Forum Discussion
Kevin_Stewart
Jul 29, 2016Employee
The short answer is yes and no.
F5 hasn't added support for 2048-bit DHE primes yet, so any sslscan or SSLLabs scan will downgrade your results because of what it believes is "weak DH".
However, if you understand the concepts behind "weak DH" and how such an exploit might occur, and also take into consideration that the F5 platform automatically rotates its 1024-bit primes often, the threats associates with weak DH are minimized.
If you just need to get an A+, then as of 12.1 and below you need to remove DHE from your cipher stack.