Forum Discussion
DHE key exchange: why is ephemeral key only 1024bit long?
I am running into the same issue. If DHE keys are impossible to break, why does SSL Labs mark it as weak? And isn't the new setting "SSL Sign Hash" in the clientssl profile supposed to affect that? When I change that setting, it makes no difference.
However, maybe that is only for ECDHE:
"Specifies the hash algorithm the BIG-IP system uses for server key exchanges with Elliptic Curve ciphers. Possible choices are SHA1, SHA256, SHA384, or Any. When you select Any, you authorize the system to choose any one of the hash algorithms. Note that in this case, the BIG-IP system chooses SHA1 whenever possible. The SSL Sign Hash setting was introduced in BIG-IP 11.5.0."
Regardless of whether or not DHE keys are impossible to break, PCI still views 1024 as weak and therefore it shouldn't/can't be used by us. I may have to open up a ticket with F5 if no one has any other suggestions.
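The thread asks why SSL Labs flags the DHE exchange as weak even though the "SSL Sign Hash" setting makes no difference; that setting only chooses the signature hash, not the size of the DH group. The script below is an added example, not from this thread or from F5, that reports the finite-field DH group size a server actually negotiates so a 1024-bit group can be confirmed before opening a ticket. It assumes an OpenSSL 1.0.2 or newer client (whose `s_client` prints a `Server Temp Key:` line) and the `DHE` cipher-string keyword; the host name and the sample output are constructed.

```shell
#!/bin/sh
# Report the DH group size negotiated with a server and flag groups < 2048 bits.

# Extract the "Server Temp Key:" value from s_client output on stdin,
# e.g. "DH, 1024 bits" or "ECDH, P-256, 256 bits".
temp_key() {
  sed -n 's/^Server Temp Key: *//p' | head -n 1
}

# Return 0 if the key line is a DH group of at least 2048 bits (or an ECDH
# curve, which is not a finite-field group), 1 if it is a DH group below
# 2048 bits, 2 if no temp key line was found (no DHE suite negotiated).
dh_is_strong() {
  line="$1"
  case "$line" in
    "") return 2 ;;
    DH,*)
      bits=$(printf '%s\n' "$line" | sed 's/^DH, *\([0-9]*\) bits.*/\1/')
      [ "$bits" -ge 2048 ] ;;
    *) return 0 ;;
  esac
}

# Live check (needs network). Forces TLS 1.2 and a DHE suite so the server's
# finite-field DH parameters are exercised instead of ECDHE. Assumes the
# "DHE" cipher-string keyword of OpenSSL 1.1.0+; older clients use "EDH".
check_host() {
  host="$1"
  key=$(printf 'Q\n' | openssl s_client -connect "$host:443" -servername "$host" \
          -cipher 'DHE' -tls1_2 2>/dev/null | temp_key)
  if dh_is_strong "$key"; then
    echo "$host: OK ($key)"
  else
    echo "$host: WEAK or no DHE suite ($key)"
  fi
}

# Constructed sample of s_client output, so the parser can be exercised offline.
SAMPLE_WEAK='---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---'

# Usage (commented out so the script runs offline):
# check_host vip.example.com   # placeholder host name
```

A server that only offers 1024-bit DH parameters prints `WEAK`; SSL Labs grades such exchanges the same way, independent of the signature hash chosen.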