
Stuck at 90 on Key Exchange

Question asked by Jesse Szypulski on Feb 3, 2016
Latest reply on Feb 4, 2016 by Adm Selec

SSL Server Test: krypto.me (Powered by Qualys SSL Labs)

 

I have a 4096-bit key with 8192-bit DH parameters. Here is my nginx config:

 

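server {
    # Plain-HTTP listener: serves no content, only redirects every request to
    # the canonical HTTPS origin.
    # The original block had no listen directive and relied on nginx's
    # implicit default (*:80 only when started with superuser privileges).
    # Stating the port keeps the redirect from depending on how nginx starts.
    listen 80;
    server_name www.krypto.me krypto.me;

    # Permanent redirect; path and query string are carried over.
    return 301 https://krypto.me$request_uri;
}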

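server {
    # HTTPS listener for the www host. It serves no content and only redirects
    # to the canonical name krypto.me (see the return at the end).
    # NOTE(review): later nginx releases replaced the spdy parameter with
    # http2 - confirm against the installed version.
    listen 443 ssl spdy;
    server_name www.krypto.me;

    # Certificate bundle and private key. The key lives under a home
    # directory: keep it readable only by the account that starts nginx.
    ssl_certificate /home/kryptonit3/SSL/krypto_me-bundle2.crt;
    ssl_certificate_key /home/kryptonit3/SSL/server.key;

    # TLS 1.2 only, AES-256 suites with ephemeral key exchange, ECDHE first.
    #ssl_ciphers 'AES256+EECDH:AES256+EDH';
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:10m;

    # The DH group is used only by the EDH suites.
    # NOTE(review): a group this large (8192-bit per the post) makes every EDH
    # handshake CPU-heavy - weigh that against handshake-flood exposure.
    ssl_dhparam /home/kryptonit3/SSL/dhparam.pem;

    # The cipher list prefers EECDH, so most handshakes use an elliptic curve
    # rather than the DH group. nginx releases that still ship SPDY default to
    # prime256v1 when no curve is set. SSL Labs appears to rate a 256-bit
    # curve below a 4096-bit RSA key, which would explain a key-exchange
    # score stuck at 90 - re-run the test to confirm.
    ssl_ecdh_curve secp384r1;

    # OCSP stapling.
    # NOTE(review): ssl_stapling_verify needs the issuer chain configured
    # through ssl_trusted_certificate, and none is set in this block - confirm
    # that stapled responses are really verified.
    ssl_stapling on;
    ssl_stapling_verify on;

    # The original listed 8.8.4.4 twice, leaving one upstream resolver for the
    # OCSP responder lookup; 8.8.8.8 is presumably what was intended.
    # Lookups go to an off-host resolver, so a resolver on a trusted local
    # network lowers the DNS-spoofing risk.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;

    # Response headers. HSTS max-age is two years, without includeSubDomains.
    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    return 301 https://krypto.me$request_uri;
}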

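server {
    # Canonical HTTPS virtual host for krypto.me: serves the PHP application
    # under the root below.
    # NOTE(review): later nginx releases replaced the spdy parameter with
    # http2 - confirm against the installed version.
    listen 443 ssl spdy;
    server_name krypto.me;

    root /home/kryptonit3/WWW/plexrequests;
    index index.php index.html index.htm;
    charset utf-8;

    # Certificate bundle and private key. The key lives under a home
    # directory: keep it readable only by the account that starts nginx.
    ssl_certificate /home/kryptonit3/SSL/krypto_me-bundle2.crt;
    ssl_certificate_key /home/kryptonit3/SSL/server.key;

    # TLS 1.2 only, AES-256 suites with ephemeral key exchange, ECDHE first.
    #ssl_ciphers 'AES256+EECDH:AES256+EDH';
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:10m;

    # The DH group is used only by the EDH suites.
    # NOTE(review): a group this large (8192-bit per the post) makes every EDH
    # handshake CPU-heavy - weigh that against handshake-flood exposure.
    ssl_dhparam /home/kryptonit3/SSL/dhparam.pem;

    # The cipher list prefers EECDH, so most handshakes use an elliptic curve
    # rather than the DH group. nginx releases that still ship SPDY default to
    # prime256v1 when no curve is set. SSL Labs appears to rate a 256-bit
    # curve below a 4096-bit RSA key, which would explain a key-exchange
    # score stuck at 90 - re-run the test to confirm.
    ssl_ecdh_curve secp384r1;

    # OCSP stapling.
    # NOTE(review): ssl_stapling_verify needs the issuer chain configured
    # through ssl_trusted_certificate, and none is set in this block - confirm
    # that stapled responses are really verified.
    ssl_stapling on;
    ssl_stapling_verify on;

    # The original listed 8.8.4.4 twice, leaving one upstream resolver for the
    # OCSP responder lookup; 8.8.8.8 is presumably what was intended.
    # Lookups go to an off-host resolver, so a resolver on a trusted local
    # network lowers the DNS-spoofing risk.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;

    # Response headers. HSTS max-age is two years, without includeSubDomains.
    # No location below declares its own add_header, so all of them inherit
    # these three.
    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    # Access logging is off for the whole server, so no per-request record is
    # available for detection or incident review; only the error log is kept.
    # NOTE(review): the error log file is named for www.cablework.co, not
    # krypto.me - presumably carried over from another vhost, confirm.
    access_log off;
    error_log  /var/log/nginx/www.cablework.co-error.log error;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    # Front-controller routing: anything that is not a file or directory on
    # disk goes to index.php with the original query string.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # PHP goes to PHP-FPM over a local unix socket. try_files comes first, so
    # a .php path that does not exist on disk falls back to /index.php (or 404
    # if that is missing too) instead of reaching the interpreter unchecked.
    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}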
