
Mitigating Poodle on the Brocade ADX

In order to mitigate the Poodle vulnerability on the Brocade ADX, SSLv3 must be disabled. However, this can only be achieved via code release 12.4s, which disables SSLv3 completely. All code versions prior to this have no method or option to disable the SSLv3 protocol.

HealthChecks

On the ADX there are 2 types of SSL healthcheck. They are:

  • Simple - An SSL client hello is sent. If the server responds then the healthcheck passes.
  • Complete - A full SSL connection is created and a GET/HEAD is sent. If the necessary response is received, the healthcheck passes.

Below shows the protocol version used for the different healthchecks, by code version:

HC Type    Code Version          Protocol
Simple     12.4.00r and below    SSLv3
Simple     12.5.01e and below    SSLv3
Complete   12.4.00r and below    TLS1.0
Complete   12.5.01e and below    TLS1.0

Should you want to enable SSLv3 for your Simple healthchecks, the following command is available:

server sslv3-in-simple-ssl-hc

NOTE: 12.4s and all versions below only support TLS 1.0.

Troubleshooting

If both the client and server have only SSLv3 enabled, then after upgrading to 12.4s the SSL connection will not establish; as mentioned, this is because the ADX no longer allows the use of the SSLv3 protocol. Should you need to troubleshoot this or other SSL issues, the following commands can be used within rconsole virtual.

show ssl statistics alert
show ssl statistics counters
show cp stat
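The quickest way to confirm that the 12.4s upgrade actually did what the article says (the VIP no longer negotiates SSLv3) is to do what the ADX "Simple" healthcheck does: send a ClientHello and look at the first record that comes back. The script below is an added example and is not Brocade code or a tool from the original article. It builds a minimal SSLv3 (or TLS 1.0) ClientHello by hand, because most current OpenSSL builds refuse to speak SSLv3 at all, and classifies the reply as a ServerHello (protocol still accepted) or an Alert (protocol refused). The hostname, port, and the small list of cipher suites offered are assumptions; the `complete_check` function mirrors the "Complete" healthcheck with a normal TLS handshake plus a HEAD request.

```python
"""Check whether an SSL endpoint still accepts SSLv3 after a mitigation.

Added example (not part of the original article or the Brocade ADX):
mimics the ADX "Simple" healthcheck by sending a raw ClientHello and
inspecting the first response record.
"""
import os
import socket
import ssl
import struct

SSLV3 = (3, 0)   # record/handshake version bytes for SSLv3
TLS10 = (3, 1)   # record/handshake version bytes for TLS 1.0

# A handful of suites an SSLv3-era server would recognise (assumed set).
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_client_hello(version=SSLV3):
    """Return a complete TLS record carrying a ClientHello for `version`."""
    major, minor = version
    client_random = struct.pack("!I", 0) + os.urandom(28)   # gmt_unix_time + 28 bytes
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        bytes([major, minor]) + client_random
        + b"\x00"                                   # session_id length = 0
        + struct.pack("!H", len(suites)) + suites   # cipher_suites vector
        + b"\x01\x00"                               # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return bytes([0x16, major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record: 'server_hello', 'alert' or 'unknown'."""
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    if content_type == 0x16 and len(data) >= 6 and data[5] == 0x02:   # handshake / ServerHello
        return "server_hello"
    if content_type == 0x15:                                           # alert record
        return "alert"
    return "unknown"


def negotiated_version(data):
    """Version the server chose, taken from the ServerHello body (None if no ServerHello)."""
    # 5-byte record header + 4-byte handshake header, then server_version.
    if classify_response(data) != "server_hello" or len(data) < 11:
        return None
    return (data[9], data[10])


def verdict(kind, version):
    """Turn the classification into the one-line answer an operator wants."""
    if kind == "server_hello" and version == SSLV3:
        return "SSLv3 still accepted"
    if kind == "server_hello":
        return "server answered with %d.%d instead of SSLv3" % version
    if kind == "alert":
        return "SSLv3 refused (alert)"
    return "no usable answer"


def simple_check(host, port=443, version=SSLV3, timeout=5.0):
    """ADX-style 'Simple' healthcheck: send ClientHello, read first record."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    kind = classify_response(data)
    return verdict(kind, negotiated_version(data))


def complete_check(host, port=443, timeout=5.0):
    """ADX-style 'Complete' healthcheck: full TLS handshake plus a HEAD request."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            status_line = tls.recv(1024).split(b"\r\n", 1)[0]
    return status_line.decode(errors="replace")


if __name__ == "__main__":
    vip = "vip.example.test"   # assumed hostname of the ADX virtual server
    print("simple  :", simple_check(vip))
    print("complete:", complete_check(vip))
```

Run it against the VIP before and after the upgrade: on a pre-12.4s ADX the SSLv3 probe returns "SSLv3 still accepted", while after the upgrade the reply should be an alert (or a closed socket), matching the behaviour the article describes for SSLv3-only clients.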

Appendix

The following code versions introduce these SSL-related features:

  • 12.4u - Ability to disable/enable ssl2/ssl3 within the SSL Profile.
  • 12.4v - Fixes CVE-2014-8730 (Poodle) for Web Management connections.


Tags: Brocade, ADX, SSL, Poodle, TLS

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001