Hello,

thanks for letting me join the community.

I would like to ask if someone can help me reach a 100% Key Exchange rating for my domain, michalborka.cz, on SSL Server Test (Powered by Qualys SSL Labs).

Even though I have Key and DH parameter strength of 4096 bits, I'm only getting a 90% rating.

I know 90% is fine and I'm getting A+, I just want to learn how to make this stuff a little better.

Thanks a lot for help!

Michal

Hi Michal,

A 100% rating is given for key exchange if RSA key exchange is at least 4096-bit, Diffie-Hellman key exchange is at least 4096-bit and elliptic curve Diffie-Hellman key exchange is at least 384-bit. In your case, elliptic curve Diffie-Hellman (ECDH) key exchange is only 256-bit, which is why you have the 90% rating. You need a line like this in your Apache configuration:

`SSLOpenSSLConfCmd ECDHParameters secp384r1`

That will make ECDH key exchange 384-bit and give you the 100% rating you're after.
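To confirm the change took effect without waiting for a rescan, the ephemeral key the server negotiates can be read from the `Server Temp Key` line that `openssl s_client` prints. The following is an added example, not part of the original posts: it parses that line and applies the DH and ECDH thresholds quoted in the answer above. The sample outputs are constructed and the function name is hypothetical.

```python
import re

# Minimum sizes for a 100% key exchange score, as stated in the answer above.
THRESHOLDS = {"DH": 4096, "ECDH": 384}

# Matches lines such as "Server Temp Key: ECDH, P-256, 256 bits"
# or "Server Temp Key: DH, 4096 bits" in `openssl s_client` output.
TEMP_KEY = re.compile(
    r"^Server Temp Key:\s*(?P<kind>[\w-]+)"
    r"(?:,\s*(?P<name>[\w-]+))?,\s*(?P<bits>\d+) bits",
    re.M,
)

# Constructed samples of what `openssl s_client -connect example.com:443 -tls1_2`
# might report before and after adding the ECDHParameters line.
SAMPLE_BEFORE = "---\nServer Temp Key: ECDH, P-256, 256 bits\n---\n"
SAMPLE_AFTER = "---\nServer Temp Key: ECDH, P-384, 384 bits\n---\n"


def check_temp_key(s_client_output):
    """Return (family, name, bits, meets_threshold), or None when no
    ephemeral key is reported (for example with plain RSA key exchange)."""
    m = TEMP_KEY.search(s_client_output)
    if m is None:
        return None
    kind, name, bits = m["kind"], m["name"], int(m["bits"])
    if kind in THRESHOLDS:
        family = kind
    else:
        # Curves such as X25519 are printed without an "ECDH," prefix;
        # treat them as elliptic curve key exchange.
        family, name = "ECDH", kind
    return family, name, bits, bits >= THRESHOLDS[family]


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_temp_key(text))
```
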