Support for ssl renegotiation, Basic ssl profile configuration, Specifying a keypair file – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual


Brocade Virtual ADX Security Guide


53-1003250-01


Support for SSL renegotiation

Some SSL application clients use renegotiation, a mechanism within the SSL protocols, to change cipher
specifications and redo the handshake. It has been found, however, that insecure renegotiation is
susceptible to man-in-the-middle attacks.

Although Brocade Virtual ADX does not support renegotiation and is therefore not susceptible to
these attacks, in some cases it does not handle renegotiation requests from the client properly.
This causes some web browsers to report a security flaw with Brocade Virtual ADX, which is a false
alarm.

With this feature enabled as shown, a Brocade Virtual ADX responds to renegotiation requests
which stops the browser from sending false alarms.

Virtual ADX(config)#server respond-with-renegotiation-info

Syntax: [no] ssl server respond-with-renegotiation-info

With this command enabled, a Brocade Virtual ADX will look for renegotiation-related headers in
SSL packets and respond accordingly.

Where this command is not enabled, a Brocade Virtual ADX ignores all renegotiation-related
headers.

NOTE

While a Brocade Virtual ADX with this command enabled will respond to renegotiation requests,
Brocade Virtual ADX does not currently support renegotiation.
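The browser check behind the false alarm described above is whether the ServerHello carries the renegotiation_info extension (type 0xff01, RFC 5746). The following added example, which is not Brocade's code and does not model the Virtual ADX internally, parses a TLS ServerHello record and reports whether that extension is present; the ServerHello bytes are constructed inline for illustration.

```python
# Added example: parse the extensions block of a TLS ServerHello record and
# report whether the server advertised renegotiation_info (RFC 5746). A client
# that does not see this extension treats the server as lacking secure
# renegotiation, which is what triggers the browser warning described above.
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type defined in RFC 5746

def server_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: data} from a TLS record carrying a ServerHello."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                       # skip server_version and random
    pos += 1 + body[pos]               # skip length-prefixed session_id
    pos += 2 + 1                       # skip cipher_suite and compression_method
    exts = {}
    if pos >= len(body):               # no extensions block at all
        return exts
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def secure_renegotiation_advertised(record: bytes) -> bool:
    """True if the ServerHello carries renegotiation_info.

    On an initial handshake the extension data is a zero-length
    renegotiated_connection, encoded as the single byte 0x00.
    """
    exts = server_hello_extensions(record)
    return exts.get(RENEGOTIATION_INFO) == b"\x00"

def build_server_hello(with_ri: bool) -> bytes:
    """Constructed sample ServerHello (TLS 1.2, cipher 0x002f, no session id)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if with_ri:
        ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```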

Basic SSL profile configuration

All SSL configuration parameters are configured in the configuration level under the specific SSL
profile. An SSL profile is created using the ssl profile command at the General configuration level
as shown.

Virtual ADX(config)#ssl profile profile1

Virtual ADX(config-ssl-profile-profile1)#

Syntax: ssl profile profile-name

The profile-name variable is an ASCII string that specifies the name of the SSL profile being
defined.

At a minimum, the following parameters need to be configured for an SSL profile:

• The RSA key-pair for the SSL connection

• The cipher suite for the SSL connection

• The digital certificate for the SSL connection (specified or self-signed)

Specifying a keypair file

Each SSL profile must be associated with an RSA key-pair file that was previously defined using the
genrsa command. The following example uses the keypair-file command to associate the key pair
file named "rsakey" with the "profile1" SSL profile.

Virtual ADX(config)#ssl profile profile1

Virtual ADX(config-ssl-profile-profile1)#keypair-file rsakey
