Diffie-Hellman parameters generation and achieving PFS with DHE
The Diffie-Hellman (DH) key exchange is a way for two parties involved in an SSL transaction to agree upon a shared secret over an insecure channel. These parties have no prior knowledge about each other. This secret can be converted into cryptographic keying material for symmetric key cipher algorithms that require such a key exchange.
This feature is disabled by default. Configure the feature to support ciphers that use DH as the key exchange algorithm.
Note:
Generating 2048-bit DH parameters might take a long time (up to 30 minutes).
Generate DH parameters by using the CLI
At the command prompt, type the following command:
create ssl dhparam <dhFile> [<bits>] [-gen (2 | 5)]
Example:
create ssl dhparam Key-DH-1 512 -gen 2
Generate DH parameters by using the GUI
Navigate to Traffic Management > SSL and, in the Tools group, select Create Diffie-Hellman (DH) key, and Configure SSL DH Param.
Note:
For information about DH parameters, see Diffie-Hellman parameters.
Achieve perfect forward secrecy with DHE
Generating DH parameters is a CPU-intensive operation. In earlier releases, parameter generation on a VPX appliance took a long time because it was done in software. Parameter generation is optimized by setting the dhKeyExpSizeLimit parameter. You can set this parameter for an SSL virtual server, or for an SSL profile that you then bind to a virtual server.
You can maintain perfect forward secrecy (PFS) on Citrix ADC MPX appliances by setting the DH count to zero. As a result, DH parameters are generated for each transaction (the minimum DH count is 0) on Citrix ADC MPX appliances. These parameters are generated without a significant drop in performance, because the operation is optimized. Earlier, the minimum DH count allowed was 500. That is, the key could not be regenerated for up to 500 transactions.
Limitation:
On a Citrix ADC VPX appliance, if you set the DH count to zero, the DH parameters are not regenerated. Therefore, you must set the DH count to 500 to maintain PFS. The DH parameters are regenerated after 500 transactions.
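The two steps described above, searching for a safe-prime DH group (what `create ssl dhparam ... -gen 2` does, and why 2048-bit generation can take minutes) and deriving a fresh per-transaction secret (what a DH count of 0 buys you), as an added Python example that is not Citrix code; the function names are the example's own, and the bit size is kept small so the search finishes in seconds, whereas a real deployment uses 2048 bits or more.

```python
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n, rounds=24):
    """Miller-Rabin test; a composite passes with probability at most 4**-rounds."""
    if n < 2:
        return False
    for s in SMALL_PRIMES:          # cheap trial division first
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_dh_params(bits, gen=2):
    """Safe-prime group p = 2q + 1 with a generator of prime order q (the classic dhparam shape).
    This random search is the slow step: at 2048 bits it is why generation can take up to 30 minutes."""
    if gen not in (2, 5):
        raise ValueError("generator must be 2 or 5, matching -gen (2 | 5)")
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, exactly bits-1 bits long
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p) and pow(gen, q, p) == 1:
            return p, gen

def dhe_handshake(p, g):
    """One ephemeral exchange: both sides draw a fresh exponent, so no long-term key exists
    whose later compromise could unwrap a recorded session (this is what PFS means here)."""
    q = (p - 1) // 2
    a, b = (secrets.randbelow(q - 1) + 1 for _ in range(2))   # client / server private exponents
    A, B = pow(g, a, p), pow(g, b, p)                          # public values sent on the wire
    for peer in (A, B):  # reject 0, 1 and p-1 before use: trivial / small-subgroup values
        if not 1 < peer < p - 1:
            raise ValueError("invalid peer public value")
    z_client, z_server = pow(B, a, p), pow(A, b, p)
    assert z_client == z_server
    return hashlib.sha256(z_client.to_bytes((p.bit_length() + 7) // 8, "big")).digest()
```

Calling `dhe_handshake` twice with the same (p, g) yields two unrelated session keys, which is the property the appliance preserves by regenerating rather than reusing DH material.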
Optimize DH parameters generation by using the CLI
At the command prompt, type commands 1 and 2, or type command 3:
1. add ssl profile <name> [-sslProfileType ( BackEnd | FrontEnd )] [-dhCount <positive_integer>] [-dh ( ENABLED | DISABLED) -dhFile <string>] [-dhKeyExpSizeLimit ( ENABLED | DISABLED)]
2. set ssl vserver <vServerName> [-sslProfile <string>]
3. set ssl vserver <vServerName> [-dh ( ENABLED | DISABLED) -dhFile <string>] [-dhCount <positive_integer>] [-dhKeyExpSizeLimit ( ENABLED | DISABLED )]
Optimize DH parameters generation by using the GUI
- Navigate to Traffic Management > Load Balancing > Virtual Servers, and open a virtual server.
- In the SSL Parameters section, select Enable DH Key Expire Size Limit.