Remediating Logjam: an iRule Countermeasure

#SSL #LOGJAM Professor Matthew Green of John Hopkins announced a weakness in the SSL Protocol and has given it the name Logjam (see weakdh.org). With Logjam, a malicious attacker can get access to...
Published May 23, 2015
Version 1.0
logjam
security
ssl
EvanH's avatar
EvanH
Icon for Nimbostratus rankNimbostratus
May 26, 2015
I appreciate the update and on how LogJam impacts F5s. However, I'd like to request that you expand on the statement "Our NATIVE cryptosystem uses custom groups for ephemeral key generation". Does this mean the same custom DH groups are used for every F5 device? Is it possible to generate new custom groups? Lastly, the LogJam paper also calls out that 1024bit DH groups are vulnerable to state sponsored actors and websites who include that in their threat model should be using 2048bit DH. Unfortunately, there is no mention of this in your article and seems to be consistently under played. I'd urge others who are concerned about the lack of greater than 1024bit DH in F5s to add their names to RFE 435231 - "RFE: LTM Support for higher-bit DH keys"