For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dmezack_359144's avatar
dmezack_359144
Icon for Nimbostratus rankNimbostratus
Apr 19, 2018

Weak DH Keys solved by !DHE?

Adding !DHE to the below F5 SSL profile cipher string (11.X & 12.X) resolved the below SSL Labs issue.   DEFAULT:!LOW:!RC4:!MD5:!SHA1:!ADH:!DHE:!DES:!3DES:!EXP   Resolved: Weak Diffie-Hellman (...
BIG-IP
security
dmezack_359144's avatar
dmezack_359144
Icon for Nimbostratus rankNimbostratus
Apr 19, 2018

According to answers on [What is ECDHE-RSA](o https://security.stackexchange.com/questions/14731/what-is-ecdhe-rsa):

 

  • “ECDHE suites use elliptic curve diffie-hellman key exchange, where DHE suites use normal diffie-hellman. This exchange is signed with RSA, in the same way in both cases”
  • "ECDHE is also resistant to recently published attacks against traditional DH cipher-suites in TLS"

It would be valuable to have F5 confirm if !DHE sufficiently addresses this risk by using elliptic curfe diffie-hellman key exchange with lower "EC" key sizes required.