Home Tech Networks Fixing SSL Labs Grade on F5 Big-IP – ECDH public server param reuse

Fixing SSL Labs Grade on F5 Big-IP – ECDH public server param reuse

By on ( 6 )

f5-networks-logo

As you might have noticed from the title, this is a bit of a weird one. In our last installment we managed to get our grade up to A from B finally, and while we’re not mounting our final assault for getting that A+ grade, I’d thought we’d mop up some of the more esoteric errors of the SSL Labs test. This isn’t a “score killer” so to say, and it doesn’t even seem to affect the final score. It’s also not very aptly named, since “ECDH public server param reuse” isn’t quite descriptive. I’ve tried researching what it exactly references to, but I’m drawing somewhat of a blank. As far as I’ve understood it, it pertains to the server reusing part of session keys when establishing new sessions, with the intent of saving some processing time by not having to regenerate these. However, I’ve not been able to find exactly why this is bad (even though generally speaking the term “reuse” shouldn’t be within a 10 foot radius of anything having to do with cryptography, just ask the WWII German Navy).

param reuse

Nothing worse than a glaring warning

Anyhow, the folks over at SSL Labs are a lot smarter than I am, and it’s an easy fix on an F5 Big-IP, so we’ll fix it so we don’t have that error glaring at us on the test report. Also, it saves me from figuring out how to implement HSTS without breaking stuff for another week, so that’s a personal win for me as well.

Again, we’re going to modify our SSL Client Profile, so head over to Local Traffic -> Profiles -> SSL -> Client and select the Profile you’d like to edit.

F5_SSL_Profiles

Enable the Advanced settings, and select the Options List as Custom for the profile

Single DH1

Find Single DH use under Available Options, select it and click Enable. It should jump up to the Enabled Options list.

Single DH2

That’s it, save your profile and that pesky error should be gone!

Single DH3

Huzzah, no error!

Also check out the other instalments of this series:

Fixing SSL Labs Grade on F5 Big-IP – Certificate Chains
Fixing SSL Labs Grade on F5 Big-IP – Weak Cipher Suites
Fixing SSL Labs Grade on F5 Big-IP – Disabling TLSv1 and TLSv1.1

Categories: Networks, Tech

Tags: , , , , , , ,

6 replies

Trackbacks

  1. Fixing SSL Labs Grade on F5 Big-IP – Disabling TLSv1 and TLSv1.1 – Grumpy Techie
  2. Fixing SSL Labs Grade on F5 Big-IP – Weak Cipher Suites – Grumpy Techie
  3. Fixing SSL Labs Grade on F5 Big-IP – Certificate Chains – Grumpy Techie
  4. Fixing SSL Labs Grade on F5 Big-IP – Enabling TLSv1.3 – Grumpy Techie
  5. Fixing SSL Labs Grade on F5 Big-IP – Custom Cipher Groups – Grumpy Techie
  6. Fixing SSL Labs Grade on F5 Big-IP – Enabling HSTS – Grumpy Techie

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: