vADC Blog

Configuring SSL/TLS protocols with Brocade Virtual Traffic Manager

by PaulWallace on ‎03-30-2016 03:05 AM (3,924 Views)

Secure Sockets Layer (SSL) and the more recent Transport Layer Security (TLS) protocols are the cornerstones of Internet security, providing a standard for authenticated transactions using secure key exchange and encryption. With support for TLS 1.2, Brocade vTM provides a wider range of protocol support, including the use of stronger ciphers for authentication, allowing clients to specify which hash and signature algorithms they will accept. Brocade vTM also permits full control over the selection of security settings per virtual server, per pool, or as a global setting, to suit a range of enterprise deployment options.
 
However, from time to time we update the list of protocols which are supported and enabled, to reflect recommendations from NIST and other agencies about which protocols are preferred for securing web applications. For example, in Brocade vTM 9.8, we changed the default settings so that SSL v2 and v3 needed to be explicitly enabled in order to be used, and in future versions, we will remove support for these older protocols completely.
 
NIST publish a very useful guide to selection of TLS implementations:
IETF have also publish guidelines on recommendations for use of TLS:
SSL v2 deprecated from vTM 10.4
From the latest version, Brocade Virtual Traffic Manager 10.4, SSL v2 will be available to applications, but will be deprecated: future releases of vTM will not include SSL v2 as an option. SSL v2 will be supported within the 10.4 LTS (Long Term Support) program for customers that need to continue to use SSL v2.
 
SSL/TLS protocol configuration
Brocade vTM allows security settings to be configured per virtual server, per pool, or even with a single global setting, depending on how you need to configure your applications. As shown in the table below, SSL v2 and v3 are disabled by default, but each of the security protocols can be enabled to suit the security profile that you need. When a client creates a connection with your application, vTM negotiates the most secure protocol which is supported by both the client, and enabled in vTM on that connection.
 

 

Security
Protocol

Enabled by Default

Configurable

In vTM 10.4

SSL

v2

No

Yes, Deprecated

SSL

v3

No

Yes

TLS

1.0

Yes

Yes

TLS

1.1

Yes

Yes

TLS

1.2

Yes

Yes

 


TLS 1.2 advantages
At the time of writing (March 2016) TLS 1.2 is the recommended security protocol for web applications, and the TLS 1.3 specification is being finalised. TLS 1.2 includes a range of improvements over the previous version, including performance enhancements using the latest AES-GCM ciphers. Be sure to check with your own local security teams as to the recommended security protocols and ciphers for your applications.
 
For more information: 

Comments
by Nishant
on ‎08-06-2016 03:48 AM

I have the application that need to be load balance , currently the application using the certificate having algo RSASSA-PSS in the root and intermediate certificate.

 

As per the discussion with VTM support  currently VTM is not supporting the the algo RSASSA-PSS . Is there any way we can do the loadbalance ?