Dell PowerConnect W-IAP Remote Release Notes - Page 13

IronWare Software Release 07.2.00a for Brocade FastIron switches, Release Notes v 1.0, Page 13 of 55

Page 13 highlights

Note regarding US-Cert advisory 120541

In order to address the SSL and TLS vulnerability issue discussed in US-Cert advisory 120541, the Web server re-negotiation feature has been disabled in this release so that SSL re-negotiation requests will not be honored by the Brocade IP device Web server.

Based on Cert advisory 120541, the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are vulnerable to Man-In-The-Middle (MITM) attacks. The vulnerability is in the way SSL and TLS protocols allow re-negotiation requests, which may allow a MITM to inject arbitrary requests into an application HTTP protocol stream. This could result in a situation where the MITM may be able to harm the Brocade IP device through the Web Management interface.

For more information regarding Cert advisory 120541, refer to the following links:

http://extendedsubset.com/?p=8
http://www.links.org/?p=780
http://www.links.org/?p=786
http://www.links.org/?p=789
http://blogs.iss.net/archive/sslmitmiscsrf.html
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
https://bugzilla.redhat.com/show_bug.cgi?id=533125
http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00014.html
http://cvs.openssl.org/chngview?cn=18790
http://www.links.org/files/no-renegotiation-2.patch
http://blog.zoller.lu/2009/11/new-sslv3-tls-vulnerability-mitm.html
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
