Forum Discussion
Weak DH Keys solved by !DHE?
Adding !DHE to the below F5 SSL profile cipher string (11.X & 12.X) resolved the below SSL Labs issue.
DEFAULT:!LOW:!RC4:!MD5:!SHA1:!ADH:!DHE:!DES:!3DES:!EXP
Resolved: Weak Diffie-Hellman (DH) key exchange parameters. (Grade capped to B)
Unlike !DH, this option allows below Diffie Hellman ciphers.
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp384r1 (eq. 7680 bits RSA) FS 128
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS 128
Please confirm the above ECDHE_RSA implementations are immune to the weak DH key exchange risk.
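An added example, not part of the original post and not F5 or SSL Labs code: a small Python audit that parses cipher lines in the scan-report layout quoted above and separates ECDHE suites from finite-field DH suites, flagging small DH groups. The two DHE lines in the sample are constructed for illustration, and the 2048-bit minimum is an assumed policy threshold.

```python
import re

# Assumed policy threshold for finite-field DH group size, in bits.
MIN_DH_BITS = 2048

# Matches "<IANA suite name> (<hex code>) <rest>" as in the report lines above.
LINE_RE = re.compile(r"(?P<name>TLS_[A-Za-z0-9_]+)\s+\((?P<code>0x[0-9a-fA-F]+)\)\s*(?P<rest>.*)")

# Ordered so that longer prefixes (ECDHE, DHE) win over shorter ones (ECDH, DH).
PREFIXES = [("ECDHE", "ECDHE"), ("DHE", "DHE"), ("DH_anon", "ADH"),
            ("ECDH", "ECDH-static"), ("DH", "DH-static"), ("RSA", "RSA")]

# Constructed sample: two ECDHE lines from the post plus two made-up DHE lines.
SAMPLE = """\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp384r1 (eq. 7680 bits RSA) FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits FS WEAK 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS 256
"""

def key_exchange(name):
    """Classify the key exchange from the part of the suite name before _WITH_."""
    kx = name[len("TLS_"):].split("_WITH_")[0]
    for prefix, label in PREFIXES:
        if kx.startswith(prefix):
            return label
    return "other"

def audit(report):
    """Return (suite, key exchange, finding) for every suite line in the report."""
    results = []
    for line in report.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kx = key_exchange(m["name"])
        finding = "ok"
        if kx in ("DHE", "ADH", "DH-static"):
            # Only finite-field DH carries a "DH <n> bits" group size.
            bits = re.search(r"\bDH (\d+) bits", m["rest"])
            if bits is None:
                finding = "finite-field DH, group size unknown"
            elif int(bits.group(1)) < MIN_DH_BITS:
                finding = f"weak DH group ({bits.group(1)} bits)"
        results.append((m["name"], kx, finding))
    return results

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```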
2 Replies
- dmezack_359144
Nimbostratus
According to answers on [What is ECDHE-RSA](https://security.stackexchange.com/questions/14731/what-is-ecdhe-rsa):
- “ECDHE suites use elliptic curve diffie-hellman key exchange, where DHE suites use normal diffie-hellman. This exchange is signed with RSA, in the same way in both cases”
- "ECDHE is also resistant to recently published attacks against traditional DH cipher-suites in TLS"
It would be valuable to have F5 confirm if !DHE sufficiently addresses this risk by using elliptic curve diffie-hellman key exchange with lower "EC" key sizes required.
- JG
Cumulonimbus
Please see https://devcentral.f5.com/questions/logjam-tls-vulnerability.
And DHE is not really an issue here, see: https://devcentral.f5.com/Portals/0/Cache/Pdfs/2807/logjams-dhe-parameters-and-other-obstacles-to-tls-excellence.pdf. SSLabs can only test the key size, and not F5's mitigation by way of regularly updating the ephemeral key.