Forum Discussion
SSL: Restrict Key Exchange Length
Hi, any idea how to restrict key exchange protocols based on DHE or RSA to keys of no less than 2048 bits in length?
- ekaleidoCirrus
The Cipher string in your SSL profile. You'll have to change the dropdown to "Advanced" to see it, and it is set to "DEFAULT" unless you modify it. You can get the cipher suites available in DEFAULT with the following command:
tmm --clientciphers 'DEFAULT'
From there you can include or exclude whatever you want.
- IheartF5_45022Nacreous
Unfortunately you can't - F5 only supports 1024 bits for DHE. In real-life terms this should be enough (unless the Russians are after you); however, if scans are complaining then you'll need to disable DHE ciphers and use only ECDHE instead.
- refra_151287Cirrus
Thanks a lot, how can I know the key length for the other algorithms?
- IheartF5_45022Nacreous
DHE (Diffie-Hellman Ephemeral) key exchange uses prime numbers. The number of bits (which is what we are talking about above) refers to the length of the prime used within the exchange, not to the key itself. A 1024b prime is considered breakable by a nation-state, so you will get pinged by most vulnerability scanners if you are using this - 2048b for DHE, however, is not considered breakable.
ECDHE (Elliptic Curve DHE) is a variant of DHE using elliptic curve cryptography. It uses only 128b; however, it is not considered breakable. So in other words - you shouldn't worry (and scans won't either) about the 'key' length if you only have ECDHE ciphers enabled.
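An added example (not from the thread or from F5) that models the two points above in Python: how an OpenSSL/F5-style cipher string such as DEFAULT:!DHE includes and excludes suites, and why a scanner flags 1024-bit DHE groups but not ECDHE. The suite table, group sizes and matching rules are constructed simplifications, not tmm output or the real cipher-string grammar.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str        # key exchange: "ECDHE", "DHE" or "RSA"
    kx_bits: int   # DHE prime / RSA modulus size, or curve size for ECDHE


# Constructed sample table (not a real DEFAULT list); DHE suites carry the
# 1024-bit group size the thread says the platform uses.
DEFAULT = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", 256),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE", 256),
    Suite("DHE-RSA-AES256-GCM-SHA384", "DHE", 1024),
    Suite("DHE-RSA-AES128-SHA256", "DHE", 1024),
    Suite("AES256-GCM-SHA384", "RSA", 2048),
    Suite("AES128-SHA", "RSA", 2048),
]


def select(cipher_string, table=DEFAULT):
    """Apply a colon-separated string such as 'DEFAULT:!DHE' left to right:
    a bare keyword adds the suites it names (by key-exchange type or exact
    suite name), a '!' keyword removes them. Simplified matching rules."""
    chosen = []
    for token in cipher_string.split(":"):
        exclude = token.startswith("!")
        key = token.lstrip("!")
        if key == "DEFAULT":
            matches = list(table)
        else:
            matches = [s for s in table if key in (s.kx, s.name)]
        if exclude:
            chosen = [s for s in chosen if s not in matches]
        else:
            chosen += [s for s in matches if s not in chosen]
    return chosen


def weak_exchanges(suites, min_bits=2048, ec_min_bits=256):
    """Return suites a scanner would flag: DHE primes or RSA moduli below
    min_bits. Curve sizes are not comparable, so ECDHE gets its own floor."""
    return [s for s in suites
            if (s.kx == "ECDHE" and s.kx_bits < ec_min_bits)
            or (s.kx != "ECDHE" and s.kx_bits < min_bits)]


if __name__ == "__main__":
    for cs in ("DEFAULT", "DEFAULT:!DHE"):
        flagged = [s.name for s in weak_exchanges(select(cs))]
        print(cs, "->", flagged or "no weak key exchange")
```

With the sample table, DEFAULT is flagged for its two 1024-bit DHE suites while DEFAULT:!DHE leaves only ECDHE and 2048-bit RSA key exchange and passes the check.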