Bug ID 527238: Improvements to the Single DH use option in SSL profile

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4

Fixed In:
12.0.0

Opened: Jun 10, 2015
Severity: 3-Major

Symptoms

"Single DH use" option in Client SSL or Server SSL profile was ignored in some cases.

Impact

"Single DH use" was always effectively "on" for DHE-based ciphersuites in any Server SSL profile. Single DH use had no effect for ECDHE ciphersuites in any SSL profile or DHE ciphersuites in any ClientSSL profile. The main benefit of the Single DH use is to provide true/ultimate perfect forward secrecy. The aim of such high security posture is to be able to claim that no encryption key resides in memory on BIG-IP beyond a single TLS session. This security posture requires disabling of TLS session reuse, TLS session ticket, and the matching behaviour of any TLS client. The benefit of this fix is to primarily address these high security needs. DHE ciphersuites on BIG-IP use periodically re-generated custom DHE groups in any SSL profile. The use of custom DHE groups implies that the massive pre-computation needed to efficiently solve DH discrete logarithm problem (DH DLP) is only helpful for the lifetime of a given DHE group. Provided that the DH DLP is easy, "Single DH use" doesn't materially slow down the DLP attacks. ECDHE groups provide sufficient security today making ECDHE DLP infeasible. Please refer to 2015 LogJam attack for the background.

Conditions

"Single DH use" is set in Client SSL or Server SSL profile.

Workaround

No workaround.

Fix Information

"Single DH use" option in Client SSL or Server SSL profiles now works for all configurations except high availability configuration.

Behavior Change