Weak Diffie-Hellman - Custom DH Parameters
rwilliams
Member ✭
Hi All,
I have just implemented some 3030S and migrated some services across in our production environment. The 3030S terminate SSL for the backend services. Out of curiosity I ran some SSL Labs tests against the services and they all flagged errors with weak Diffie-Hellman key exchange parameters and therefore capped the score at a B.
Whereas this is a big improvement on our old Cisco CSS Load Balancers, which scored an F due to the fact they did not support anything above SSL v3.0 due to their age, I would like to see the score as an A.
I believe the weak DH results are due to it using common DH primes, as SSL Labs reports later on in the results; it then suggests using custom DH parameters.
My question is: how, if possible, can I use custom DH parameters in my SSL templates for the services?
Kind Regards
Ryan
Comments
If you want more information about getting an A or even A+ rating, support has a document that describes how.
Greetings,
Diederik
Thanks for your reply. Do you have the location of the document in the support area for getting an A or A+ rating? I have had a look around and I can't seem to locate it.
Thanks
Ryan
No, I'm afraid this information is not documented in a way we can publish it; you really have to open a case with support so they can help you out.
Greetings,
Diederik
Ok thank you for your help and the information. I will look at raising a support call to get hold of the document.
Regards
Ryan