ssllabs / ssllabs-scan

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.
https://www.ssllabs.com/projects/ssllabs-apis/
Apache License 2.0

Not reporting `Key Exchange` 100 score with DH: 4096 bits #650

Open doino-gretchenliev opened 6 years ago

doino-gretchenliev commented 6 years ago

My web site is not reporting a 'Key Exchange' score of 100 even though I have a cipher suite that covers all tested browsers and the DH parameter is reported to be 4096 bits. https://www.ssllabs.com/ssltest/analyze.html?d=www.gretchmedia.com&hideResults=on

josephcsible commented 6 years ago

Your certificate's public key is only 2048-bit RSA. The key exchange score comes from the strength of the ephemeral key exchange and the strength of the public key. You need a 4096-bit RSA (or 384-bit ECC) key on your certificate to get 100%.
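To make the answer above concrete, here is an added example (not part of the thread and not code from ssllabs-scan) that models the key exchange score as limited by the weakest of the certificate key and the offered key exchange parameters. The score bands and the EC-to-RSA comparable strengths are assumptions taken from SSL Labs' public SSL Server Rating Guide and NIST SP 800-57, not values stated here, and the function names are hypothetical.

```python
# Added example. Score bands and EC equivalences are assumptions (see lead-in),
# not values stated in this thread.
SCORE_BANDS = [(4096, 100), (2048, 90), (1024, 80), (512, 40), (1, 20)]
EC_TO_RSA = [(512, 15360), (384, 7680), (256, 3072), (224, 2048), (160, 1024)]


def rsa_equivalent(kind, bits):
    """Express a key size as comparable RSA/DH modulus bits."""
    kind = kind.upper()
    if kind in ("RSA", "DH"):
        return bits
    if kind in ("EC", "ECDH"):
        return next((rsa for ec, rsa in EC_TO_RSA if bits >= ec), 0)
    raise ValueError(f"unknown key type: {kind}")


def band(bits):
    """Map RSA/DH-equivalent bits to a score; 0 means no usable strength."""
    return next((score for floor, score in SCORE_BANDS if bits >= floor), 0)


def key_exchange_score(cert_key, key_exchanges):
    """Return (score, limiting), limiting being the weakest (label, kind, bits)."""
    items = [("certificate key", *cert_key)]
    items += [("key exchange", kind, bits) for kind, bits in key_exchanges]
    weakest = min(items, key=lambda item: rsa_equivalent(item[1], item[2]))
    return band(rsa_equivalent(weakest[1], weakest[2])), weakest


if __name__ == "__main__":
    # Constructed inputs modelled on the thread:
    # (certificate key, key exchange parameters the server offers)
    cases = {
        "as reported": (("RSA", 2048), [("DH", 4096)]),
        "RSA 4096 cert": (("RSA", 4096), [("DH", 4096)]),
        "EC 384 cert": (("EC", 384), [("DH", 4096)]),
        "EC 256 curve": (("RSA", 4096), [("DH", 4096), ("ECDH", 256)]),
    }
    for name, (cert, kx) in cases.items():
        score, (label, kind, bits) = key_exchange_score(cert, kx)
        print(f"{name}: {score} (limited by {label}: {kind} {bits})")
```

Under these assumptions, a 256-bit ECDHE curve also caps the score below 100 even when the certificate key is 4096-bit RSA, so check the curve list as well as the certificate.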

doino-gretchenliev commented 6 years ago

Not sure whether it's there already, but I can't find this requirement in the documentation. Probably you need to add it. Thank you.