Brocade Communications Systems 12.4.00a User Manual

ServerIron ADX Security Guide
53-1002440-03
Basic SSL profile configuration
To enable the ServerIron ADX to send the entire certificate chain, configure the 
enable-certificate-chaining command within an SSL profile as described in 
Support for SSL renegotiation
Some SSL application clients use renegotiation as a way within SSL protocols to change cipher 
specifications and redo the handshake. It has been found, however, that insecure renegotiation is 
susceptible to man-in-the-middle attacks.
Although ServerIron ADX does not support renegotiation and is therefore not susceptible to these 
attacks, in some cases it does not handle renegotiation requests from the client properly. This 
causes some web browsers to report a security flaw with ServerIron ADX, which is a false alarm. 
With this feature enabled as shown, a ServerIron ADX responds to renegotiation requests, which 
stops the browser from raising false alarms.
ServerIronADX(config)# server respond-with-renegotiation-info
Syntax: {no} ssl server respond-with-renegotiation-info  
With this command enabled, a ServerIron ADX looks for renegotiation-related headers in SSL 
packets and responds accordingly.
Where this command is not enabled, a ServerIron ADX ignores all renegotiation-related headers.
NOTE
While a ServerIron ADX with this command enabled will respond to renegotiation requests,  
ServerIron ADX does not currently support renegotiation.
Basic SSL profile configuration
All SSL configuration parameters are configured in the configuration level under the specific SSL 
profile. An SSL profile is created using the ssl profile command at the General configuration level 
as shown.
ServerIronADX(config)# ssl profile profile1
ServerIronADX(config-ssl-profile-profile1)#
Syntax: ssl profile <profile-name>
The <profile-name> variable is an ASCII string that specifies the name of the SSL profile being 
defined. 
At a minimum, the following parameters need to be configured for an SSL profile:
• The RSA key-pair for the SSL connection
• The cipher suite for the SSL connection
• The digital certificate for the SSL connection (specified or self-signed)