Forum Discussion
DHE key exchange: why is ephemeral key only 1024bit long?
Hello,
during a recent analysis comparing security options provided by Apache httpd and F5 LTM we discovered that while Apache for RHEL/CentOS has lifted a limitation of 1024 bits for ephemeral keys in Diffie-Hellman exchange in version 2.2.15-32.el6 (EL6 is the version we're using at the moment, so let's stick to that; newest available package for EL6 is 2.2.15-39.el6) and now bases the length of ephemeral keys upon the server private key (2048 bits, as per current industry standard).
On the other hand, F5 LTM v. 11.6.0 still uses the keys that are 1024 bits long in DH Exchange.
Is there a possibility to control this behaviour that I'm not aware of? If not, what is the potential impact of this parameter? Are there any plans for changes in this respect?
Additional reference: Bug report related to Apache httpd in RHEL6 https://bugzilla.redhat.com/show_bug.cgi?id=1071883 NIST SP 800-131A http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
Thanks for any information, W.UrbaĆczyk
- Joe_MNimbostratus
I contacted F5 support to have this RFE pushed and this is the unfortunate response I got back.
I wanted to update you that I have heard back regarding your request and it was unfortunately denied. The recommendation they provided is completely disabling DHE, and using ECDHE instead. Also, I reviewed the links that you sent me and we actually have official documentation regarding logjam now that went up on Sunday. You can review that information at the link below.
- DavidScottNortoNimbostratus
Very unfortunate that F5 doesn't seem to understand the impacts of not supporting legacy clients:( Why do they think I can drop 15% of my traffic? It looks like that means we will need to switch to L4 load balancing for many of our sites so we can use Apache function which is working.
- JRahmAdminHi David, is an iRule possible in your environment? You can use one to loop through the ciphers offered by the client and then select another profile for them, but the business logic for which non-supported clients you would actually still want to connect would still need to be developed.
- DavidScottNort1Nimbostratus
Very unfortunate that F5 doesn't seem to understand the impacts of not supporting legacy clients:( Why do they think I can drop 15% of my traffic? It looks like that means we will need to switch to L4 load balancing for many of our sites so we can use Apache function which is working.
- JRahmAdminHi David, is an iRule possible in your environment? You can use one to loop through the ciphers offered by the client and then select another profile for them, but the business logic for which non-supported clients you would actually still want to connect would still need to be developed.
- Joe_MNimbostratus
FYI, this was written up a few days ago for logjam. https://devcentral.f5.com/articles/remediating-logjam-an-irule-countermeasure
- JGCumulonimbus
There was this argument about the benefits of off-loading SSL operations to the hardware (ASIC) of F5. If ECDHE is too much even for F5 to handle, imagine the situation of the boxes the Apache httpd runs on. :-)
But I suspect F5 is probably worried about the existing older F5 hardware....
The SSL/TLS has really shaken up the industry in the past year and a lot of things stop working sooner...
- Chase_AbbottEmployee
David's point is older clients will not support ECDH, not that the F5 gear wouldn't be able to handle it I think. In that case, iRules do have the ability to do a client detect so you can use ECDH on appropriate incoming requests and drop others to a different SSL profile or some other function.
We support compact and other legacy ciphers for this reason but the issue is, once enabled, your application stops complying with whatever new issue arises against TLS. This is that double-edge sword... with the iRule though, we could detect regular traffic and comply with any "scan" and proper ITIL documentation could detail the caveats for legacy clients that don't support the new ciphers. These always boil down to business decisions on what is supportable.
But yes, if enabling ECDH is too much for a hardware appliance with SSL Hardware acceleration, the Apache box would most likely be toast.
- BAMcHenryRet. Employee
Here's a bit more detail on why supporting DHE parameter lengths greater than 1024 is a non-trivial development effort, and ultimately doesn't return the value in security, given the alternatives: https://devcentral.f5.com/articles/logjams-dhe-parameters-and-other-obstacles-to-tls-excellence
Bear in mind that older clients not supporting DHE 2048 should support ECDHE as a PFS alternative of quality strength.
- sogboj_312474Nimbostratus
Hello, is this still the case with later versions such as 13.x and beyond? That is, that you cannot increase the bit size of the DH key for the built-in ciphers?
- KinEmployee
Please refer to the latest update on this. K79342815: BIG-IP support for RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE)
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com