to: identify the SNI from the client hello message during a handshaking process for setting the secure connection between the client and the remote server. See column 11, line 15-16, step 1 where the client C (TLS Handshake) Hello, I support XYZ Encryption and I am trying to connect to ‘website.example.com’ and column 11, line 22-23, As shown in the example, TLS handshake exchange, the client provides a hostname identification in Step 1. In particular, the client indicates in this hello message which hostname it wants to setup this secure connection with so that the server then knows which public certificate to send back]; upon receiving the connection request, responding to the received connection request by initiating a probing connection to the server [See column 11, lines 27-33, As discussed above, the firewall can intercept and decode (e.g., parse) this TLS handshake exchange to extract the hostname from the client hello message in order to apply various policies based on the destination domain. As also discussed above, the firewall can also verify whether the extracted hostname matches the hostname associated with the provided Public Certificate that was sent in Step 2 and See claim 1, see how the processor or the firewall shown on figure 1, extract a domain identified in a public certificate sent from the remote server to the client; compare the destination domain and the domain identified in the public certificate; and in the event that the destination domain matches the domain identified in the public certificate, apply a security policy based on the destination domain to filter traffic at the security device, wherein the security policy includes a whitelist/blacklist policy.]

Furthermore, the following newly founded prior art discloses the general subject matter recited in these independent claims 1, 8 and 15.

A. 	US Patent No. 8549157-B2 to Schnellaecher discloses methods include an apparatus comprising a transparent proxy coupled to a plurality of non-configured clients and coupled to one or more servers, the transparent proxy operable to intercept a request for a secured connection to a first server of the one or more servers, the request from a first non-configured client of the plurality of non-configured clients and including a server name indication extension, and to supply a proper certificate to the first non-configured client including the server name indication extension as a common name in the proper certificate.

B.	US Patent No. 10374800-B1 to Scharifi discloses a computer-implemented method, comprising:
obtaining, at a first computing device, a cryptography algorithm hopping model that specifies a plurality of cryptography algorithms and information sufficient to determine a sequence of the plurality of cryptography algorithms and to determine when to switch from a cryptography algorithm in the sequence to a next cryptography algorithm in the sequence;
establishing a first secure communications channel by performing a handshake process with a second computing device, the first secure communications channel associated with a first cryptography algorithm of the plurality of cryptography algorithms;
receiving, from a third computing device during the handshake process, a cipher suite to use from a set of cipher suites received from the second computing device, the cipher suite containing a second cryptography algorithm;
communicating with the second computing device over the first secure communications channel by transmitting messages that are encrypted using the first cryptography algorithm;
using the cryptography algorithm hopping model to determine when to switch to the second cryptography algorithm, the second cryptography algorithm being a next in the sequence relative to the first cryptography algorithm; and
communicating with the second computing device over a second secure communications channel by transmitting messages that are encrypted using the second cryptography algorithm.

C.	US Publication No. 2011/0231649 A1 to Bollay discloses a traffic management device (TMD), system, and processor-readable storage medium are directed to monitoring an encrypted session between a client and a server, determining that the session identifier is unknown, and requesting a renegotiation of the session to acquire a session identifier for the renegotiated session. Determination that the session identifier is unknown may be based on interception and analysis of handshake messages sent by the client and/or the server. Following such determination, a renegotiation of the encrypted session may be triggered by sending a renegotiation request to the client, and a session identifier for the renegotiated session may be determined based on information extracted from subsequent handshake messages exchanged between the client and server during the renegotiation. Determination of the session identifier may enable decryption, encryption and modification of subsequent communications traffic, for example insertion of third party content into traffic sent to the client.

D.	US Publication No. 2016/037341A1 to MacCarthaigh discloses a cryptographically protected communications sessions are established using a distributed process. A server proxies handshake messages to another computer system that negotiates a cryptographically protected communications session with the client. When the client and other computer system complete negotiation of the session, the other computer system provides a set of session keys to the server. The server then uses the session keys to communicate with the client over the cryptographically protected communications session.

E. See the other cited prior arts.

However, the above prior arts of record including the rest of the prior arts cited in the previous office action either taken alone or in combination neither anticipates nor renders obvious the claimed subject matter of the instant application that is taken as a whole including the functional limitation recited in the amended independent claims 1, 8 and 15. For this reason, the specific claim limitations recited in independent claims 1, 8 and 15 taken as whole are found to be allowable.

8.	 The dependent claim 2-7, 9-14 and 16-21 which is dependent on the above independent claims 1, 8 and 15 being further limiting to the independent claims, definite and enabled by the specification are also allowed.

9.	Any comments Applicants considers necessary must be submitted no later than the payment of the Issue Fee and to avoid processing delays, should preferable accompany the Issue Fees. Such submission should be clearly labeled "Comments on Statement of Reasons for Allowance". In event of any post-allowance papers (e.g. IDS, 312 amendment, petition, etc.), Applicant is exhorted to mail papers to the Production Control branch in Publications or faxed to post-allowance papers correspondence branch at (703) 308-5864 to expedite issuing process or call PUB's Customer Service if any questions at (703) 305-8497. 
Conclusion

10.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMSON B LEMMA whose telephone number is 571-272-3806.  The examiner can normally be reached on M-F 8am-10pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shaw Yin Chen can be reached on 571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.	
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SAMSON B LEMMA/Primary Examiner, Art Unit 2498