Forum Discussion

Cirrostratus

Dec 06, 2020

Solved

Diffie-Hellman "p" length 1024/2048 bits

Hey folks! Spoiler: very tricky question ahead! On diffie-hellman negotiation (TLSv1.2 and TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher-suite to be more specific), the length of p (aka the size 1...

jaikumar_f5
Dec 07, 2020
When it comes to handshake, the ciphers alone play role in negotiation. The certificate has no play here.
The DHE suites are 1024 alone in F5, if you had seen a 2048 bit, It should have been ECDHE.

Can you put a logging rule to confirm if it indeed was DHE suite and not ECDHE ?

jaikumar_f5

Noctilucent

Dec 07, 2020

When it comes to handshake, the ciphers alone play role in negotiation. The certificate has no play here.

The DHE suites are 1024 alone in F5, if you had seen a 2048 bit, It should have been ECDHE.

Can you put a logging rule to confirm if it indeed was DHE suite and not ECDHE ?

rafaelbn
Cirrostratus
Dec 07, 2020
Hello Jaikumar! Thanks for the reply.

I will investigate it further. But will let you know.

Do you recommend any article/training that explain this? I wish to understand this type of thing better.

Thanks!
- jaikumar_f5
  Noctilucent
  Dec 07, 2020
  Here mate, hope this helps.
  
  SSL Profiles Part 1: Handshakes
  Troubleshooting SSL/TLS handshake failures
  Troubleshooting Handshake by Capturing Traffic
  Qualsys SSL lab test reports a result of DH 1024 bits WEAK
- rafaelbn
  Cirrostratus
  Dec 10, 2020
  Thanks Jaikumar!