Tag Archives: OpenSSL

F5 Single DH use

F5 SSL Profile: “Single DH use” not working?

In the paper of the Logjam attack, a sentence about the F5 load balancers confused me a bit: “The F5 BIG-IP load balancers and hardware TLS frontends will reuse g^{b} unless the “Single DH” option is checked.” This sounds like “it does NOT use a fresh/ephemeral diffie-hellman key for new connections”. I always believed, that when a cipher suite with EDH/DHE is chosen, the diffie-hellman key exchange always generates a new b for computing g^{b}. Hm.

Therefore, I tested this “Single DH use” option on my lab F5 unit, in order to find out whether the same public key (as noted in Wireshark) is used for more than one session.

Continue reading F5 SSL Profile: “Single DH use” not working?

Apache SSL Cipher Suites

Apache SSL Cipher Suites: Perfect Forward Secrecy

I was interested to tune my https sites with Apache to support only cipher suites that use the ephemeral Diffie-Hellman key exchange = perfect forward secrecy. But after searching a while through the Internet, only SSLCipherSuite with a few concrete algorithms were presented, while I wanted to use a more generic option such as known from “!MD5”. Here it is:

Continue reading Apache SSL Cipher Suites: Perfect Forward Secrecy