Brocade Communications Systems 12.4.00a User Manual

172
ServerIron ADX Security Guide
53-1002440-03
Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
6
Enabling a ServerIron ADX SSL to respond with renegotiation headers
Some SSL application clients use renegotiation, a mechanism within the SSL protocols, to change cipher
specifications and redo the handshake. It has been reported that insecure renegotiation is
susceptible to man-in-the-middle attacks. ServerIron ADX does not support renegotiation, which
means that ServerIron ADX is not susceptible to these attacks.
A problem occurs, however, because some Web browsers built on OpenSSL send renegotiation-related
headers and expect a response. If a ServerIron ADX does not respond with the appropriate renegotiation
header, these Web browsers misinterpret the ServerIron ADX as being vulnerable to
renegotiation attacks.
With release 12.4.00, an option has been added to configure a ServerIron ADX to respond with
renegotiation headers. These headers tell the browsers that the ServerIron ADX handles the renegotiation
message correctly and stop them from falsely reporting that the ServerIron ADX is
vulnerable to renegotiation attacks.
Configuring this command as shown in the following does not enable renegotiation on the
ServerIron ADX; it only prevents the false reporting described above.
ServerIronADX# server ssl respond-with-renegotiation-info
Syntax: [no] server ssl respond-with-renegotiation-info 
NOTE
The ServerIron ADX still does not support renegotiation. If the client attempts to renegotiate, the
ServerIron ADX immediately terminates the handshake with the "NO_Renegotiation" handshake
message. However, because the ServerIron ADX now responds to the renegotiation headers,
OpenSSL clients that previously had no problem with the ServerIron ADX NOT supporting renegotiation
might now be misled into believing that the ServerIron ADX has started supporting renegotiation. If this
occurs, you may need to turn off this feature using the no form of the command.
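As an added example that is not part of the Brocade guide, the following parser shows the check an RFC 5746 client effectively performs on a ServerHello: it looks for the renegotiation_info extension (type 0xff01), which is this editor's reading of what the guide calls "renegotiation headers", and it recognises the no_renegotiation alert (description 100) that corresponds to the "NO_Renegotiation" message described in the NOTE. All records are constructed inline as sample data, not captures from a ServerIron ADX.

```python
import struct

RENEGOTIATION_INFO = 0xFF01   # RFC 5746 extension type renegotiation_info
NO_RENEGOTIATION = 100        # TLS alert description no_renegotiation

def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ServerHello; return cipher suite and extensions."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # skip server_version and random
    pos += 1 + body[pos]                          # skip session_id (length-prefixed)
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                      # cipher_suite + compression_method
    exts = {}
    if pos + 2 <= len(body):                      # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return {"cipher_suite": cipher, "extensions": exts}

def secure_renegotiation_advertised(record: bytes) -> bool:
    """True when the ServerHello carries renegotiation_info; RFC 5746 clients treat
    its absence as 'peer may be vulnerable to insecure renegotiation'."""
    return RENEGOTIATION_INFO in parse_server_hello(record)["extensions"]

def is_no_renegotiation_alert(record: bytes) -> bool:
    """True for an alert record (type 0x15) whose description is no_renegotiation."""
    return len(record) >= 7 and record[0] == 0x15 and record[6] == NO_RENEGOTIATION

def build_server_hello(extensions: bytes) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello (sample data for this example)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed samples. On an initial handshake renegotiation_info carries an empty
# renegotiated_connection, i.e. a single zero length byte.
WITH_RI = build_server_hello(struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00")
WITHOUT_RI = build_server_hello(b"")
# Alert record: type 0x15, version 3.3, length 2, level warning (1), description 100.
NO_RENEG_ALERT = b"\x15\x03\x03\x00\x02\x01\x64"
```

Against a live endpoint, the same parser can be fed the first record read back after sending a ClientHello, so a terminator configured with the command above shows renegotiation_info while any client-initiated renegotiation is still answered with the alert.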
Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
When configuring a ServerIron ADX for SSL Termination and Proxy mode, the Real and Virtual
Servers need to be configured to support these features. The following sections describe the
procedures and commands required. For a description of SSL Termination Mode, see
page 137. For a description of SSL Proxy Mode, see
page 138. For a detailed example of how to configure the examples shown in those sections, see
NOTE
SSL Termination and Proxy mode can be configured for setups where an IPv4 real server is bound
to an IPv4 virtual server or where an IPv6 real server is bound to an IPv6 virtual server. They are not
supported for setups that use IPv4 and IPv6 together in the same configuration.