
How to Deny the Diffie-Hellman Key Exchange

Occasional Contributor

How to Deny the Diffie-Hellman Key Exchange

I would like to deny this because they are considered weak ciphers because of the DHE component.

Any step-by-step guide on this?

Thanks again in advance.

6 REPLIES 6
Community Manager

Re: How to Deny the Diffie-Hellman Key Exchange

Are we looking to remove DHE completely or just 1024-bit and lower?
Occasional Contributor

Re: How to Deny the Diffie-Hellman Key Exchange

Hi, we would like to remove DHE altogether (WOULD THIS BE AN ISSUE?) and use the following:

TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

thanks
Community Manager

Re: How to Deny the Diffie-Hellman Key Exchange

Hello NTL75,

Currently, there are no known vulnerabilities with ECDHE cipher suites. We plan to add a feature to allow customers to select cipher suites they would like to support in 8.2RX. This is planned for the later part of Q4 2015.
Occasional Contributor

Re: How to Deny the Diffie-Hellman Key Exchange

Hi, many thanks for your reply.
So at present there is no way for me to achieve what I had planned?

thanks
Not applicable

Re: How to Deny the Diffie-Hellman Key Exchange

Hi ntl75,

A new feature to disable 1024 bit DH key exchange will be added in new releases of code. Please see the "Logjam" section on the following security advisory for more information: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40002

Thanks,
Pulse Secure PSIRT
Community Manager

Re: How to Deny the Diffie-Hellman Key Exchange

Correct. There is no current way to specifically disable all ECDHE and DHE cipher suites. However, due to the recent concerns with 1024-bit DHE cipher suites and below, we will be making a change to disable 1024-bit DHE cipher in the next releases.
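
An added example, not part of the thread and not Pulse Secure code: a check that classifies the suite names posted above by their key-exchange token, showing that the proposed list contains no finite-field DHE suites and that a plain substring match on "DHE" would also strip every ECDHE suite. The two `TLS_DHE_RSA_*` names are constructed sample input, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Suite names copied from the list posted in the thread above.
PROPOSED = """
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
""".split()

# Constructed sample input: two finite-field DHE suites (IANA names).
SAMPLE_DHE = ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
              "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"]

# TLS 1.2-style name: TLS_<key exchange>[_<auth>]_WITH_<cipher>_<mac/prf>
SUITE_RE = re.compile(r"^TLS_([A-Z0-9_]+?)_WITH_([A-Z0-9_]+)$")

def key_exchange(suite):
    """Return the key-exchange token (RSA, DHE, ECDHE, ...) of a suite name."""
    m = SUITE_RE.match(suite)
    if m is None:
        raise ValueError(f"not a TLS_*_WITH_* suite name: {suite!r}")
    return m.group(1).split("_")[0]

def classify(suites):
    """Group suite names by key-exchange token."""
    groups = defaultdict(list)
    for s in suites:
        groups[key_exchange(s)].append(s)
    return dict(groups)

def deny_dhe(suites):
    """Drop only finite-field DHE; keep ECDHE and everything else."""
    return [s for s in suites if key_exchange(s) != "DHE"]

def naive_deny_dhe(suites):
    """Substring match: also drops every ECDHE suite ('ECDHE' contains 'DHE')."""
    return [s for s in suites if "DHE" not in s]

if __name__ == "__main__":
    for kx, names in classify(PROPOSED + SAMPLE_DHE).items():
        print(f"{kx:6} {len(names)} suites")
    print("kept by token match:    ", len(deny_dhe(PROPOSED + SAMPLE_DHE)))
    print("kept by substring match:", len(naive_deny_dhe(PROPOSED + SAMPLE_DHE)))
```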