Mitigating Poodle on the Brocade ADX

In order to mitigate the Poodle vulnerability on the Brocade ADX, SSLv3 must be disabled. However, this can only be achieved via code release 12.4s, which disables SSLv3 completely. Code versions prior to this have no method or option to disable the SSLv3 protocol.

HealthChecks

On the ADX there are 2 types of SSL healthcheck:

  • Simple – A SSL client hello is sent. If the server responds then the healthcheck passes.
  • Complete – A full SSL connection is created and a GET/HEAD is sent. If the necessary response is received the healthcheck passes.

The table below shows the protocol version used by each healthcheck type, by code release:

HC Type    Code               Version
Simple     12.4.00r + below   SSLv3
Simple     12.5.01e + below   SSLv3
Complete   12.4.00r + below   TLS1.0
Complete   12.5.01e + below   TLS1.0

Should you want to enable SSLv3 for your Simple healthchecks, the command server sslv3-in-simple-ssl-hc is available.

NOTE: 12.4s and all versions below only support TLS 1.0.

Troubleshooting

If both the client and server have only SSLv3 enabled, then after upgrading to 12.4s the SSL connection will not establish; as mentioned, this is because the ADX does not allow the use of the SSLv3 protocol. Should you need to troubleshoot this or other SSL issues, the following commands can be used within rconsole virtual.

show ssl statistics alert
show ssl statistics counters
show cp stat
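The following Python script is an added example, not part of the original article or any Brocade tooling. It sends the same kind of bare ClientHello that a Simple healthcheck relies on, at SSLv3 and at TLS 1.0, so that servers you administer which only speak SSLv3 can be identified before the upgrade to 12.4s. The function names, result labels and cipher list are assumptions of this example.

```python
import os
import socket
import struct
import sys

# Added example; function names and result labels are this example's own.
# Protocol versions as they appear on the wire (major, minor).
VERSIONS = {"SSLv3": (3, 0), "TLS1.0": (3, 1)}
# RSA key-exchange suites commonly offered under both SSLv3 and TLS 1.0.
CIPHERS = (0x002F, 0x0035, 0x000A, 0x0005)

def build_client_hello(version):
    """Return one handshake record holding a minimal ClientHello (no extensions)."""
    ver = bytes(VERSIONS[version])
    suites = b"".join(struct.pack("!H", c) for c in CIPHERS)
    body = (ver + os.urandom(32)             # client_version, random
            + b"\x00"                         # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                    # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + ver + struct.pack("!H", len(handshake)) + handshake

def classify_response(data, version):
    """Interpret the first record of the reply the way a Simple check would."""
    if len(data) < 6:
        return "no-response"
    rec_type, rec_ver = data[0], tuple(data[1:3])
    if rec_type == 0x15:                      # alert record: handshake refused
        return "rejected"
    if rec_type == 0x16 and data[5] == 0x02:  # handshake record, ServerHello
        return "accepted" if rec_ver == VERSIONS[version] else "other-version"
    return "unexpected"

def probe(host, port, version, timeout=5.0):
    """Send the ClientHello to host:port and classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello(version))
            return classify_response(s.recv(4096), version)
    except OSError:                           # refused, reset or timed out
        return "no-response"

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py HOST PORT")
    for v in VERSIONS:
        print(v, probe(sys.argv[1], int(sys.argv[2]), v))
```

A server that returns "accepted" for SSLv3 but not for TLS1.0 is one that will stop connecting through the ADX after the upgrade to 12.4s.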

Appendix

The following versions provide the following features.

  • 12.4u – Ability to disable/enable ssl2/ssl3 within the SSL Profile.
  • 12.4v – Fixes CVE-2014-8730 (Poodle) for Web Management connections.

Rick Donato
