LogJams, DHE Parameters, and Other Obstacles to TLS Excellence

If you're presently volunteering to wear the hat of “SSL/TLS Vulnerability Manager”, then you’ve come to the realization that patching one vulnerability often raises others. In wake of revelations ab...
Published Jul 07, 2015
Version 1.0
security
TMOS
BAMcHenry's avatar
Ret. Employee
Brian McHenry leads product management for Security solutions on the BIG-IP, NGINX, and Distributed Cloud data planes. In this role, he sets strategy for the growing $750M annual business for the Advanced WAF, SSL Orchestrator, Access Policy Manager, and NGINX App Protect products. McHenry takes pride in enabling F5’s customers to be successful as well as in improving their security postures to make the Internet a safer place. McHenry works across multiple groups at F5, including the Strategy Office, Office of the CTO, Marketing, Services, Support, and Sales. He is also a published writer and a frequent speaker at infosec conferences and events. He is a co-founder of Security B-Sides NYC, and committed to giving back to the Infosec community.
View Profile
BAMcHenry's avatar
Ret. Employee
Brian McHenry leads product management for Security solutions on the BIG-IP, NGINX, and Distributed Cloud data planes. In this role, he sets strategy for the growing $750M annual business for the Advanced WAF, SSL Orchestrator, Access Policy Manager, and NGINX App Protect products. McHenry takes pride in enabling F5’s customers to be successful as well as in improving their security postures to make the Internet a safer place. McHenry works across multiple groups at F5, including the Strategy Office, Office of the CTO, Marketing, Services, Support, and Sales. He is also a published writer and a frequent speaker at infosec conferences and events. He is a co-founder of Security B-Sides NYC, and committed to giving back to the Infosec community.
View Profile
BAMcHenry's avatar
BAMcHenry
Ret. Employee
Mar 07, 2018

James, DH parameter rotation is on by default since F5 first implemented DHE ciphers (in TMOS v11.4.0). The rotation occurs every hour, though this fact is not publicly documented, as far as I can tell.

 

The Single DH option is also available in the client SSL profile. Single DH forces the generation of a new parameter on a per-handshake basis. This does incur a non-trivial amount of additional processing overhead, but can be useful in very high security environments.

 

Hope this helps.