ZLD 5.40 Update: Removal of DHE for Improved Security and Performance

Zyxel_Claudia (Zyxel Employee)
edited May 26 in Other Topics

Zyxel Networks continues to strengthen security and streamline performance with the latest firmware release, ZLD 5.40. One of the changes in this version is the removal of Diffie-Hellman Ephemeral (DHE) as a default key exchange method in several key services.

Why Remove DHE?

1. Inefficiency

DHE, while historically used for secure key exchange, needs large finite-field groups (a 2048-bit modulus or more) to reach modern security levels. The modular exponentiation over such groups is computationally expensive, which degrades device performance, especially during high-throughput operations.

2. Obsolete Security

DHE is weak when it is configured with small groups (512-bit or 1024-bit moduli), a common misconfiguration that undermines the security of the session keys.

What's Changed in ZLD 5.40?

Zyxel has proactively removed DHE as a default key exchange method from the following services:

  • SSL VPN
  • SSH
  • FTPS
  • HTTPS

This change helps ensure stronger cryptographic practices and better overall system efficiency, especially when paired with more modern, secure alternatives like ECDHE (Elliptic Curve Diffie-Hellman Ephemeral).

Re-enabling DHE (If Absolutely Necessary)

While Zyxel recommends avoiding DHE due to the reasons outlined above, administrators who must maintain legacy compatibility can still manually re-enable DHE for specific services:

  • SSH Connection: Router(config)#ip ssh server kexalg dhe
  • FTPS Connection: Router(config)#ip ftp server cipher-suite dhe
  • HTTPS Connection: Router(config)#ip http secure-server cipher-suite dhe
  • SSL VPN: No command is available to re-enable DHE. Zyxel's official VPN clients (e.g., SecuExtender) already support superior key exchange methods.
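Whether DHE has actually disappeared from (or been re-added to) the SSH service is something an administrator can verify from the outside, because an SSH server lists every key-exchange algorithm it accepts in its KEXINIT message (RFC 4253) before any authentication happens. The script below is an added example, not Zyxel code: it parses a KEXINIT payload, separates finite-field Diffie-Hellman names (the "DHE" of this post) from elliptic-curve ones, and can fetch a live server's KEXINIT after nothing more than the version-string exchange. The sample algorithm lists, the hypothetical host `fw.example.internal`, and the prefix-based classification are constructed for the example.

```python
"""Audit which key-exchange algorithms an SSH server offers (RFC 4253 KEXINIT).

Added example, not Zyxel's code. Finite-field Diffie-Hellman ("DHE" in the
post) is reported separately from elliptic-curve exchanges so the operator can
confirm it is absent after the ZLD 5.40 upgrade, or present again after
`ip ssh server kexalg dhe` has been applied.
"""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20

# Prefix-based categorisation chosen for this example (names per the IANA SSH registry).
FFDH_PREFIXES = ("diffie-hellman-group",)                      # finite-field DHE
ECDH_PREFIXES = ("ecdh-sha2-", "curve25519-", "curve448-")      # elliptic-curve DH

# Constructed sample algorithm lists: one legacy-style, one with only ECDH.
LEGACY_KEX = ["curve25519-sha256", "ecdh-sha2-nistp256",
              "diffie-hellman-group14-sha256", "diffie-hellman-group-exchange-sha256"]
MODERN_KEX = ["curve25519-sha256", "curve25519-sha256@libssh.org",
              "ecdh-sha2-nistp256", "ecdh-sha2-nistp384"]


def parse_name_list(buf: bytes, off: int):
    """Read one RFC 4251 name-list (uint32 length + comma-separated ASCII)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    names = raw.decode("ascii").split(",") if raw else []
    return names, off + n


def parse_kexinit(payload: bytes) -> dict:
    """Return the ten name-lists of a KEXINIT payload keyed by field name."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16  # message id + 16-byte cookie
    fields = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
    out = {}
    for f in fields:
        out[f], off = parse_name_list(payload, off)
    return out  # first_kex_packet_follows and the reserved uint32 are not needed here


def classify_kex(names):
    ffdh = [n for n in names if n.startswith(FFDH_PREFIXES)]
    ecdh = [n for n in names if n.startswith(ECDH_PREFIXES)]
    other = [n for n in names if n not in ffdh and n not in ecdh]
    return {"ffdh": ffdh, "ecdh": ecdh, "other": other}


def dhe_offered(payload: bytes) -> bool:
    """True if the server advertises any finite-field DHE method."""
    return bool(classify_kex(parse_kexinit(payload)["kex"])["ffdh"])


def build_kexinit(kex, host_key="ssh-ed25519", enc="aes256-gcm@openssh.com",
                  mac="hmac-sha2-256", comp="none") -> bytes:
    """Build a KEXINIT payload from algorithm lists (constructed test data)."""
    def nl(items):
        s = ",".join(items).encode("ascii")
        return struct.pack(">I", len(s)) + s
    lists = [kex, [host_key], [enc], [enc], [mac], [mac], [comp], [comp], [], []]
    body = b"".join(nl(x) for x in lists)
    # zero cookie, then first_kex_packet_follows=0 and the reserved uint32
    return bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + body + b"\x00" + b"\x00" * 4


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Exchange version strings and return the server's first packet payload.

    No key agreement or authentication is attempted; the connection is closed
    right after the KEXINIT is read. Before key exchange the binary packet
    format is simply uint32 packet_length | byte padding_length | payload | padding.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexaudit_example\r\n")
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # banner lines may precede the version
            line = f.readline()
        if not line.startswith(b"SSH-2.0"):
            raise ValueError("no SSH-2.0 version string received")
        packet_len, pad_len = struct.unpack(">IB", f.read(5))
        return f.read(packet_len - pad_len - 1)


def report(label: str, payload: bytes) -> None:
    kex = classify_kex(parse_kexinit(payload)["kex"])
    print(f"{label}: DHE offered = {bool(kex['ffdh'])}; ffdh={kex['ffdh']} ecdh={kex['ecdh']}")


if __name__ == "__main__":
    report("constructed legacy sample", build_kexinit(LEGACY_KEX))
    report("constructed ZLD 5.40-style sample", build_kexinit(MODERN_KEX))
    if len(sys.argv) > 1:  # e.g. python kexaudit.py fw.example.internal (hypothetical host)
        report(sys.argv[1], fetch_server_kexinit(sys.argv[1]))
```

Run it with no arguments to see the two constructed samples classified; pass the firewall's management address to read the live KEXINIT. The equivalent check for the HTTPS and FTPS services is on the TLS side: for TLS 1.2 and earlier, an `openssl s_client` connection restricted with `-cipher 'DHE'` should fail to negotiate once DHE is disabled and succeed again after `cipher-suite dhe` is set (TLS 1.3 has no finite-field DHE suites of that kind, so the test is only meaningful for older protocol versions).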