Error with DHkey size during SSL handshake

Question

My bigip version is 12.x. When my client tries to connect to the SSL VIP there is an error which is - 
"javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints"
The client is looking to connect with DH key size of 2048 bits. Is it possible to enforce a DHkey size using the SSL profile setting?&nbsp;

dennisjann · Answer

Per K16674, it appears the BIG-IP is hard-coded to use 1024-bit DHE keys. If you need something stronger, the recommendation is to configure your SSL profile to prefer ECDHE cipher suites, assuming your client's Java version supports that.&nbsp;
My organization decided to remove DHE cipher support from our clientssl profiles after the LogJam vulnerability was disclosed. We had already configured our clientssl profiles to prefer ECDHE cipher suites, and analysis of the clientssl profile statistics showed low usage of DHE cipher suites.&nbsp;

Forum Discussion

Error with DHkey size during SSL handshake

1 Reply

Recent Discussions

Need advise to setup a policy on F5

F5 Rseries R2600 Tenant sizing

Can iRule mask the payload content on event logs of security

Pricing when used with aws waf

iRule help masking IBM host URL/URI

Related Content

Ansible Error: An exception occurred during task execution

Prevent BIG-IP Edge Client VPN Driver to roll back (or forward) during PPP/RAS errors

SSL Profiles Part 1: Handshakes

TCP Internals: 3-way Handshake and Sequence Numbers Explained

Restricting number of concurrent TLS handshakes using Max Active Handshakes on BIG-IP