For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jamesdris's avatar
jamesdris
Icon for Nimbostratus rankNimbostratus
Feb 27, 2019

Error with DHkey size during SSL handshake

My bigip version is 12.x. When my client tries to connect to the SSL VIP there is an error which is - "javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints" The ...
application delivery
BIG-IP
client ssl profile
DennisJann's avatar
DennisJann
Icon for Nimbostratus rankNimbostratus
Mar 05, 2019

Per K16674, it appears the BIG-IP is hard-coded to use 1024-bit DHE keys. If you need something stronger, the recommendation is to configure your SSL profile to prefer ECDHE cipher suites, assuming your client's Java version supports that.

 

My organization decided to remove DHE cipher support from our clientssl profiles after the LogJam vulnerability was disclosed. We had already configured our clientssl profiles to prefer ECDHE cipher suites, and analysis of the clientssl profile statistics showed low usage of DHE cipher suites.