LogJams, DHE Parameters, and Other Obstacles to TLS Excellence
If you're presently volunteering to wear the hat of "SSL/TLS Vulnerability Manager", then you've come to the realization that patching one vulnerability often raises others. In the wake of revelations ab...
Published Jul 07, 2015
Version 1.0

BAMcHenry (Ret. Employee, joined March 13, 2008), Mar 07, 2018:
James, DH parameter rotation is on by default since F5 first implemented DHE ciphers (in TMOS v11.4.0). The rotation occurs every hour, though this fact is not publicly documented, as far as I can tell.
The Single DH option is also available in the client SSL profile. Single DH forces the generation of a new parameter on a per-handshake basis. This does incur a non-trivial amount of additional processing overhead, but can be useful in very high security environments.
Hope this helps.
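An added example (not from the article or from BAMcHenry's comment) of the check a defender runs when auditing DHE exposure of the kind Logjam exploited: it parses the ServerDHParams structure that a TLS 1.2 server sends in its ServerKeyExchange (RFC 5246 §7.4.3) and classifies the group by modulus size. The sample messages are constructed inline; their moduli are odd numbers of the stated size, not real primes.

```python
import struct

# Thresholds from the Logjam discussion: 512-bit "export" groups are broken outright,
# and anything below 2048 bits is within reach of well-resourced precomputation.
EXPORT_BITS = 512
WEAK_BITS = 2048

def _read_opaque16(buf: bytes, off: int):
    """Read one <1..2^16-1> length-prefixed opaque field as a big-endian integer."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad opaque length")
    return int.from_bytes(buf[off:off + n], "big"), off + n

def parse_server_dh_params(buf: bytes):
    """Parse ServerDHParams {dh_p, dh_g, dh_Ys} from the start of a DHE ServerKeyExchange body."""
    p, off = _read_opaque16(buf, 0)
    g, off = _read_opaque16(buf, off)
    ys, _ = _read_opaque16(buf, off)
    return p, g, ys

def classify_dh_group(p: int, g: int, ys: int) -> str:
    """Return 'malformed', 'export', 'weak' or 'ok' based on sanity checks and modulus size."""
    if p % 2 == 0 or not 1 < g < p or not 1 < ys < p - 1:
        return "malformed"
    bits = p.bit_length()  # ignores any leading zero bytes in the wire encoding
    if bits <= EXPORT_BITS:
        return "export"
    return "weak" if bits < WEAK_BITS else "ok"

def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of the parser; used here only to build the constructed samples below."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed samples: odd moduli of the stated size (NOT real primes), g = 2.
SAMPLE_EXPORT_SKE = encode_server_dh_params((1 << 511) | 0x1234567, 2, (1 << 300) + 99)
SAMPLE_OK_SKE = encode_server_dh_params((1 << 2047) | 0xABCDEF1, 2, (1 << 1000) + 7)

if __name__ == "__main__":
    for name, ske in (("export-size sample", SAMPLE_EXPORT_SKE), ("2048-bit sample", SAMPLE_OK_SKE)):
        p, g, ys = parse_server_dh_params(ske)
        print(f"{name}: p is {p.bit_length()} bits -> {classify_dh_group(p, g, ys)}")
```

Hourly parameter rotation changes which modulus a server offers, but it does not raise the size of that modulus, so this size check is still the first thing to verify on any DHE-enabled profile.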