Forum Discussion

Nimbostratus

Feb 26, 2019

Error with DHkey size during SSL handshake

My bigip version is 12.x. When my client tries to connect to the SSL VIP there is an error which is - "javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints" The ...

Nimbostratus

Mar 04, 2019

Per K16674, it appears the BIG-IP is hard-coded to use 1024-bit DHE keys. If you need something stronger, the recommendation is to configure your SSL profile to prefer ECDHE cipher suites, assuming your client's Java version supports that.

My organization decided to remove DHE cipher support from our clientssl profiles after the LogJam vulnerability was disclosed. We had already configured our clientssl profiles to prefer ECDHE cipher suites, and analysis of the clientssl profile statistics showed low usage of DHE cipher suites.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Error with DHkey size during SSL handshake

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

T4 and ALL tenant images

Unable to Forward APM and AFM Logs to AWS CloudWatch Using Telemetry Streaming

Managing iRules configuration

CPU load when Prometheus is scraping metrics from F5 BIG-IP LTM

[ASM] - How to disable the SQL injection attack signatures

Related Content

Ansible Error: An exception occurred during task execution

Prevent BIG-IP Edge Client VPN Driver to roll back (or forward) during PPP/RAS errors

SSL Profiles Part 1: Handshakes

TCP Internals: 3-way Handshake and Sequence Numbers Explained

Restricting number of concurrent TLS handshakes using Max Active Handshakes on BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS