Forum Discussion

Nimbostratus

Dec 10, 2014

DHE key exchange: why is ephemeral key only 1024bit long?

Hello, during a recent analysis comparing security options provided by Apache httpd and F5 LTM we discovered that while Apache for RHEL/CentOS has lifted a limitation of 1024 bits for ephemeral ...

Employee

Mar 10, 2015

11.6 will have a reduced set of lower level ciphers in the default config but any existing config is still supported. BigIP supports different levels because it has to account for many different configurations, like the COMPAT cipher list.

Check out SOL8802 for a good list of 11.x based SSL articles, but you'll specifically want to read SOL13171 to configure only strong ciphers if that's the need. I can only assume that your VIP is using a an SSL profile that allows these lower level strings for negotiation fall back.

But really review the SOL8802 and that will give you not only the possible ciphers that you'll want to support, but also how to configure the profile to use ONLY TLS 1.2 approved cipher strengths.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

DHE key exchange: why is ephemeral key only 1024bit long?

Recent Discussions

ports are showing open on online scanning tool

Upgrade F5 BIGIP

DNS HM Probe issue

Is XFF a must for ASM WAF DoS

Switch ssl profile based on weak cipher detection via IRULE

Related Content

The Business Partner Exchange - An F5 Distributed Cloud Services Demonstration

Rustls with NGINX, Password Based Key Exchange, & Llama Drama

Exchange 2016

MS Exchange ProxyNotShell block implemented via iRules

Exchange 2019

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS