Forum Discussion
jamesdris
Nimbostratus
NimbostratusError with DHkey size during SSL handshake
My bigip version is 12.x. When my client tries to connect to the SSL VIP there is an error which is -
"javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints"
The ...
DennisJannNimbostratus
NimbostratusPer K16674, it appears the BIG-IP is hard-coded to use 1024-bit DHE keys. If you need something stronger, the recommendation is to configure your SSL profile to prefer ECDHE cipher suites, assuming your client's Java version supports that.
My organization decided to remove DHE cipher support from our clientssl profiles after the LogJam vulnerability was disclosed. We had already configured our clientssl profiles to prefer ECDHE cipher suites, and analysis of the clientssl profile statistics showed low usage of DHE cipher suites.
