Forum Discussion

Icon for Nimbostratus rank

Nimbostratus

Jul 22, 2015

perfect forward secrecy

Can someone pls help me with the list of DHE cipher suites supports perfect forward secrecy?

application delivery

Kevin_Stewart
Employee
Jul 23, 2015
DHE in and of itself provides PFS. If you do the following at the command line:

tmm --clientciphers 'DHE'

you'll see a bunch of DHE cipher suites from the NATIVE stack. Some of these are for SSLv3 and use DES, so probably best to trim that list a bit. It's also highly recommended these days to switch to ECDHE (also PFS). BIG-IP doesn't support DHE beyond 1024 bits, and even if it did you'd find more clients that support ECDHE than DHE with 2048, plus DHE 2048 is computationally expensive compared to elliptic curve.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming