hardenize / hardenize-public


"Strong key exchange detected" when there's nothing good to detect #72

Closed jrchamp closed 4 years ago

jrchamp commented 4 years ago

Some marketing pixel service has the worst security configuration I've seen post-DROWN: https://www.hardenize.com/report/secfld.vmmpxl.com/1594043528#www_tls

Hardenize doesn't see any "bad" forward-secret ciphers because there aren't any forward-secret ciphers and it reports:

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Maybe I'm not understanding, but I don't think of classic RSA as a strong key exchange, so I'm guessing this is a bug?

ivanr commented 4 years ago

Hello @jrchamp. Yes, this looks to me like a bug. The findings are not making much sense. We'll look into it.

ivanr commented 4 years ago

Attaching a screenshot here to preserve the context.

ivanr commented 4 years ago

I fixed the immediate problem on the development branch; the fix will be in the next release. I think in this situation we should also show a warning about lack of forward secrecy, but we're about to do a full review of the criteria anyway so I left it for later. Thanks for your bug report!

P.S. Couldn't verify the fix on the same server as its configuration is now different. I simulated the configuration in our lab.
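The bug discussed in this thread is a classic vacuous-truth check: "all forward-secret suites have strong key exchange" is trivially true when the server offers no forward-secret suites at all. The following is an added example of how a scanner can avoid that trap; it is not Hardenize's code, and the suite list, the `Suite` type and the function names are constructed here, with the 2048-bit DHE and 256-bit ECDHE thresholds taken from the report text quoted above.

```python
# Added example (not Hardenize's code): classify a server's cipher suites by
# key exchange and refuse to report "strong key exchange" over an empty set.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Suite:
    name: str      # IANA suite name, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    kx: str        # key exchange: "RSA" (static), "DHE" or "ECDHE"
    kx_bits: int   # DH group size or EC curve size; 0 for static RSA

FORWARD_SECRET_KX = {"DHE", "ECDHE"}
# Thresholds quoted in the report: 2048 bits for DHE, 256 bits for ECDHE.
MIN_BITS = {"DHE": 2048, "ECDHE": 256}

def is_strong(suite: Suite) -> bool:
    """A forward-secret suite whose parameters meet the documented minimum."""
    return suite.kx in FORWARD_SECRET_KX and suite.kx_bits >= MIN_BITS[suite.kx]

def assess_key_exchange(suites: List[Suite]) -> Tuple[str, List[str]]:
    """Return (verdict, offending suite names).

    verdict is one of:
      "no_fs"  - no forward-secret suites at all (the case from this issue)
      "weak"   - some forward-secret suites use undersized DH/EC parameters
      "strong" - every forward-secret suite meets the threshold
    """
    fs = [s for s in suites if s.kx in FORWARD_SECRET_KX]
    if not fs:
        # The buggy logic effectively evaluated all(is_strong(s) for s in fs),
        # which is True for an empty list. Report the real problem instead.
        return "no_fs", [s.name for s in suites]
    weak = [s.name for s in fs if not is_strong(s)]
    return ("weak", weak) if weak else ("strong", [])

def describe(suites: List[Suite]) -> str:
    """Human-readable finding, mirroring the wording style of the report."""
    verdict, names = assess_key_exchange(suites)
    if verdict == "no_fs":
        return ("Warning. No forward-secret cipher suites are offered; static RSA "
                "key exchange cannot provide forward secrecy: " + ", ".join(names))
    if verdict == "weak":
        return "Warning. Weak key exchange parameters in: " + ", ".join(names)
    return "Excellent. All forward-secret cipher suites rely on strong key exchange."

if __name__ == "__main__":
    # Constructed sample input resembling the RSA-only server from the issue.
    rsa_only = [Suite("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA", 0)]
    print(describe(rsa_only))
```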