Enabling close notify – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual

Page 144


132

Brocade Virtual ADX Security Guide

53-1003250-01

Chapter 6: Advanced SSL profile configuration

Virtual ADX(config)#ssl profile profile1

Virtual ADX(config-ssl-profile-profile1)#enable-ssl-v2

Syntax: [no] enable-ssl-v2

SSLv2 is disabled by default. Leave it that way: SSLv2 has long-known protocol weaknesses and RFC 6176 prohibits its use. Enable it only for a specific legacy client that cannot be upgraded, and remove the command again once that client is gone.

Enabling close notify

You can configure a Brocade Virtual ADX to send a close_notify alert before closing an SSL session, as shown
in the following.

Virtual ADX(config)#ssl profile profile1

Virtual ADX(config-ssl-profile-profile1)#enable-close-notify

Syntax: [no] enable-close-notify

When this command is configured, the Brocade Virtual ADX sends a close_notify alert before closing an SSL
session. By default, a Brocade Virtual ADX does not send a close_notify alert before closing an SSL
session. The alert is what lets the client distinguish an orderly end of the session from a connection that
was cut short, whether by a fault or by an attacker injecting a TCP FIN; a client that never receives it
cannot be sure it has received the complete response. Enable it unless a specific client is known to
mishandle the alert.
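The following is an added example, not code from the Brocade guide, that shows what the close_notify alert looks like on the wire and how to tell an orderly shutdown from a truncated one in the server-to-client record stream of a TLS 1.0 to 1.2 session. The sample records are constructed in the block, not captured from a Virtual ADX. In a live TLS 1.2 capture only the record header (content type 21) is readable and the alert body is encrypted; the classifier reports that case as an alert whose body cannot be decoded.

```python
import struct

# TLS record-layer content types (RFC 5246 section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Alert descriptions relevant here (RFC 5246 section 7.2, RFC 5746 section 4)
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 100: "no_renegotiation"}


def iter_records(stream: bytes):
    """Split a server-to-client byte stream into (content_type, version, payload) records.
    Stops at a partial trailing record, which is itself a sign of an abrupt close."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        payload = stream[off + 5:off + 5 + length]
        if len(payload) < length:
            break  # record cut short by the TCP close
        yield ctype, version, payload
        off += 5 + length


def describe_alert(payload: bytes) -> str:
    """Decode an alert body when it is readable (plaintext, or a capture decrypted with session keys).
    An encrypted TLS 1.2 alert shows only the record type; its body is ciphertext plus a MAC/tag."""
    if len(payload) != 2:
        return "encrypted alert (body not readable without session keys)"
    level = {1: "warning", 2: "fatal"}.get(payload[0], f"level {payload[0]}")
    desc = ALERT_DESCRIPTIONS.get(payload[1], f"description {payload[1]}")
    return f"{level} {desc}"


def classify_shutdown(stream: bytes) -> dict:
    """Report how the server side of a TLS 1.0-1.2 session ended.
    clean_close is True only when the last complete record is an alert and, where the
    body is readable, that alert is warning close_notify. Application data followed
    directly by EOF means the client cannot tell a finished response from a truncated one."""
    records = list(iter_records(stream))
    consumed = sum(5 + len(p) for _, _, p in records)
    summary = [CONTENT_TYPES.get(ct, f"type {ct}") for ct, _, _ in records]
    if not records:
        return {"records": summary, "clean_close": False, "reason": "no complete records"}
    if consumed != len(stream):
        return {"records": summary, "clean_close": False, "reason": "stream ends inside a record"}
    last_type, _, last_payload = records[-1]
    if last_type != 21:
        return {"records": summary, "clean_close": False,
                "reason": "EOF without close_notify alert (possible truncation)"}
    readable = len(last_payload) == 2
    clean = (last_payload == b"\x01\x00") if readable else True  # encrypted: assume close_notify
    return {"records": summary, "clean_close": clean, "reason": describe_alert(last_payload)}


# Constructed samples (not captures from a real device): one application-data record
# carrying the start of an HTTP response, followed by different endings.
APP_DATA = b"\x17\x03\x03" + struct.pack("!H", 17) + b"HTTP/1.1 200 OK\r\n"
CLOSE_NOTIFY = b"\x15\x03\x03\x00\x02\x01\x00"       # alert, warning(1), close_notify(0)
CLEAN_STREAM = APP_DATA + CLOSE_NOTIFY                # orderly shutdown
TRUNCATED_STREAM = APP_DATA                           # TCP closed right after the data
CUT_MID_RECORD_STREAM = APP_DATA + CLOSE_NOTIFY[:4]   # alert record itself cut short

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_STREAM), ("truncated", TRUNCATED_STREAM),
                         ("cut mid-record", CUT_MID_RECORD_STREAM)]:
        print(name, classify_shutdown(sample))
```

Run it against the server-direction bytes of a single connection (for example, the TCP payload a packet capture tool shows for the server side). The check relies on the content type being visible in the record header, which holds for TLS 1.0 through 1.2; in TLS 1.3 the outer type is always application_data and the real type is inside the encryption, so this approach does not apply there.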

Enabling a Brocade Virtual ADX SSL to respond with renegotiation headers

Some SSL application clients use renegotiation, a mechanism within the SSL/TLS protocols, to change cipher
specifications and redo the handshake on an existing connection. Renegotiation that is not protected by the
secure renegotiation extension of RFC 5746 is susceptible to a man-in-the-middle attack in which the attacker
splices its own session in front of the client's. The Brocade Virtual ADX does not support renegotiation at
all, so it is not susceptible to these attacks.

A problem occurs, however, with Web browsers and other clients built on OpenSSL (and on other stacks that
implement RFC 5746). They signal support for secure renegotiation in the ClientHello, by sending the
renegotiation_info extension or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (the "renegotiation
headers" in this chapter's terminology), and expect the server to answer with an empty renegotiation_info
extension in its ServerHello. If a Brocade Virtual ADX does not answer with that extension, these clients
treat the Brocade Virtual ADX as an unpatched server and report it as vulnerable to renegotiation attacks.
Newer OpenSSL releases (3.0 and later) go further and refuse to connect to such a server unless the
application explicitly sets SSL_OP_LEGACY_SERVER_CONNECT.

With release 12.4.00, an option was added to configure a Brocade Virtual ADX to include the renegotiation_info
extension in its ServerHello. This tells clients that the Brocade Virtual ADX handles the secure renegotiation
signaling correctly and stops the false reports that the Brocade Virtual ADX is vulnerable to renegotiation
attacks.

Configuring this command, as shown in the following, does not enable renegotiation on the Brocade
Virtual ADX; it only prevents the false reporting.

Virtual ADX#server ssl respond-with-renegotiation-info

Syntax: [no] server ssl respond-with-renegotiation-info

NOTE

The Brocade Virtual ADX still does not support renegotiation. If a client attempts to renegotiate, the
Brocade Virtual ADX immediately refuses the attempt with a no_renegotiation alert (a TLS alert, not a
handshake message) and terminates the handshake. However, because the Brocade Virtual ADX now advertises the
secure renegotiation extension, OpenSSL clients that previously had no problem with the Brocade Virtual ADX
NOT supporting renegotiation might now be misled into believing that the Brocade Virtual ADX has started
supporting it. If this occurs, you may need to turn off this feature using the no option.
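The "renegotiation headers" this section refers to are the two signals defined in RFC 5746: the renegotiation_info extension (type 0xff01) or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (0x00ff) that a client puts in its ClientHello, and the empty renegotiation_info extension a conforming server returns in its ServerHello. The following added example, which is not code from the Brocade guide or from OpenSSL, parses both Hello messages to show exactly what a client sends and what the Virtual ADX must answer with once server ssl respond-with-renegotiation-info is configured. The Hello messages are constructed by builder functions in the block, not captured from a device, so the parsers run stand-alone.

```python
import struct

RENEGOTIATION_INFO = 0xFF01               # extension type, RFC 5746 section 3.2
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF    # signaling cipher suite value, RFC 5746 section 3.3


def _parse_extensions(buf: bytes, off: int) -> dict:
    """Parse a TLS extensions block that starts at its two-byte length prefix."""
    exts = {}
    if off >= len(buf):          # extensions are optional in both Hello messages
        return exts
    total = struct.unpack_from("!H", buf, off)[0]
    off += 2
    end = off + total
    if end != len(buf):
        raise ValueError("extensions length does not match message length")
    while off + 4 <= end:
        etype, elen = struct.unpack_from("!HH", buf, off)
        off += 4
        exts[etype] = buf[off:off + elen]
        off += elen
    if off != end:
        raise ValueError("truncated extension")
    return exts


def _hello_body(record: bytes, expected_type: int) -> bytes:
    """Unwrap the record header and handshake header, returning the Hello body."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != expected_type:
        raise ValueError("unexpected or truncated handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if len(msg) != hs_len:
        raise ValueError("truncated handshake message")
    return msg


def parse_server_hello(record: bytes) -> dict:
    msg = _hello_body(record, 0x02)
    off = 2 + 32                                   # version + random
    off += 1 + msg[off]                            # session id
    cipher_suite = struct.unpack_from("!H", msg, off)[0]
    off += 2 + 1                                   # cipher suite + compression method
    return {"cipher_suite": cipher_suite, "extensions": _parse_extensions(msg, off)}


def parse_client_hello(record: bytes) -> dict:
    msg = _hello_body(record, 0x01)
    off = 2 + 32
    off += 1 + msg[off]                            # session id
    cs_len = struct.unpack_from("!H", msg, off)[0]
    off += 2
    suites = [struct.unpack_from("!H", msg, off + i)[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + msg[off]                            # compression methods
    return {"cipher_suites": suites, "extensions": _parse_extensions(msg, off)}


def client_signals_secure_renegotiation(record: bytes) -> bool:
    """True if the ClientHello carries either RFC 5746 signal."""
    hello = parse_client_hello(record)
    return (EMPTY_RENEGOTIATION_INFO_SCSV in hello["cipher_suites"]
            or RENEGOTIATION_INFO in hello["extensions"])


def server_signals_secure_renegotiation(record: bytes) -> bool:
    """True if the ServerHello carries renegotiation_info in its initial-handshake form:
    a single zero length byte (empty renegotiated_connection). A server that never
    renegotiates, like the Virtual ADX, only ever sends this form."""
    data = parse_server_hello(record)["extensions"].get(RENEGOTIATION_INFO)
    return data == b"\x00"


# Builders for constructed sample messages (TLS 1.2, all-zero random, empty session id).
def _wrap(hs_type: int, body: bytes) -> bytes:
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def _ext_block(extensions) -> bytes:
    if extensions is None:
        return b""
    raw = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions.items())
    return struct.pack("!H", len(raw)) + raw


def build_client_hello(cipher_suites, extensions=None) -> bytes:
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00" + _ext_block(extensions))
    return _wrap(0x01, body)


def build_server_hello(extensions=None, cipher_suite=0x002F) -> bytes:
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite)
            + b"\x00" + _ext_block(extensions))
    return _wrap(0x02, body)


if __name__ == "__main__":
    print("client signals:", client_signals_secure_renegotiation(
        build_client_hello([0x002F, EMPTY_RENEGOTIATION_INFO_SCSV])))
    print("server without option:", server_signals_secure_renegotiation(build_server_hello()))
    print("server with option:", server_signals_secure_renegotiation(
        build_server_hello({RENEGOTIATION_INFO: b"\x00"})))
```

To check a live device, capture the ServerHello record with a packet capture tool and pass its bytes to server_signals_secure_renegotiation(): with the option configured the result should be True, without it False, and that difference is exactly what the OpenSSL-based clients react to.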
