How to set diffie-hellman to 2048 bits

Hi everyone,

Does anyone know how to set Diffie-Hellman to 2048 bits in the client SSL profile?

Thank you.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

BIG-IP does not support DH 2K. It is CPU intensive and has drawbacks. Use ECDHE instead. It is less CPU intensive and provides the same level of security.

Comments on this Answer
Comment made 4 months ago by Mohammed M Irfan 116

Hi Surgeon,

If BIG-IP does not support DH 2048, then can we remove the DH ciphers of less than 1024 bits?

For security reasons, we need to block it or provide stronger Diffie-Hellman.

[root@BIG-IP_A_v13:Active:Standalone] config # tmm --clientciphers DEFAULT | grep DHE
0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
1: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES       SHA     ECDHE_RSA
2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES       SHA     ECDHE_RSA
3: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA
4: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
5: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
6: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES       SHA     ECDHE_RSA
7: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA
8: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA
9: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
28: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
29: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1    Native  AES       SHA     ECDHE_ECDSA
30: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
31: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
32: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES       SHA256  ECDHE_ECDSA
33: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
34: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1    Native  AES       SHA     ECDHE_ECDSA
35: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
36: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
37: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
38:   158  DHE-RSA-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM   SHA256  EDH/RSA
39:    51  DHE-RSA-AES128-SHA               128  TLS1    Native  AES       SHA     EDH/RSA
40:    51  DHE-RSA-AES128-SHA               128  TLS1.1  Native  AES       SHA     EDH/RSA
41:    51  DHE-RSA-AES128-SHA               128  TLS1.2  Native  AES       SHA     EDH/RSA
42:    51  DHE-RSA-AES128-SHA               128  DTLS1   Native  AES       SHA     EDH/RSA
43:   103  DHE-RSA-AES128-SHA256            128  TLS1.2  Native  AES       SHA256  EDH/RSA
44:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  EDH/RSA
45:    57  DHE-RSA-AES256-SHA               256  TLS1    Native  AES       SHA     EDH/RSA
46:    57  DHE-RSA-AES256-SHA               256  TLS1.1  Native  AES       SHA     EDH/RSA
47:    57  DHE-RSA-AES256-SHA               256  TLS1.2  Native  AES       SHA     EDH/RSA
48:    57  DHE-RSA-AES256-SHA               256  DTLS1   Native  AES       SHA     EDH/RSA
49:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  EDH/RSA
50:    69  DHE-RSA-CAMELLIA128-SHA          128  TLS1    Native  CAMELLIA  SHA     EDH/RSA
51:    69  DHE-RSA-CAMELLIA128-SHA          128  TLS1.1  Native  CAMELLIA  SHA     EDH/RSA
52:    69  DHE-RSA-CAMELLIA128-SHA          128  TLS1.2  Native  CAMELLIA  SHA     EDH/RSA
53:   136  DHE-RSA-CAMELLIA256-SHA          256  TLS1    Native  CAMELLIA  SHA     EDH/RSA
54:   136  DHE-RSA-CAMELLIA256-SHA          256  TLS1.1  Native  CAMELLIA  SHA     EDH/RSA
55:   136  DHE-RSA-CAMELLIA256-SHA          256  TLS1.2  Native  CAMELLIA  SHA     EDH/RSA

Can you help block/disable this on the F5 so that no client can use DH of less than 1024 bits?

Thanks

Mohammed
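As an added example (not from the thread, F5, or the commenters), a small Python audit script that parses `tmm --clientciphers` output of the form shown above and reports which suites in the cipher list negotiate finite-field DHE (the `EDH/RSA` key-exchange column), which are the ones to exclude from the client SSL profile's cipher string to satisfy the request. The sample rows are constructed from the output above; excluding them with the `!DHE` keyword in F5 cipher-string syntax is my assumption, not something the thread states.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: five lines in the format printed by
# `tmm --clientciphers DEFAULT` in the thread above (abridged).
SAMPLE_OUTPUT = """\
0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
28: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
38:   158  DHE-RSA-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM   SHA256  EDH/RSA
42:    51  DHE-RSA-AES128-SHA               128  DTLS1   Native  AES       SHA     EDH/RSA
50:    69  DHE-RSA-CAMELLIA128-SHA          128  TLS1    Native  CAMELLIA  SHA     EDH/RSA
"""

# Columns: index, suite id, name, key bits, protocol, stack, cipher, MAC, key exchange.
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<bits>\d+)\s+(?P<ver>\S+)"
    r"\s+\S+\s+\S+\s+\S+\s+(?P<kx>\S+)\s*$"
)

@dataclass(frozen=True)
class Suite:
    suite_id: int
    name: str
    bits: int
    version: str
    key_exchange: str

def parse_clientciphers(text):
    """Parse tmm --clientciphers output; lines that do not match the table are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            suites.append(Suite(int(m["id"]), m["name"], int(m["bits"]),
                                m["ver"], m["kx"]))
    return suites

def finite_field_dhe(suites):
    """Suites using ephemeral finite-field DH: tmm labels their key exchange EDH/RSA."""
    return [s for s in suites if s.key_exchange.startswith("EDH")]

def audit(text):
    """Per-key-exchange counts plus the distinct DHE suite names that `!DHE` would drop (assumed keyword)."""
    suites = parse_clientciphers(text)
    by_kx = Counter(s.key_exchange for s in suites)
    dhe_names = sorted({s.name for s in finite_field_dhe(suites)})
    return {"total": len(suites), "by_key_exchange": dict(by_kx), "dhe_suites": dhe_names}
```

On a BIG-IP you would feed it the real output of `tmm --clientciphers <cipher-string>` for the profile's string, then re-run it with the candidate string to confirm no `EDH/RSA` rows remain.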
