Citrix ADC

Diffie-Hellman parameters generation and achieving PFS with DHE

The Diffie-Hellman (DH) key exchange is a way for two parties involved in an SSL transaction to agree upon a shared secret over an insecure channel. These parties have no prior knowledge about each other. This secret can be converted into cryptographic keying material for symmetric key cipher algorithms that require such a key exchange.

This feature is disabled by default. Configure the feature to support ciphers that use DH as the key exchange algorithm.

Note:

Generating 2048-bit DH parameters might take a long time (up to 30 minutes).

Generate DH parameters by using the CLI

At the command prompt, type the following command:

create ssl dhparam <dhFile> [<bits>] [-gen (2 | 5)]

Example:

create ssl dhparam Key-DH-1 512 -gen 2

Generate DH parameters by using the GUI

Navigate to Traffic Management > SSL and, in the Tools group, select Create Diffie-Hellman (DH) key, and Configure SSL DH Param.

Note:

For information about DH parameters, see Diffie-Hellman parameters.

Achieve perfect forward secrecy with DHE

Generating DH parameters is a CPU-intensive operation. In earlier releases, parameter generation on a VPX appliance took a long time because it was done in software. Parameter generation is optimized by setting the dhKeyExpSizeLimit parameter. You can set this parameter for an SSL virtual server or an SSL profile and then bind the profile to a virtual server.

You can maintain perfect forward secrecy (PFS) on Citrix ADC MPX appliances by setting the DH count equal to zero. As a result, DH parameters are generated for each transaction (the minimum DHcount is 0) on Citrix ADC MPX appliances. These parameters are generated without a significant drop in performance, because the operation is optimized. Earlier, the minimum DH count allowed was 500. That is, the key was not regenerated for up to 500 transactions.

On a Citrix ADC VPX appliance, you can generate DH parameters at most once every 500 transactions (DHcount = 500). If you set DHcount equal to 0, the DH parameters are not regenerated.

Limitation:

You cannot achieve PFS in VPX today with DH ciphers.

Optimize DH parameters generation by using the CLI

At the command prompt, type commands 1 and 2, or type command 3:

1. add ssl profile <name> [-sslProfileType ( BackEnd | FrontEnd )] [-dhCount <positive_integer>] [-dh ( ENABLED | DISABLED) -dhFile <string>] [-dhKeyExpSizeLimit ( ENABLED | DISABLED)]
2. set ssl vserver <vServerName> [-sslProfile <string>]
3. set ssl vserver <vServerName> [-dh ( ENABLED | DISABLED) -dhFile <string>] [-dhCount <positive_integer>] [-dhKeyExpSizeLimit ( ENABLED | DISABLED )]

Optimize DH parameters generation by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open a virtual server.
  2. In the SSL Parameters section, select Enable DH Key Expire Size Limit.