Mitigating Poodle on the Brocade ADX
In order to mitigate the Poodle vulnerability on the Brocade ADX, SSLv3 must be disabled. However, this can only be achieved with code release 12.4s, which disables SSLv3 completely. All code versions prior to this have no method or option to disable the SSLv3 protocol.
On the ADX there are two types of SSL healthcheck:
- Simple - An SSL client hello is sent. If the server responds, the healthcheck passes.
- Complete - A full SSL connection is established and a GET/HEAD is sent. If the expected response is received, the healthcheck passes.
The table below shows the protocol version each healthcheck type uses on the different code versions:

| Healthcheck | Code version | Protocol used |
|---|---|---|
| Simple | 12.4.00r and below | SSLv3 |
| Simple | 12.5.01e and below | SSLv3 |
| Complete | 12.4.00r and below | TLS1.0 |
| Complete | 12.5.01e and below | TLS1.0 |
Should you want to enable SSLv3 for your Simple healthchecks, the following command is available:
server sslv3-in-simple-ssl-hc
NOTE: 12.4s and all versions below only support TLS 1.0.
If both the client and server have only SSLv3 enabled, then after upgrading to 12.4s the SSL connection will not establish; as mentioned, this is because the ADX no longer allows the use of the SSLv3 protocol. Should you need to troubleshoot this or any other SSL issue, the following commands can be used within rconsole virtual:
show ssl statistics alert
show ssl statistics counters
show cp stat
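After the upgrade you will usually want to confirm from the outside that a VIP really refuses SSLv3 while still accepting TLS 1.0 (the only TLS version 12.4s supports). The script below is an added example, not Brocade code or output from the ADX: it sends a minimal ClientHello pinned to one protocol version and classifies the first record that comes back (ServerHello with the negotiated version, or an alert, which is what a server that has the version disabled normally returns). The host name, port and the sample server responses are constructed for illustration and are not taken from a real ADX capture.

```python
import socket
import struct

# Record-layer version codes and the names used in this document.
VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLS1.0",
    (3, 2): "TLS1.1",
    (3, 3): "TLS1.2",
}

CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_SERVER_HELLO = 0x02


def build_client_hello(version=(3, 0)):
    """Build a minimal ClientHello that offers exactly one protocol version.

    Only three common RSA suites are offered; the goal is to learn whether the
    peer will negotiate the offered version, not to pick a strong suite.
    """
    major, minor = version
    client_random = b"\x00" * 32           # constructed; a real client uses os.urandom(32)
    session_id = b"\x00"                   # zero-length session id
    cipher_suites = bytes([
        0x00, 0x2f,  # TLS_RSA_WITH_AES_128_CBC_SHA
        0x00, 0x35,  # TLS_RSA_WITH_AES_256_CBC_SHA
        0x00, 0x0a,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    ])
    compression = b"\x01\x00"              # one method: null
    body = (
        bytes([major, minor]) + client_random + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + compression
    )
    # Handshake header: type ClientHello (1) + 24-bit body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type, version, 16-bit length.
    return bytes([CONTENT_HANDSHAKE, major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record a server sent back.

    Returns the negotiated version name for a ServerHello, "alert" if the
    server answered with an alert record (the usual reply when the offered
    version is disabled), or None if the bytes are not a recognisable record.
    """
    if len(data) < 5:
        return None
    content_type = data[0]
    record_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + record_len]
    if content_type == CONTENT_ALERT:
        return "alert"
    if content_type != CONTENT_HANDSHAKE or len(payload) < 6:
        return None
    if payload[0] != HANDSHAKE_SERVER_HELLO:
        return None
    # ServerHello body: type(1) length(3) version(2) random(32) ...
    version = (payload[4], payload[5])
    return VERSIONS.get(version, "unknown %d.%d" % version)


def probe(host, port=443, version=(3, 0), timeout=5.0):
    """Offer one protocol version to host:port and classify the reply.

    Returns None if the server closes the connection or stays silent.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return None
    return parse_server_response(data)


# Constructed sample replies for offline checks (not captured from an ADX).
SAMPLE_SSLV3_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a"   # handshake record, version 3.0, length 42
    + b"\x02\x00\x00\x26"     # ServerHello, body length 38
    + b"\x03\x00"             # negotiated SSLv3
    + b"\x00" * 32            # server random
    + b"\x00"                 # empty session id
    + b"\x00\x2f"             # chosen cipher suite
    + b"\x00"                 # null compression
)
SAMPLE_TLS10_SERVER_HELLO = SAMPLE_SSLV3_SERVER_HELLO.replace(b"\x03\x00", b"\x03\x01")
SAMPLE_HANDSHAKE_FAILURE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"  # fatal handshake_failure


if __name__ == "__main__":
    # Usage against a real VIP (hostname is a placeholder):
    #   for v in ((3, 0), (3, 1)):
    #       print(VERSIONS[v], probe("vip.example.invalid", 443, v))
    print("SSLv3 sample  ->", parse_server_response(SAMPLE_SSLV3_SERVER_HELLO))
    print("TLS1.0 sample ->", parse_server_response(SAMPLE_TLS10_SERVER_HELLO))
    print("alert sample  ->", parse_server_response(SAMPLE_HANDSHAKE_FAILURE_ALERT))
```

Run probe() with (3, 0) and then (3, 1) against each VIP: a mitigated 12.4s ADX should answer the SSLv3 offer with an alert or a closed connection and the TLS 1.0 offer with a ServerHello reporting TLS1.0. If the SSLv3 probe still returns "SSLv3", the upgrade has not taken effect on that VIP and the ADX-side counters from the show commands above are the next place to look.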
Later code versions add the following features:
- 12.4u - Ability to enable/disable SSLv2/SSLv3 within the SSL Profile.
- 12.4v - Fixes CVE-2014-8730 (Poodle) for Web Management connections.