uOS Security Update: Removal of DHE Key Exchange

Zyxel_Claudia (Zyxel Employee, Posts: 164)
edited May 7 in Other Topics

As part of its continued commitment to stronger cybersecurity, Zyxel's latest uOS version 1.32 introduces an important change: the removal of DHE (Diffie-Hellman Ephemeral) key exchange for services such as SSL VPN, HTTPS, SSH, and FTPS.

Why Remove DHE?

DHE key exchange requires large key sizes (e.g., 2048-bit or 4096-bit parameters) and higher computational overhead to achieve modern security levels.

Although DHE was originally designed to support perfect forward secrecy, it has several known weaknesses when implemented with small key sizes (e.g., 512 or 1024 bits).

Affected Services

uOS removes DHE by default from the available key exchange methods for the following services:

  • SSLVPN
  • SSH
  • FTPS
  • HTTPS

Configuration Notes

If customers need to support DHE for custom or legacy systems, they can use the CLI to enable it again.

  • For HTTPS connections (http-server): usgflex200hp running vrf main# http-server secure-server dhe-algo {true | false}
  • For SSH connections: usgflex200hp running vrf main# ssh-server dhe-algo {true | false}
  • For FTPS connections: usgflex200hp running vrf main# ftp-server dhe-algo {true | false}
  • For SSL VPN connections: the VPN clients officially supported/approved by Zyxel (SecuExtender) already support stronger key exchange methods, so no change is needed.

Compatibility with OpenVPN Clients

There are no compatibility issues with OpenVPN:

  • Zyxel VPN solutions use standard-compliant, secure key exchange methods.
  • Clients will automatically negotiate the appropriate supported cipher suite.