refra_151287
Cirrus
CirrusSSL: Restrict Key Exchange Length
Hi, any idea how to restrict Key exchange protocols that are based on DHE or RSA protocols with keys not less than 2048-bits in length?
Forum Discussion
4 Replies
ekaleidoThe Cipher string in your SSL profile. You'll have to change the dropdown to "Advanced" to see it, and it is set to "DEFAULT" unless you modify it. You can get the cipher suites available in DEFAULT with the following command:
tmm --clientciphers 'DEFAULT'Fro there you can include or exclude whatever you want.
IheartF5_45022Nacreous
Unfortunately you can't - F5 only supports 1024 bits for DHE. In real-life terms this should be enough (unless the Russians are after you), however if scans are complaining then you'll need to disable DHE ciphers and use only ECDHE instead.
refra_151287Thanks a lot, how can I know the key length for the other algorithms?
- IheartF5_45022
DHE (Diffie-Hellman Ephemeral) key exchange uses prime numbers. The number of bits (which is what we are talking about above) used refers to the length of the prime numbers used within the exchange, not to the key itself. A 1024b prime is considered breakable by a nation-state, so you will get pinged by most vulnetability scanners if you are using this - 2048b for DHE however is not considered breakable.
ECDHE (Elliptic Curve DHE) is a variant of DHE using elliptic curve cryptography. It uses only 128b however is not considered breakable. So in other words - you shouldn't worry (and scans won't either) about the 'key' length if you only have ECDHE ciphers enabled.