Static RSA Kex gets 100 score?

Discussion created by John Public on Nov 6, 2014
Latest reply on Nov 7, 2014 by Ivan Ristić

If a server possesses a 4096-bit (I'm not sure about 2048-bit) RSA key and certificate, but has no DHE/ECDHE ciphers enabled (static RSA only), it still receives a 100 in the "Key Exchange" category. I believe that, while a 4096 (or 2048)-bit RSA key is very strong, servers should still be penalized for not supporting forward secrecy. Perhaps a 90? I know that the grade is capped to A- if the server doesn't have FS with reference browsers, but it still shouldn't get a 100 for Key Exchange.
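A defender-side check for the situation this post describes, added here as an example and not taken from the thread or from the SSL Labs grader: it classifies cipher-suite names by their key-exchange method and flags a configuration that offers only static RSA (no DHE/ECDHE), which is exactly the case where the session has no forward secrecy. The cipher lists are constructed sample input; `audit_local_openssl` is an assumed helper that reads the suites the local Python `ssl` module would offer, so its result depends on the OpenSSL build it runs against.

```python
import re
import ssl
from typing import Iterable

# Constructed sample cipher lists (OpenSSL-style names), not from the original post.
STATIC_RSA_ONLY = ["AES256-GCM-SHA384", "AES128-GCM-SHA256", "AES256-SHA256", "AES128-SHA"]
MIXED = ["ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-GCM-SHA384", "AES256-GCM-SHA384"]
TLS13_ONLY = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"]

# Symmetric-cipher prefixes that, in OpenSSL naming, mean "no key-exchange prefix" = static RSA.
_RSA_KX_NAME = re.compile(r"^(AES|CAMELLIA|DES|RC4|SEED|IDEA|NULL)")


def key_exchange(suite: str) -> str:
    """Classify an OpenSSL or IANA cipher-suite name by its key-exchange method."""
    s = suite.upper()
    if s.startswith("TLS_AES_") or s.startswith("TLS_CHACHA20_"):
        return "TLS1.3"  # TLS 1.3 suites always use an ephemeral (EC)DHE exchange
    if s.startswith("ECDHE-") or s.startswith("TLS_ECDHE_"):
        return "ECDHE"
    if s.startswith(("DHE-", "EDH-", "TLS_DHE_")):
        return "DHE"
    if s.startswith("TLS_RSA_WITH_") or _RSA_KX_NAME.match(s):
        return "RSA"  # key transport under the server's long-term RSA key: no forward secrecy
    return "other"


def forward_secret(suite: str) -> bool:
    """True when the suite's key exchange is ephemeral, so a later key compromise does not expose past traffic."""
    return key_exchange(suite) in {"ECDHE", "DHE", "TLS1.3"}


def assess(suites: Iterable[str]) -> dict:
    """Summarise a server's offered suites: does it offer forward secrecy at all, and does it offer only that?"""
    suites = list(suites)
    fs = [s for s in suites if forward_secret(s)]
    static = [s for s in suites if key_exchange(s) == "RSA"]
    return {
        "fs_suites": fs,
        "static_rsa_suites": static,
        "offers_fs": bool(fs),          # at least one DHE/ECDHE/TLS1.3 suite is available
        "fs_only": bool(fs) and not static,  # no static-RSA fallback left for a downgrade-prone client
    }


def audit_local_openssl() -> dict:
    """Assumed helper: run the same assessment over the suites the local OpenSSL build enables by default."""
    ctx = ssl.create_default_context()
    return assess(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    for label, suites in (("static RSA only", STATIC_RSA_ONLY), ("mixed", MIXED), ("TLS 1.3 only", TLS13_ONLY)):
        r = assess(suites)
        print(f"{label:16s} offers_fs={r['offers_fs']} fs_only={r['fs_only']} static={r['static_rsa_suites']}")
    print("local OpenSSL defaults:", audit_local_openssl()["fs_only"])
```

The `fs_only` flag is the stricter property: a server can offer ECDHE to modern clients and still keep static-RSA suites for older ones, which is why the post distinguishes the FS cap against reference browsers from the Key Exchange score itself.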