LogJams, DHE Parameters, and Other Obstacles to TLS Excellence
Published Jul 07, 2015
Version 1.0
Where can I get the technical details of DH parameter rotation that you mention above? Some details around how often and the fact it is on by default (and which versions it is on by default for - if that’s applicable).
EDIT: Found it after Googling.
The particular support article that details how often is K16674: TLS vulnerability CVE-2015-4000
It states:
The BIG-IP system, by default, uses custom DHE groups that are unique per install and are not static. These custom groups are also refreshed on a regular basis with the interval of regeneration varied by version. The interval is every month on BIG-IP 10.1.0 thru 11.3.0, and every hour starting in BIG-IP 11.4.0. This is enabled by default.