4k SSL Diffie-Hellman Key Exchange Size

This article relates to LoadMaster firmware version 7.2.53.

By default, the LoadMaster uses a 2048-bit key size for DHE key exchanges. Some government agencies are now requiring 4096-bit keys and this capability has been added to LoadMaster.

As of LoadMaster firmware version 7.2.53, it is possible to select 4096 as a value in the Size of SSL Diffie-Hellman Key Exchange drop-down list. This field is available in the LoadMaster User Interface (UI) under System Configuration > Miscellaneous Options > Network Options.

After upgrading from a version prior to 7.2.53, it can take up to 30 minutes (on smaller models) to generate the 4k key. If you cannot see the 4096 option in the drop-down list 30 minutes after upgrading, try logging in to the LoadMaster again.

As with any update, an upgrade to this release should be done during a maintenance interval. This is particularly true of version 7.2.53 because the strength of the DHE key exchange keys for SSL/TLS has been increased to 4096 bits.

During the upgrade from a version prior to 7.2.53, a new 4096-bit DHE key is generated. On smaller LoadMasters, this can lead to significant CPU and memory consumption that could impact regular Virtual Service traffic. So, Kemp strongly recommends that this update be performed in a maintenance interval.

When the 4k key is used, performance will be at most 25% of the performance with a 2k key.

RESTful Application Programming Interface (API) Details

To retrieve the current value of the dhkeysize parameter, run the following command:

/access/get?param=dhkeysize

To set the dhkeysize parameter to 4k, run the following command:

/access/set?param=dhkeysize&value=4096

For further details on the RESTful API in general, refer to the Long Term Support (LTS) RESTful API Interface Description document.
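After changing dhkeysize, it is worth confirming what a Virtual Service actually negotiates. The following is an added example, not taken from the Kemp documentation: it parses the "Server Temp Key" line that openssl s_client prints, and the function names, the host:port argument and the sample excerpts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the DHE key size a TLS 1.2 endpoint negotiates.

# Extract the bit length from openssl s_client's "Server Temp Key" line.
# Prints the number for finite-field DH; prints nothing for ECDH or no line.
dh_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*$/\1/p' | head -n 1
}

# Compare s_client output (stdin) against the expected size.
# Returns 0 on match, 1 on a different DH size, 2 when no DHE exchange was seen.
check_dh() {
    expected=$1
    actual=$(dh_bits)
    if [ -z "$actual" ]; then
        echo "no DHE key exchange negotiated" >&2
        return 2
    fi
    if [ "$actual" -ne "$expected" ]; then
        echo "DH size is $actual bits, expected $expected" >&2
        return 1
    fi
    echo "DH size is $actual bits"
}

# Live probe (hypothetical helper). TLS 1.2 and a DHE-only cipher list are
# forced: ECDHE suites do not use this parameter and TLS 1.3 negotiates
# named groups instead.
probe_dh() {
    openssl s_client -connect "$1" -tls1_2 -cipher 'DHE' </dev/null 2>/dev/null |
        check_dh "$2"
}

# Constructed s_client excerpts for offline use (not captured from a device).
SAMPLE_4K='Peer signature type: RSA
Server Temp Key: DH, 4096 bits
---'
SAMPLE_ECDH='Server Temp Key: X25519, 253 bits
---'

# Run a live check only when a host:port and an expected size are given.
if [ $# -eq 2 ]; then
    probe_dh "$1" "$2"
fi
```

A return code of 2 usually means the client and the Virtual Service agreed on an ECDHE or RSA cipher, so the DH key size setting was never exercised by that connection.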
