Weak Diffie-Hellman - Custom DH Parameters

Hi All,

I have just implemented some 3030S and migrated some services across in our production environment. The 3030S terminate SSL for the backend services. Out of curiosity I ran some SSL Labs tests against the services and they all flagged errors with weak Diffie-Hellman key exchange parameters and therefore capped the score at a B.

Whereas this is a big improvement on our old Cisco CSS Load Balancers, which scored an F due to the fact they did not support anything above SSL v3.0 due to their age, I would like to see the score as an A.

I believe the weak DH results are due to it using common DH primes, as SSL Labs reports later on in the results; it then suggests using custom DH parameters.

My question is: how, if possible, can I use custom DH parameters in my SSL templates for the services?

Kind Regards

Ryan

Comments

  • diederik Member
    edited January 2016
    You can configure DH parameters in the Client template through the CLI.

    If you want more information about getting an A or even A+ rating, support has a document that describes how.

    Greetings,

    Diederik
  • rwilliams Member
    edited January 2016
    Hi Diederik,

    Thanks for your reply. Do you have the location of the document in the support area for getting an A or A+ rating? I have had a look around and I can't seem to locate it.

    Thanks

    Ryan
  • diederik Member
    edited January 2016
    Hello Ryan,

    No, I'm afraid this information is not documented in a way that we can publish; you really have to open a case with support so they can help you out.

    Greetings,

    Diederik
  • rwilliams Member
    edited January 2016
    Hi Diederik,

    OK, thank you for your help and the information. I will look at raising a support call to get hold of the document.

    Regards

    Ryan