Forum Discussion

Cirrostratus

Dec 06, 2020

Diffie-Hellman "p" length 1024/2048 bits

Hey folks! Spoiler: very tricky question ahead! On diffie-hellman negotiation (TLSv1.2 and TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher-suite to be more specific), the length of p (aka the size 1...

jaikumar_f5
Dec 07, 2020
When it comes to handshake, the ciphers alone play role in negotiation. The certificate has no play here.
The DHE suites are 1024 alone in F5, if you had seen a 2048 bit, It should have been ECDHE.

Can you put a logging rule to confirm if it indeed was DHE suite and not ECDHE ?

jaikumar_f5

MVP

Dec 07, 2020

When it comes to handshake, the ciphers alone play role in negotiation. The certificate has no play here.

The DHE suites are 1024 alone in F5, if you had seen a 2048 bit, It should have been ECDHE.

Can you put a logging rule to confirm if it indeed was DHE suite and not ECDHE ?

rafaelbn
Cirrostratus
Dec 07, 2020
Hello Jaikumar! Thanks for the reply.

I will investigate it further. But will let you know.

Do you recommend any article/training that explain this? I wish to understand this type of thing better.

Thanks!
- jaikumar_f5
  MVP
  Dec 07, 2020
  Here mate, hope this helps.
  
  SSL Profiles Part 1: Handshakes
  Troubleshooting SSL/TLS handshake failures
  Troubleshooting Handshake by Capturing Traffic
  Qualsys SSL lab test reports a result of DH 1024 bits WEAK
- rafaelbn
  Cirrostratus
  Dec 10, 2020
  Thanks Jaikumar!

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Diffie-Hellman "p" length 1024/2048 bits

Recent Discussions

ports are showing open on online scanning tool

self-directed requests fail because of no certificate

Decode ObjectSID from Base64-encode string

iRule - Url rewrite and header replace and pool selection not working

ip x-forwarding

Related Content

Lightboard Lessons: Explaining the Diffie-Hellman Key Exchange

Vulnerability Diffie-Hellman F5

The SSL/TLS service uses Diffie-Hellman groups with insufficient strength (key size < 2048).

How to set diffie-hellman to 2048 bits

Disable Diffie Hellman 1024 Cipher on the SSL profile

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS