Diffie-Hellman "p" length 1024/2048 bits

rafaelbn
Cirrostratus

Hey folks! Spoiler: very tricky question ahead!

On Diffie-Hellman negotiation (TLSv1.2 and the TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite, to be more specific), is the length of p (aka the size, 1024/2048 bits) dependent on just configuration, or could the issued certificate influence it?

I ask this because I have two VS that share the same cipher suites on the client-ssl profile but negotiate different sizes: one is 1024 and the other is 2048. And I read in K82014843 that BIG-IP is not supposed to use 2048 (as in, it's not implemented), and to my surprise I'm getting 2048-bit DH in my tests.

Any tips for me?

Thanks!

1 ACCEPTED SOLUTION

When it comes to the handshake, the ciphers alone play a role in negotiation. The certificate has no play here.

The DHE suites are 1024 alone in F5; if you had seen a 2048 bit, it should have been ECDHE.

Can you put a logging rule to confirm if it indeed was a DHE suite and not ECDHE?

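One way to check which key exchange a virtual server actually used, as an added example that is not part of the original thread: in TLS 1.2 the server sends the DH prime p (DHE suites) or the named curve (ECDHE suites) in its ServerKeyExchange message, so parsing that message body shows the size in use. The function names and sample bytes below are constructed for illustration, and the caller is assumed to have already extracted the negotiated suite name and the ServerKeyExchange body from a capture.

```python
import struct

# IANA "TLS Supported Groups" ids for a few common curves.
NAMED_CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519"}

def _read_vec16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector; return (value, next offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    end = off + 2 + n
    if n == 0 or end > len(buf):
        raise ValueError("bad vector length")
    return buf[off + 2:end], end

def describe_key_exchange(suite, ske_body):
    """Summarise the ephemeral parameters in a TLS 1.2 ServerKeyExchange body."""
    if suite.startswith("TLS_ECDHE_"):
        if len(ske_body) < 3:
            raise ValueError("truncated ECParameters")
        curve_type, curve_id = struct.unpack_from("!BH", ske_body, 0)
        if curve_type != 3:  # 3 = named_curve
            raise ValueError("unsupported curve_type")
        return {"kex": "ECDHE", "curve": NAMED_CURVES.get(curve_id, f"id {curve_id}")}
    if suite.startswith("TLS_DHE_"):
        # ServerDHParams: dh_p, dh_g, dh_Ys, each a 16-bit length-prefixed vector.
        # The signature that follows them is not needed here and is ignored.
        p, off = _read_vec16(ske_body, 0)
        g, off = _read_vec16(ske_body, off)
        _ys, off = _read_vec16(ske_body, off)
        return {"kex": "DHE", "p_bits": int.from_bytes(p, "big").bit_length(),
                "g": int.from_bytes(g, "big")}
    raise ValueError("suite does not use an ephemeral (EC)DH ServerKeyExchange")

def _constructed_dhe_body(p_len):
    """Constructed sample: all-0xff 'p' (not a real prime), g = 2, dummy Ys."""
    parts = (b"\xff" * p_len, b"\x02", b"\x01" * p_len)
    return b"".join(struct.pack("!H", len(v)) + v for v in parts)

SAMPLE_DHE_1024 = _constructed_dhe_body(128)
SAMPLE_DHE_2048 = _constructed_dhe_body(256)
# Constructed ECDHE sample: named_curve, secp256r1, 65-byte dummy point.
SAMPLE_ECDHE = bytes([3, 0, 23, 65, 4]) + b"\x00" * 64

if __name__ == "__main__":
    dhe = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"
    print(describe_key_exchange(dhe, SAMPLE_DHE_1024))
    print(describe_key_exchange(dhe, SAMPLE_DHE_2048))
    print(describe_key_exchange("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", SAMPLE_ECDHE))
```
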

4 REPLIES

Hello Jaikumar! Thanks for the reply.

I will investigate it further. But will let you know.

Do you recommend any article/training that explains this? I wish to understand this type of thing better.

Thanks!

Thanks Jaikumar!