ECDHE on incoming connections or DH with 2048 bits (group 14)

Hi all,

Maybe I'm wrong, but I have a question regarding the SSL configuration that can be made on an ESA.

1. As far as I understand the information from this Technote (PFS on ESA), it is not possible to have ECDHE cipher suites working on the incoming listeners, only on outgoing ones. This means, on the other hand, that TLS encryption between two ESAs will not be capable of using ECDHE for key exchange.

Note: The ESA acting as TLS server (inbound traffic) currently does not support Elliptic Curve Diffie Hellman for Key Exchange (ECDHE) and Elliptic Curve Digital Signature Algorithm (ECDSA) Certificates.

2. This would be OK if I had the possibility to use a higher DH group than 2 for DHE cipher suites. In other words, the currently enabled Server Temporary Key Size is 1024 bits, which is considered breakable.

Questions:

1. Is there any plan to enable ECDHE for inbound connections in future?

2. Where can I change the DH group?

Regards,

Marijo
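The concern in this post is the size and quality of the ephemeral DH parameters a TLS server sends. The following is an added example, not part of this thread or of any Cisco tool: it parses the DHE ServerKeyExchange parameter block (RFC 5246 section 7.4.3: dh_p, dh_g, dh_Ys, each length-prefixed) as it would be taken from a packet capture, and flags a modulus below 2048 bits or one that is not a safe prime. The sample values are constructed for the demonstration and are not real DH groups.

```python
import secrets


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test; adequate for an audit check."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def encode_dhe_ske(p: int, g: int, ys: int) -> bytes:
    """Build the ServerDHParams block (constructed test input only)."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def parse_dhe_ske(body: bytes) -> dict:
    """Parse dh_p, dh_g, dh_Ys (each a 2-byte length followed by the value)."""
    fields, off = [], 0
    for _ in range(3):
        ln = int.from_bytes(body[off:off + 2], "big")
        off += 2
        fields.append(int.from_bytes(body[off:off + ln], "big"))
        off += ln
    return dict(zip(("p", "g", "ys"), fields))


def assess(params: dict, min_bits: int = 2048) -> dict:
    """Report modulus size, safe-prime property and public-value range."""
    p, ys = params["p"], params["ys"]
    bits, findings = p.bit_length(), []
    if bits < min_bits:
        findings.append(f"modulus is {bits} bits; below {min_bits}")
    if not (is_probable_prime(p) and is_probable_prime((p - 1) // 2)):
        findings.append("modulus is not a safe prime")
    if not 1 < ys < p - 1:
        findings.append("server public value out of range")
    return {"bits": bits, "findings": findings, "ok": not findings}
```

A 1024-bit "Server Temporary Key Size" as described in the post produces the size finding; a 2048-bit modulus that is a safe prime (group 14 in RFC 3526) passes both checks.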

Accepted Solution

Libin Varghese (Cisco Employee)

Hi Marijo,

Both queries are currently being reviewed by the development team as part of the feature requests below.

1.
ENH add support for ECDHE for Inbound SMTP
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz60071/?reffering_site=dumpcr

2.
Allow regenerate DH-2048, 4096 bit Diffie Hellman Safe Prime / dhparam
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux76085/?reffering_site=dumpcr

Both currently do not have an ETA; however, you can add yourself to be notified once there is a fix or a further workaround available.

Thanks
Libin Varghese


Hi Libin,

Thanks for your answer. I've subscribed to the bugs you mentioned.

Regards,

Marijo