Emad, May 21, 2015
Logjam TLS Vulnerability
Any update from F5 about the Logjam TLS vulnerability? The default SSL configurations do contain DHE and ECDHE key exchange.
See Solution 16674 for F5's official response.
It focuses specifically on the export ciphers / 512-bit DH groups issue. For those who read the full paper and are interested in how the F5s address the use of unique DH parameters and support of DH 2048-bit groups -
It's my understanding that new DH parameters are generated on an hourly basis using the openssl method outlined at weakdh.com (but using 1024 instead of 2048).
To the best of my knowledge, none of the current F5s support greater than 1024-bit DH groups. You can request this by opening a support case with F5 and asking for it to be tied to 435231 - "RFE: LTM Support for higher-bit DH keys".
Lastly, to reduce the impact of using 1024-bit DH, enable the "DH Single Use" option to ensure new keys are generated for each connection.
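The DH group size the thread is concerned with is visible on the wire: a TLS 1.2 server offering a DHE suite sends its prime in the ServerKeyExchange message. As an added example (not code from this thread or from F5), the following Python builds constructed ServerKeyExchange messages with 512-bit and 1024-bit primes and parses the prime size back out, which is the check an auditing script performs; the primes P_512 and P_1024 are constructed placeholders, not real server parameters.

```python
import struct

# Constructed sample primes (not real server parameters); the top bit is set
# so the bit length is exactly the nominal group size.
P_512 = (1 << 511) | 0x1234567
P_1024 = (1 << 1023) | 0x7654321


def build_server_key_exchange(p: int, g: int = 2, ys: int = 0x42) -> bytes:
    """Build a minimal TLS 1.2 ServerKeyExchange handshake message for a DHE
    suite (RFC 5246 7.4.3): ServerDHParams {dh_p, dh_g, dh_Ys} followed by a
    dummy signature field that the parser below ignores."""
    def opaque16(n: int) -> bytes:
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    body = opaque16(p) + opaque16(g) + opaque16(ys)
    body += b"\x04\x01" + struct.pack("!H", 4) + b"\x00" * 4  # sig alg + fake sig
    return b"\x0c" + len(body).to_bytes(3, "big") + body  # type 12 + 24-bit len


def parse_dh_params(msg: bytes) -> dict:
    """Return the DH prime size, generator and public value size found in a
    ServerKeyExchange message, rejecting truncated input."""
    if not msg or msg[0] != 0x0C:
        raise ValueError("not a ServerKeyExchange message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    fields, off = [], 0
    for _ in range(3):  # dh_p, dh_g, dh_Ys are each opaque<1..2^16-1>
        if off + 2 > len(body):
            raise ValueError("truncated ServerDHParams")
        (n,) = struct.unpack("!H", body[off:off + 2])
        off += 2
        if off + n > len(body):
            raise ValueError("truncated ServerDHParams")
        fields.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    p, g, ys = fields
    return {"p_bits": p.bit_length(), "g": g, "ys_bits": ys.bit_length()}


def classify(p_bits: int) -> str:
    """Map a DH prime size to the risk tiers discussed in the thread."""
    if p_bits <= 512:
        return "export-grade (Logjam downgrade target)"
    if p_bits < 2048:
        return "weak (below 2048-bit; mitigate with DH Single Use)"
    return "acceptable"
```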