With the default SSL template, an AX or Thunder device configured for SSL offload on the 2.7.2-P3 patch code train may experience high data CPU utilization or SSL handshake failures under minimal SSL traffic load. In addition, SSL connections may fail intermittently if GCM ciphers are negotiated (Bug ID: 221545).
Affected hardware: AX or Thunder devices containing PX and/or Nitrox III SSL cards
Affected SLB code train: 2.7.2-P3, 2.7.2-P3-SP3
Any client negotiating a DHE cipher, or an ECDHE cipher with an ec-name that is not offloaded in hardware, causes high CPU usage because those handshakes are forced onto the data CPUs.
The Nitrox III SSL card only offers hardware support for two elliptic curves, ec-name secp256r1 and secp384r1, and they must be explicitly configured in the client SSL template to take advantage of hardware offload. Hardware offload for DHE ciphers on the Nitrox III card has not been implemented but will be available in future software releases. For server-side SSL, only handshakes for RSA ciphers are offloaded to hardware; DHE/ECDHE ciphers are processed by the data CPUs.
The software defect 221545, which affects both Nitrox III and PX cards and causes SSL handshake failures with GCM ciphers, will be addressed in 2.7.2-P4.
TH1030S#show hardware
Thunder Series Unified Application Service Gateway TH1030S
  Serial No : TH10A53313390024
  CPU : Intel(R) Xeon(R) CPU
        8 cores
        9 stepping
  Storage : Single 74G drive
  Memory : Total System Memory 8150 Mbyte, Free Memory 2873 Mbyte
  SMBIOS : Build Version: 4.6.5
           Release Date: 07/24/2013
  SSL Cards : 1 device(s) present
              1 Nitrox III
  GZIP : 0 compression device(s) present
  FPGA : 0 instance(s) present
  L2/3 ASIC : 0 device(s) present
  IPMI : Present
  Ports : 10
Configure only the ciphers supported by the PX or Nitrox III SSL card in the SSL templates. The following are recommended client and server SSL templates that avoid the issues caused by the lack of hardware support for some elliptic curve ciphers in current software releases. The first client-ssl template uses RSA ciphers only; the second adds ECDHE ciphers together with the two hardware-supported ec-names.
slb template client-ssl clientssl
  cert cert
  key key
  cipher TLS1_RSA_EXPORT1024_RC4_56_MD5
  cipher TLS1_RSA_EXPORT1024_RC4_56_SHA
  cipher SSL3_RSA_RC4_40_MD5
  cipher SSL3_RSA_RC4_128_MD5
  cipher SSL3_RSA_RC4_128_SHA
  cipher SSL3_RSA_DES_40_CBC_SHA
  cipher SSL3_RSA_DES_64_CBC_SHA
  cipher SSL3_RSA_DES_192_CBC3_SHA
  cipher TLS1_RSA_AES_128_SHA
  cipher TLS1_RSA_AES_256_SHA
  cipher TLS1_RSA_AES_128_SHA256
  cipher TLS1_RSA_AES_256_SHA256
slb template client-ssl clientssl
  cert cert
  key key
  ec-name secp256r1
  ec-name secp384r1
  cipher TLS1_RSA_EXPORT1024_RC4_56_MD5
  cipher TLS1_RSA_EXPORT1024_RC4_56_SHA
  cipher SSL3_RSA_RC4_40_MD5
  cipher SSL3_RSA_RC4_128_MD5
  cipher SSL3_RSA_RC4_128_SHA
  cipher SSL3_RSA_DES_40_CBC_SHA
  cipher SSL3_RSA_DES_64_CBC_SHA
  cipher SSL3_RSA_DES_192_CBC3_SHA
  cipher TLS1_RSA_AES_128_SHA
  cipher TLS1_RSA_AES_256_SHA
  cipher TLS1_ECDHE_RSA_AES_128_SHA
  cipher TLS1_ECDHE_RSA_AES_256_SHA
  cipher TLS1_ECDHE_ECDSA_AES_128_SHA
  cipher TLS1_ECDHE_ECDSA_AES_256_SHA
  cipher TLS1_RSA_AES_128_SHA256
  cipher TLS1_RSA_AES_256_SHA256
  cipher TLS1_ECDHE_RSA_AES_128_SHA256
  cipher TLS1_ECDHE_ECDSA_AES_128_SHA256
The following server-ssl template is recommended if end-to-end SSL offload is deployed on devices with a Nitrox III card. For devices with a PX card, the default template can be used.
slb template server-ssl serverssl
  cipher TLS1_RSA_EXPORT1024_RC4_56_MD5
  cipher TLS1_RSA_EXPORT1024_RC4_56_SHA
  cipher SSL3_RSA_RC4_40_MD5
  cipher SSL3_RSA_RC4_128_MD5
  cipher SSL3_RSA_RC4_128_SHA
  cipher SSL3_RSA_DES_40_CBC_SHA
  cipher SSL3_RSA_DES_64_CBC_SHA
  cipher SSL3_RSA_DES_192_CBC3_SHA
  cipher TLS1_RSA_AES_128_SHA
  cipher TLS1_RSA_AES_256_SHA
  cipher TLS1_RSA_AES_128_SHA256
  cipher TLS1_RSA_AES_256_SHA256
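The rules in this advisory (which card is installed, which ciphers and ec-names the card offloads, which ciphers trip defect 221545) can be checked mechanically against a saved configuration before a device is upgraded or put into production. The script below is an added example, not A10 code: it reads an abbreviated `show hardware` output and one `slb template` block and reports, for each cipher, whether its handshake lands on the SSL card, on the data CPUs, or in the GCM defect. The encoded rules come straight from the text above; the cipher names `TLS1_DHE_RSA_AES_128_SHA` and `TLS1_ECDHE_RSA_AES_128_GCM_SHA256` in the constructed sample are patterned on the page's naming and are assumptions, not names copied from an ACOS cipher list. The check concerns offload only, not cipher strength; several entries in the recommended lists (export-grade, RC4, 40- and 56-bit DES) are legacy ciphers that are offloadable but widely deprecated, and a deployment should evaluate them separately.

```python
"""Audit an ACOS SSL template against the offload rules in the 2.7.2-P3 advisory.

Added example, not A10 code. Rules encoded:
  * Nitrox III offloads ECDHE only for ec-name secp256r1 / secp384r1, and
    only when they are configured explicitly in the client-ssl template.
  * DHE handshakes are not offloaded (lands on data CPUs).
  * Server-side SSL offloads RSA handshakes only.
  * GCM ciphers can fail intermittently on 2.7.2-P3 (Bug ID 221545).
"""
import re

# The only curves the advisory lists as hardware-offloaded on Nitrox III.
HW_EC_NAMES = {"secp256r1", "secp384r1"}

# Constructed sample inputs (abbreviated from the show hardware output above).
SHOW_HARDWARE = """\
SSL Cards : 1 device(s) present
            1 Nitrox III
GZIP : 0 compression device(s) present
"""

# Constructed template; the DHE and GCM cipher names are assumed, not from ACOS docs.
CLIENT_TEMPLATE = """\
slb template client-ssl clientssl
  cert cert
  key key
  ec-name secp256r1
  ec-name secp384r1
  cipher TLS1_RSA_AES_128_SHA
  cipher TLS1_ECDHE_RSA_AES_128_SHA
  cipher TLS1_DHE_RSA_AES_128_SHA
  cipher TLS1_ECDHE_RSA_AES_128_GCM_SHA256
"""


def parse_show_hardware(output):
    """Return (card_count, card_model) from the SSL Cards section; (0, None) if absent."""
    m = re.search(
        r"SSL Cards\s*:\s*(\d+)\s+device\(s\) present\s*\n\s*\d+\s+([^\n]+)", output
    )
    if not m:
        return (0, None)
    return (int(m.group(1)), m.group(2).strip())


def parse_template(config):
    """Parse one `slb template client-ssl|server-ssl` block into its parts."""
    tpl = {"side": None, "name": None, "ciphers": [], "ec_names": set()}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"slb template (client-ssl|server-ssl)\s+(\S+)", line)
        if m:
            tpl["side"], tpl["name"] = m.group(1), m.group(2)
        elif line.startswith("cipher "):
            tpl["ciphers"].append(line.split()[1])
        elif line.startswith("ec-name "):
            tpl["ec_names"].add(line.split()[1])
    return tpl


def classify_cipher(cipher, side, ec_names):
    """Say where this cipher's handshake lands on 2.7.2-P3.

    'hardware' : offloaded to the SSL card
    'software' : processed by data CPUs (the high-CPU symptom)
    'gcm-bug'  : may fail intermittently (Bug ID 221545, PX and Nitrox III)
    """
    if "GCM" in cipher:
        return "gcm-bug"
    if "_DHE_" in cipher:          # plain DHE: no hardware offload yet
        return "software"
    if "_ECDHE_" in cipher:
        if side == "server-ssl":   # server side offloads RSA handshakes only
            return "software"
        if not ec_names:           # curves must be configured explicitly
            return "software"
        if not ec_names <= HW_EC_NAMES:  # a non-offloaded curve may be negotiated
            return "software"
        return "hardware"
    return "hardware"              # RSA key exchange


def audit_template(config):
    """Return {cipher: status} for every cipher in the template."""
    tpl = parse_template(config)
    return {c: classify_cipher(c, tpl["side"], tpl["ec_names"]) for c in tpl["ciphers"]}


if __name__ == "__main__":
    count, model = parse_show_hardware(SHOW_HARDWARE)
    print(f"SSL card: {model} ({count} present)")
    for cipher, status in audit_template(CLIENT_TEMPLATE).items():
        print(f"  {status:9} {cipher}")
```

Running it against the constructed sample reports the RSA and ECDHE ciphers as `hardware` (both configured curves are in the offload set), the DHE cipher as `software`, and the GCM cipher as `gcm-bug`. Replacing one ec-name with a curve outside the set, removing the ec-names entirely, or changing the block to `server-ssl` moves the ECDHE cipher to `software`, which is exactly the fallback the advisory attributes to high data CPU usage.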
| Revision | Date | Description |
|---|---|---|
| 1.0 | April 13, 2018 | Created web page |