Forum Discussion
2 Replies
- natheCirrocumulus
From Wikipedia
In Transport Layer Security (TLS), Diffie–Hellman key exchange-based PFSs (DHE-RSA, DHE-DSA) and elliptic curve Diffie–Hellman-based PFSs (ECDHE-RSA, ECDHE-ECDSA) are available.
To achieve this on the BIG-IP, you'll need to amend the Client SSL profile assigned to your virtual servers and prioritise Diffie-Hellman or Elliptic Curve Diffie-Hellman (or exclude all others, of course). There is a lengthy DevCentral post here which will help you: Enabling PFS
Hope this helps,
N
Hi aalkhuja,
as Nathan has pointed out, you have to either a) remove every non-PFS-enabled algorithm or b) prioritise the PFS-enabled algorithms in your Client SSL profile cipher suite.
You may check out a posting of mine on building a solid cipher suite string that achieves good compatibility (legacy algorithms for Windows XP / IE8 are still supported) while preferring PFS-enabled algorithms for the PFS-enabled browsers:
HowTo: Getting an awesome Qualys SSL-Labs rating (Feb 2017 Update)
Cheers, Kai
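Both replies above describe the same check: make sure every (EC)DHE suite is ranked ahead of the legacy RSA-key-exchange suites in the Client SSL profile's cipher string, then confirm what the virtual server actually negotiates. The following added example (not code from the thread or from F5) audits such a string and reorders it with PFS suites first; it assumes the string lists concrete OpenSSL-style suite names separated by ":" (as BIG-IP cipher strings do), and the sample string is constructed for illustration.

```python
import socket
import ssl

# TLS 1.2 suite-name prefixes whose key exchange is ephemeral (EC)DH, i.e. forward secret.
# Static "ECDH-"/"DH-" and plain RSA key exchange ("AES256-SHA", "RC4-SHA", ...) are not.
_PFS_PREFIXES = ("ECDHE-", "DHE-")
# TLS 1.3 suites always use an ephemeral (EC)DH key exchange.
_TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                 "TLS_CHACHA20_POLY1305_SHA256"}


def is_pfs(suite):
    """True if the named suite provides (perfect) forward secrecy."""
    return suite in _TLS13_SUITES or suite.startswith(_PFS_PREFIXES)


def audit_cipher_string(cipher_string):
    """Split an ordered cipher string, flag legacy suites ranked above the first
    PFS suite, and return a reordered string with every PFS suite first.
    Exclusions such as "!SSLv3" are kept at the end unchanged."""
    tokens = [t for t in cipher_string.split(":") if t]
    suites = [t for t in tokens if not t.startswith("!")]
    excludes = [t for t in tokens if t.startswith("!")]
    pfs = [s for s in suites if is_pfs(s)]
    legacy = [s for s in suites if not is_pfs(s)]
    # Everything before the first PFS suite that is itself non-PFS is misranked:
    # a client offering both would be steered to the legacy suite by the server's order.
    first_pfs = next((i for i, s in enumerate(suites) if is_pfs(s)), len(suites))
    misranked = [s for s in suites[:first_pfs] if not is_pfs(s)]
    return {
        "pfs": pfs,
        "legacy": legacy,
        "misranked": misranked,
        "prioritised": ":".join(pfs + legacy + excludes),
    }


def negotiated_pfs(host, port=443):
    """Connect to a virtual server and report the suite it chose and whether it is PFS.
    Uses the local OpenSSL defaults as the client offer; requires network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name = tls.cipher()[0]
            return name, is_pfs(name)


if __name__ == "__main__":
    # Constructed sample: a legacy RSA suite ranked ahead of the PFS suites.
    sample = "AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:RC4-SHA:!SSLv3"
    print(audit_cipher_string(sample))
```

Pointing `negotiated_pfs()` at a virtual server after changing the profile gives the same answer a browser would see, since the server's preference order decides the suite when both sides support several.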