Forum Discussion

Jul 09, 2024

What is the difference between a blank DH group and the default?

Hi guys,

I need your help!

I have set up cipher rules, but I'm not sure about the difference between DH group blank and the default setting.


Does the first setting mean not using DH and Signature Algorithms?

1. Only setting the cipher suites: all
2. Setting DH and Signature Algorithms: DEFAULT

2 Replies

I have collected the details from the doc and you can verify what DH is. Once you configure the cipher, you can check the accepted ciphers in the CLI, and it will be helpful to check for strong ciphers.

How to test a cipher string (f5.com)

Below is what DH and default mean:

The Diffie-Hellman (DH) group setting determines the parameters used for DH key exchange, which is a method to securely exchange cryptographic keys over a public channel. In the context of F5 BIG-IP, configuring the DH group can impact the security and compatibility of SSL/TLS connections.

DH Group Setting Options

1. Default Setting:
  • When the DH group setting is left as the default, the F5 BIG-IP device will use its predefined DH parameters.
  • The default settings are designed to provide a balance between security and compatibility with various clients.
  • The specific parameters used in the default setting can vary depending on the version of the F5 software and the specific SSL/TLS profile configuration.
2. DH Group Blank (None):
  • When you explicitly set the DH group to be blank (or none), it means that Diffie-Hellman key exchange will not be used.
  • This setting could imply that only non-DH cipher suites will be selected.
  • This might reduce the number of cipher suites available for negotiation, potentially impacting the compatibility with clients that prefer or require DH key exchange.

Cipher Suites

• Cipher Suites: A cipher suite is a combination of algorithms that help secure a network connection. It includes key exchange algorithms (like DH), encryption algorithms, and hash functions.

Implications of DH Group Settings

1. DH Group Default:
  • Security: Using DH key exchange with appropriate parameters can provide strong security.
  • Compatibility: The default setting ensures a wide range of clients can connect, as many clients support DH key exchange.
2. DH Group Blank (None):
  • Security: Disabling DH might reduce the overall security if other key exchange mechanisms used are less secure. However, it might also avoid known vulnerabilities associated with some DH parameters.
  • Compatibility: Some clients may fail to connect if they require DH key exchange. This could lead to reduced compatibility.

Setting Cipher Suites: all

When you set the cipher suites to all, you are allowing all supported cipher suites on the F5 BIG-IP device. This setting might not be optimal for security, as it includes both strong and weak cipher suites. It's generally better to specify a list of cipher suites that meet your security requirements.

DH group is related to elliptic curve selection of the ECDH cipher.
Signature algorithm is related to cert type, e.g. RSA, ECDSA.

https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-system-ssl-administration/ssl-traffic-management.html#concept-8411

https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-system-ssl-administration/ssl-traffic-management.html#task-2005
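To make the two replies concrete (the first reply's point that a blank DH group leaves only non-DH suites, and the second reply's point that the signature algorithm ties to the certificate type), here is an added example that is not from the thread, from F5 documentation, or from BIG-IP itself. It parses OpenSSL-style cipher suite names, which is the notation BIG-IP cipher strings use, and reports which suites of a constructed "all"-style list would still be negotiable when no DH/ECDH group is offered and when the server certificate is RSA versus ECDSA. The sample cipher list, the function names and the classification rules are assumptions made for this illustration; they model the general TLS rules rather than any one BIG-IP version's exact behaviour.

```python
"""Classify TLS cipher suites by key exchange and certificate type.

Added example, not code from the forum thread or from F5. The suite list is
constructed for illustration; names follow the OpenSSL naming convention.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: the kind of mix an "all" cipher string could include.
SAMPLE_CIPHERS = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-GCM-SHA384",
    "AES256-GCM-SHA384",    # static RSA key exchange, no forward secrecy
    "ECDHE-RSA-AES128-SHA",
    "DHE-DSS-AES128-SHA",
    "ADH-AES128-SHA",       # anonymous DH: no certificate authentication
    "AECDH-AES128-SHA",     # anonymous ECDH
    "DES-CBC3-SHA",         # static RSA key exchange with 3DES
]


@dataclass(frozen=True)
class SuiteInfo:
    name: str
    kex: str              # "ECDHE", "DHE", "ECDH", "DH" or "RSA"
    auth: str             # certificate type required: "RSA", "ECDSA", "DSS", or "NONE"
    forward_secrecy: bool


def parse_suite(name: str) -> SuiteInfo:
    """Derive key-exchange and authentication type from an OpenSSL suite name."""
    parts = name.split("-")
    head = parts[0]
    if head == "ADH":                      # anonymous ephemeral DH
        return SuiteInfo(name, "DHE", "NONE", True)
    if head == "AECDH":                    # anonymous ephemeral ECDH
        return SuiteInfo(name, "ECDHE", "NONE", True)
    if head in ("ECDHE", "DHE"):           # ephemeral (EC)DH, second token is the cert type
        return SuiteInfo(name, head, parts[1], True)
    if head in ("ECDH", "DH"):             # static (EC)DH: certificate-bound key, no PFS
        return SuiteInfo(name, head, parts[1], False)
    # No key-exchange prefix: TLS_RSA_* suites, the premaster secret is
    # encrypted to the RSA certificate key, so an RSA certificate is required.
    return SuiteInfo(name, "RSA", "RSA", False)


def uses_dh_group(info: SuiteInfo) -> bool:
    """True if the suite needs a DH/ECDH group (a curve or FFDHE parameters) to negotiate."""
    return info.kex in ("ECDHE", "DHE", "ECDH", "DH")


def usable_suites(ciphers: list[str], *, dh_groups_enabled: bool, cert_type: str) -> dict[str, list[str]]:
    """Bucket each suite by whether it can be negotiated under the given settings.

    dh_groups_enabled=False models the "DH group blank" case from the thread;
    cert_type is the key type of the server certificate ("RSA" or "ECDSA").
    """
    result: dict[str, list[str]] = {
        "usable": [], "rejected_anonymous": [],
        "dropped_no_dh_group": [], "dropped_cert_mismatch": [],
    }
    for name in ciphers:
        info = parse_suite(name)
        if info.auth == "NONE":            # anonymous suites: flag, never offer
            result["rejected_anonymous"].append(name)
        elif uses_dh_group(info) and not dh_groups_enabled:
            result["dropped_no_dh_group"].append(name)
        elif info.auth != cert_type:       # signature algorithm / cert type mismatch
            result["dropped_cert_mismatch"].append(name)
        else:
            result["usable"].append(name)
    return result


def has_forward_secrecy(names: list[str]) -> bool:
    """True if at least one negotiable suite uses an ephemeral key exchange."""
    return any(parse_suite(n).forward_secrecy for n in names)


if __name__ == "__main__":
    for dh in (True, False):
        for cert in ("RSA", "ECDSA"):
            r = usable_suites(SAMPLE_CIPHERS, dh_groups_enabled=dh, cert_type=cert)
            print(f"DH groups={'DEFAULT' if dh else 'blank'} cert={cert}: "
                  f"usable={r['usable']} PFS={has_forward_secrecy(r['usable'])}")
```

Run against the constructed list, the blank-DH-group case with an RSA certificate leaves only the static-RSA suites (no forward secrecy at all), and with an ECDSA certificate it leaves nothing, because ECDSA certificates are only used by ECDHE suites. That is the practical reading of the two replies: the DH group field governs which (EC)DH key exchanges can run, and the signature algorithm field must match the certificate you actually have.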