Error with DHkey size during SSL handshake

Question

My bigip version is 12.x. When my client tries to connect to the SSL VIP there is an error which is - 
"javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints"
The client is looking to connect with DH key size of 2048 bits. Is it possible to enforce a DHkey size using the SSL profile setting?&nbsp;

dennisjann · Answer

Per K16674, it appears the BIG-IP is hard-coded to use 1024-bit DHE keys. If you need something stronger, the recommendation is to configure your SSL profile to prefer ECDHE cipher suites, assuming your client's Java version supports that.&nbsp;
My organization decided to remove DHE cipher support from our clientssl profiles after the LogJam vulnerability was disclosed. We had already configured our clientssl profiles to prefer ECDHE cipher suites, and analysis of the clientssl profile statistics showed low usage of DHE cipher suites.&nbsp;

Forum Discussion

Error with DHkey size during SSL handshake

Recent Discussions

AS3 Limitations

Diameter iRules attachment?

Help needed with iRule (connection closed log )

Use of SSL Decryption.

VLAN Failsafe Functionality

Related Content

Prevent BIG-IP Edge Client VPN Driver to roll back (or forward) during PPP/RAS errors

SSL Profiles Part 1: Handshakes

TCP Internals: 3-way Handshake and Sequence Numbers Explained

Restricting number of concurrent TLS handshakes using Max Active Handshakes on BIG-IP

HTTPS - Monitor SSL Handshake

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS