Forum

Hi people, Hugo,

I'm still poking at the configuration for my VM, except for HPKP and HSTS preloading i expect to arrive at being able to serve static content fast and securely.

To this end i ran the URL for my site against a number of tools among which the Mozilla observatory which also references a few external sites.

Among which https://tls.imirhil.fr/tls/commandline.be:443 which indicates there is weak-ish key exchange in place. I assume for this i am required to recompile with changes to src/tls.c

Could it be considered for 10.8.x to have improved key exchange configuration as a default ?

I don't think there is much need at this point but it could prove a future proof path.

Regards,

JL

I don't think that is Hiawatha.... I think that is simply the 'grade' imirhil.fr gives to a 2048 bit RSA cert. If you want a higher score, use 4096 bit or ECDSA.

It's the 2048 bit keys that's causing it. 2048 isn't a bad key length today. According to SSLLabs [www.ssllabs.com] (which I think is the best for SSL / TLS verification) gives your webserver an A+. So, nothing to worry about. You can ignore that CryptCheck site.

The cause is DH vs ECDH apparently