10-19-2014 04:33 PM
We are also affected
As mentioned by a number of experts, SSLv3 should be disabled and TLS 1.0, 1.1 and 1.2 should be used instead.
It does have an impact on end users, in that XP IE6 does not support this; users who browse to sites with TLS will be unable to connect to the server, and the browser will say "unable to connect".
I have been informed by our provider that the ADX series currently has no way to disable SSLv3, so I am hoping there will be a firmware update ASAP.
10-20-2014 01:46 AM
For ADX I think there are two ways this can have an impact: one is the management of the box and the other is the SSL acceleration.
I assume that the topic starter is interested in the SSL acceleration.
The best way to receive updates is through your Brocade SE or Brocade Partner.
10-29-2014 02:12 AM - edited 10-29-2014 02:14 AM
Code version 12.4.00s was released on October 23rd, and according to the release notes this release was made specifically for the POODLE issues.
I've tested this code and it disables SSLv3 for SSL termination and SSL proxy.
For HTTPS web management, the release notes advise disabling that for now as a workaround.
And for health checks, if complete health checks fail, use l4-check-only. This is also a workaround.
12-11-2014 02:55 PM
I have disabled SSLv3 on my Tomcat servers, but my ADX 1000 sees their SSL port as "Failed". I am using the complete SSL health check. I have verified that the SSL port is up and responding properly. Can I get confirmation from someone at Brocade that the only way to get the port to appear as healthy is to use the simple SSL health check?
12-12-2014 02:58 PM
Simple SSL health checks will not help you in this case. ServerIron ADX sends a TLS hello encapsulated in an SSLv2 Hello (for backward compatibility); by default, handling for this kind of Hello is disabled in new Java-based applications. In order for health checks to work, you can enable handling of SSLv2Hello on your servers.
Also, if you wish to upgrade, there should be a new patch for the firmware version that you are running with this behavior modified on the ADX side (i.e. the ADX not sending the SSLv2-encapsulated Hello message).
This link provides more information on how to enable SSLv2Hello while disabling SSLv3 for the POODLE attack.
Disabling SSL v3 on either the client side or the server side will mitigate this vulnerability. To disable SSL v3, and enable all TLS protocols plus the SSLv2Hello pseudo-protocol on JSSE connectors, add the following attributes to your connector configuration in server.xml: sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello" The same thing could be done on an APR connector using the following attributes: TODO
Hope that helps.
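To see why a complete SSL health check fails against a Java server that has only TLS enabled, here is an added example (not from this thread, Brocade or Tomcat) that parses an SSLv2-framed hello beside a record-layer ClientHello and models the accept/reject rule the post above describes. The hello bytes are constructed, and server_accepts is a simplified model of the JSSE behaviour, not JSSE's own logic.

```python
import struct

# Constructed sample hellos (not real captures): an SSLv2-compatible CLIENT-HELLO advertising TLS 1.0, and a record-layer ClientHello advertising TLS 1.2.
SSLV2_COMPAT_HELLO = (b"\x80\x1f"                      # 2-byte header, high bit set, length 31
                      b"\x01\x03\x01"                  # msg_type 1, version 3.1 (TLS 1.0)
                      + struct.pack(">HHH", 6, 0, 16)  # cipher-spec, session-id, challenge lengths
                      + b"\x00\x00\x2f\x00\x00\x35"    # v2-framed TLS suites 0x002f, 0x0035
                      + b"\x00" * 16)                  # challenge
_HS_BODY = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
_HS = b"\x01" + len(_HS_BODY).to_bytes(3, "big") + _HS_BODY
TLS_RECORD_HELLO = b"\x16\x03\x01" + struct.pack(">H", len(_HS)) + _HS

VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def parse_client_hello(data: bytes) -> dict:
    """Identify the hello framing and the highest protocol version it advertises."""
    if len(data) > 11 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 framing: 2-byte length with the high bit set, msg_type 1, then version
        length = ((data[0] & 0x7F) << 8) | data[1]
        major, minor, cs_len, sid_len, chal_len = struct.unpack(">BBHHH", data[3:11])
        body = data[11:]
        if len(data) != length + 2 or len(body) != cs_len + sid_len + chal_len or cs_len % 3:
            raise ValueError("malformed SSLv2-compatible hello")
        specs = [body[i:i + 3] for i in range(0, cs_len, 3)]  # v2 cipher specs are 3 bytes
        return {"format": "sslv2-compat", "version": (major, minor),
                "tls_suites": [s[1:].hex() for s in specs if s[0] == 0]}
    if len(data) > 9 and data[0] == 0x16:
        # SSLv3/TLS record layer: type, record version, length, then the handshake message
        rec_len = struct.unpack(">H", data[3:5])[0]
        hs = data[5:]
        if len(hs) != rec_len or hs[0] != 0x01 or int.from_bytes(hs[1:4], "big") != rec_len - 4:
            raise ValueError("not a well-formed ClientHello record")
        return {"format": "tls-record", "version": (hs[4], hs[5])}
    raise ValueError("unrecognised hello")

def server_accepts(hello: dict, enabled_protocols: set) -> bool:
    """Simplified model (an assumption, not JSSE code): SSLv2 framing is only parsed when
    SSLv2Hello is enabled, and an enabled protocol at or below the advertised version is needed."""
    if hello["format"] == "sslv2-compat" and "SSLv2Hello" not in enabled_protocols:
        return False
    return any(name in enabled_protocols and ver <= hello["version"]
               for ver, name in VERSION_NAMES.items())

if __name__ == "__main__":
    tomcat_default = {"TLSv1.2", "TLSv1.1", "TLSv1"}  # SSLv3 off, SSLv2Hello not enabled
    for raw in (SSLV2_COMPAT_HELLO, TLS_RECORD_HELLO):
        h = parse_client_hello(raw)
        print(h["format"], VERSION_NAMES[h["version"]], "default:", server_accepts(h, tomcat_default),
              "with SSLv2Hello:", server_accepts(h, tomcat_default | {"SSLv2Hello"}))
```

The SSLv2-framed hello advertises TLS 1.0 and only TLS suites, yet is rejected until SSLv2Hello is added to the enabled set, which is exactly the health-check failure the post explains.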
06-19-2015 09:12 AM
For SSL offloading on the ADX 1008 series (12400), will there be options for us to select which specific TLS version to disable? (Instead of just disabling TLS1, we can choose to only disable TLS v1.0 and leave TLS v1.1 and v1.2 running.)