Enable SSL Renegotiation

When SSL renegotiation is enabled on the LoadMaster, either the client or server can initiate renegotiation within an established SSL session. If disabled, any attempt by either party to renegotiate will result in termination of the connection. In FIPS mode, this setting has no effect because SSL renegotiation is not supported under FIPS compliance.

Disable Master Secret Handling

In LoadMaster firmware version 7.2.52, the Disable Master Secret Handling check box was added. By default, the LoadMaster processes the Master Secret SSL Extension. This can cause problems for some legacy clients, so it is possible to disable this processing.

Size of SSL Diffie-Hellman Key Exchange

Select the strength of the key used in the Diffie-Hellman key exchanges. If this value is changed, a reboot is required to use the new value. The default value is 2048 Bits.

As of LoadMaster firmware version 7.2.53, you can select 4096 as a value in the Size of SSL Diffie-Hellman Key Exchange drop-down list.

After upgrading from a version prior to 7.2.53, it can take up to 30 minutes (on smaller models) to generate the 4k key. If you cannot see the 4096 option in the drop-down list 30 minutes after upgrading, try restarting the login process.

CAUTION: During the upgrade from a version prior to 7.2.53, a new 4096-bit DHE key is generated. On smaller LoadMasters, this can lead to significant CPU and memory consumption that could impact regular Virtual Service traffic. So, Progress Kemp strongly recommends that this update be performed in a maintenance interval.

The use of a 4K key will result in a significant degradation of performance compared to using the 2K key.

Log SSL errors

Set the level of SSL error reporting in the logs. By default, the LoadMaster will not log common SSL alerts. You can increase the verbosity of SSL error logging by setting this value to one of the following:

  • Fatal errors only – only fatal errors are logged.
  • Include Client errors – this setting logs all client errors reported to the LoadMaster.
  • All errors – this setting logs all SSL errors observed in the LoadMaster, including all common alerts and warnings that may or may not indicate an actual issue.

OpenSSL Version

By default, the LoadMaster uses the latest version of OpenSSL. This may cause performance problems on heavily-loaded sites. You can use the OpenSSL Version field to switch back to the old library, which should alleviate some of these problems. Using the old library means that there is no support for TLS 1.3. Therefore, the TLS1.3 check box is no longer available in the SSL Properties section of the Virtual Service modify screen.

If you switch from using the old library to using the current library in the OpenSSL Version field, TLS1.3 is automatically re-enabled on all Virtual Services.

Note: This option is not applicable for the following LoadMaster/ECS Connection Manager models:

- LM-X25

- LM-X40 Rev 05

- LM-X40M

- LM XHC 25G/40G/100G

- ECS Connection Manager H3 Rev 02

- ECS Connection Manager H3M

- ECS Connection Manager H3 25G/40G/100G

For these LoadMaster models, the OpenSSL Version field is available but the LoadMaster will continue to use the current OpenSSL implementation even if the OpenSSL Version field is set to Use older SSL library - no TLS 1.3.

CAUTION: Switching the OpenSSL version causes a total SSL outage during the switch. This operation should not be performed during working hours.
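To confirm from a client's point of view that the Diffie-Hellman key size and OpenSSL library choices above took effect, here is an added shell example (not part of the LoadMaster documentation or product) that parses `openssl s_client` output for the negotiated DHE key size and protocol version. The host, port and expected key size are assumed arguments, and the sample session text is constructed for offline checking.

```shell
# Added example (not LoadMaster code): host, port and expected DH size are assumed arguments.

# Print the DH temp-key size in bits; 0 when no finite-field DHE exchange occurred
# (ECDHE/X25519 lines are skipped, so 0 also means "DHE not offered or handshake failed").
dh_bits() {
    printf '%s\n' "$1" | awk -F'[ ,]+' '/^Server Temp Key: DH,/ { bits = $5 } END { print bits + 0 }'
}

# Print the negotiated protocol from the SSL-Session block (e.g. TLSv1.2 or TLSv1.3).
tls_version() {
    printf '%s\n' "$1" | awk -F': *' '/^ *Protocol *:/ { v = $2 } END { print v }'
}

# Run one handshake; $3 holds extra s_client options such as "-tls1_2 -cipher DHE".
# "Q" on stdin tells s_client to close the session once the handshake is done.
probe() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" $3 2>/dev/null
}

# Force TLS 1.2 with a DHE cipher so the Diffie-Hellman size setting is exercised
# (TLS 1.3 negotiates named groups, so it would not reveal the finite-field DH size).
check_dhe_size() {
    got=$(dh_bits "$(probe "$1" "$2" "-tls1_2 -cipher DHE")")
    if [ "$got" -eq 0 ]; then
        echo "FAIL: $1:$2 negotiated no DHE key (DHE disabled or handshake failed)"; return 1
    elif [ "$got" -ne "$3" ]; then
        echo "MISMATCH: $1:$2 negotiated a ${got}-bit DHE key, expected $3"; return 1
    fi
    echo "OK: $1:$2 negotiated a ${got}-bit DHE key"
}

# Report whether TLS 1.3 is offered (it is not when the older SSL library is selected).
check_tls13() {
    v=$(tls_version "$(probe "$1" "$2" "-tls1_3")")
    [ "$v" = "TLSv1.3" ] && echo "OK: $1:$2 offers TLS 1.3" || echo "INFO: $1:$2 does not offer TLS 1.3"
}

# Constructed sample of an s_client session, used to exercise the parsers offline.
SAMPLE_OUTPUT='Server Temp Key: DH, 4096 bits
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2'

# Usage: sh check_tls.sh <host> <port> [expected_dh_bits]; the size defaults to the 2048-bit default.
if [ "$#" -ge 2 ]; then
    check_dhe_size "$1" "$2" "${3:-2048}" && check_tls13 "$1" "$2"
fi
```

Run the DHE check against a Virtual Service before and after changing the key size; a 0-bit result after a change usually means the reboot the setting requires has not happened yet or no DHE ciphers are enabled on that service.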