Enable Forward Secrecy

Question

Hi all&nbsp;
How to enable forward secrecy on a specific virtual server?&nbsp;
Thank you&nbsp;
Ammar&nbsp;

nathe · Answer

From Wikipedia In Transport Layer Security (TLS), Diffie–Hellman key exchange-based PFSs (DHE-RSA, DHE-DSA) and elliptic curve Diffie–Hellman-based PFSs (ECDHE-RSA, ECDHE-ECDSA) are available.
To achieve this on the BIG-IP then you'll need to amend the Client SSL profile assigned to your virtual servers and prioritise Diffie-Hellman or Elliptic curve Diffie Hellman (or exclude all others of course). There is a lengthy DevCentral post here which will help you: Enabling PFS
Hope this helps,
N

kai_wilke · Answer

Hi aalkhuja,&nbsp;
as Nathan has pointed out you have to a.) either remove every non PFS enabled algorythms or b.) you have to prioritise the PFS enabled algorythms in your Client-SSL-Profile chipher suite.&nbsp;
You may check out a posting of mine to build a solid chipher suite string to achive a good compatibility (legacy algorythms for Windows XP / IE8 are still supported) while prefering PFS enabled algorythms for the PFS enabled browsers.&nbsp;
HowTo: Getting an awesome Qualys SSL-Labs rating (Feb 2017 Update)&nbsp;
https://devcentral.f5.com/questions/howto-getting-an-awesome-qualys-ssl-labs-rating-feb-2017-update-51489&nbsp;
Cheers, Kai&nbsp;

Forum Discussion

Enable Forward Secrecy

2 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Lightboard Lessons: Perfect Forward Secrecy

Lightboard Lesson: Perfect Forward Secrecy Inspection Visibility

Heartbleed and Perfect Forward Secrecy

Enable telnet on SSH

Bleichenbacher vs. Forward Secrecy: How much of your TLS is still RSA?