Controller Based WLANs

CVE-2014-3566 security vulnerabilities

by on ‎04-05-2015 11:05 PM

Environment- Clients exclusively using SSLv3 will fail to access the Captive Portal and the controller WebUI.

Answer- As part of CVE-2014-3566 security vulnerabilities and exposures, SSLv3 transport layer security is disabled in ArubaOS starting from version 6.3.1.14.

To address this vulnerability, the following changes are introduced under the web-server ssl-protocol command.

ssl-protocol --  Specifies the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol version used for securing communication with the web server:(By default we will use all the three)
l TLS v1.0
l TLS v1.1
l TLS v1.2


(Aruba7240) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(Aruba7240) (config) #web-server profile
(Aruba7240) (Web Server Configuration) #ssl-protocol ?
tlsv1                   Use TLSv1
tlsv1.1                 Use TLSv1.1
tlsv1.2                 Use TLSv1.2
<cr>


Note: Clients exclusively using SSLv3 will fail to access the Captive Portal and the controller WebUI. It is recommended to use TLSv1.0, TLSv1.1, or TLSv1.2 transport layer security.

AnswerLT- (Aruba7240) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(Aruba7240) (config) #web-server profile
(Aruba7240) (Web Server Configuration) #ssl-protocol ?
tlsv1 Use TLSv1
tlsv1.1 Use TLSv1.1
tlsv1.2 Use TLSv1.2
<cr>

Internal Note- Verifited and testing in 6.3.1.14 and above image version.

Related Links- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.