Key Exchange reported as average
3 December 2018, 15:34
Hi people, Hugo,

I'm still poking at the configuration for my VM; except for HPKP and HSTS preloading, I expect to arrive at being able to serve static content fast and securely.

To this end I ran the URL for my site against a number of tools, among which the Mozilla Observatory, which also references a few external sites.

One of these indicates there is weak-ish key exchange in place. I assume for this I am required to recompile with changes to src/tls.c.

Could it be considered for 10.8.x to have an improved key exchange configuration as a default?

I don't think there is much need at this point, but it could prove a future-proof path.

3 December 2018, 23:28

I don't think that is Hiawatha... I think that is simply the 'grade' given to a 2048-bit RSA cert. If you want a higher score, use 4096-bit or ECDSA.
Hugo Leisink
9 December 2018, 14:44
It's the 2048-bit key that's causing it. 2048 isn't a bad key length today. SSLLabs [] (which I think is the best for SSL/TLS verification) gives your webserver an A+. So, nothing to worry about. You can ignore that CryptCheck site.
17 December 2018, 21:04
The cause is DH vs ECDH, apparently.
This topic has been closed.
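A way to check the distinction made in this thread offline: given the cipher-suite names a server enables (as a scanner or `openssl ciphers` prints them), the functions below tell you whether each suite's key exchange is ECDHE, finite-field DHE, or static RSA/DH, which is what separates a "DH vs ECDH" grade from the size of the 2048-bit certificate key. This is an added example, not code from the thread or from Hiawatha; the suite list and the `dh_param_bits` value are constructed inputs.

```python
import re

# Cipher-suite name prefixes (OpenSSL and IANA spellings) mapped to a key-exchange
# family. Order matters: ECDHE before ECDH, DHE before DH, and the TLS 1.3 names
# before OpenSSL's bare RSA-kx names, which also start with the cipher (AES128-SHA).
_KX_PATTERNS = [
    (re.compile(r"^(TLS_)?ECDHE[-_]"), "ECDHE"),      # ephemeral EC DH: forward secrecy
    (re.compile(r"^(TLS_)?(DHE|EDH)[-_]"), "DHE"),    # ephemeral finite-field DH
    (re.compile(r"^(TLS_)?ECDH[-_]"), "ECDH"),        # static EC DH: no forward secrecy
    (re.compile(r"^(TLS_)?DH[-_]"), "DH"),            # static finite-field DH
    (re.compile(r"^TLS_(AES|CHACHA20)_"), "TLS1.3"),  # TLS 1.3: always ephemeral (EC)DH
    (re.compile(r"^(TLS_)?RSA[-_]"), "RSA"),          # RSA key transport: no forward secrecy
    (re.compile(r"^(AES|CAMELLIA|SEED|DES|RC4|IDEA)"), "RSA"),
]
FS_FAMILIES = {"ECDHE", "DHE", "TLS1.3"}

def key_exchange(suite):
    """Return the key-exchange family of one cipher-suite name."""
    for pattern, family in _KX_PATTERNS:
        if pattern.match(suite):
            return family
    return "UNKNOWN"

def assess(suites, dh_param_bits=None):
    """Summarise the key-exchange profile of the suites a server enables.
    dh_param_bits: size of the server's DH group, if known (hypothetical input)."""
    kx = {s: key_exchange(s) for s in suites}
    static = sorted(s for s, f in kx.items() if f in {"RSA", "DH", "ECDH"})
    uses_ffdhe = "DHE" in kx.values()
    findings = []
    if static:
        findings.append("no forward secrecy: " + ", ".join(static))
    if uses_ffdhe and dh_param_bits is not None and dh_param_bits < 2048:
        findings.append(f"DHE offered with {dh_param_bits}-bit DH parameters (below 2048)")
    if uses_ffdhe:
        findings.append("finite-field DHE offered; graders rate it below ECDHE, so prefer "
                        "ECDHE or make sure the DH parameters are at least 2048 bits")
    return {"forward_secrecy_only": all(f in FS_FAMILIES for f in kx.values()),
            "uses_ffdhe": uses_ffdhe, "static_kx": static, "findings": findings}

# Constructed sample of the kind a scanner prints; not Hiawatha's actual defaults.
SAMPLE_SUITES = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
                 "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-SHA", "AES256-GCM-SHA384"]

if __name__ == "__main__":
    for finding in assess(SAMPLE_SUITES, dh_param_bits=1024)["findings"]:
        print(finding)
```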