Forum

Key Exchange reported as average

commandline.be
3 December 2018, 15:34
Hi people, Hugo,

I'm still poking at the configuration for my VM, except for HPKP and HSTS preloading i expect to arrive at being able to serve static content fast and securely.

To this end i ran the URL for my site against a number of tools among which the Mozilla observatory which also references a few external sites.

Among which https://tls.imirhil.fr/tls/commandline.be:443 which indicates there is weak-ish key exchange in place. I assume for this i am required to recompile with changes to src/tls.c

Could it be considered for 10.8.x to have improved key exchange configuration as a default ?

I don't think there is much need at this point but it could prove a future proof path.

Regards,

JL

Gordon
3 December 2018, 23:28

I don't think that is Hiawatha.... I think that is simply the 'grade' imirhil.fr gives to a 2048 bit RSA cert. If you want a higher score, use 4096 bit or ECDSA.
Hugo Leisink
9 December 2018, 14:44
It's the 2048 bit keys that's causing it. 2048 isn't a bad key length today. According to SSLLabs [www.ssllabs.com] (which I think is the best for SSL / TLS verification) gives your webserver an A+. So, nothing to worry about. You can ignore that CryptCheck site.
Allowed BBcodes:
[quote]
[code]
[config]
[url]
[color]
[size]
[img]
[b]
[i]
[u]
[s]
[list]
[ul]
[ol]
[*]