Ian Gallagher

SSLLabs SSL Server Test scoring concern regarding key exchange

Discussion created by Ian Gallagher on Feb 9, 2011
Latest reply on Feb 11, 2011 by Ian Gallagher

Hi there,

 

I believe there is a bug in how the SSL test is calculating scores based on key exchange. Based on the documentation, the "Key Exchange" category is purely based on the site's public key length (e.g. the RSA keypair for the certificate), with => 4096 resulting in a 100% score.

 

I have noticed that my site, neg9.org, receives 80%, even though I have a 4096 bit key. I traced this down to my DH parameters, which I set to 1024 bits. It appears that when EDH is enabled, the DH parameter size is being used for the key exchange calculation - if I remove EDH, then I score 100% as expected. I suspect the same variable is being used to store the result of the EDH key size as the certificate keysize or something along those lines? Or an incorrect conditional check around if EDH is enabled.

 

Naturally, I would hope EDH gives, not detracts, points Which I know is planned in the future - currently it shouldn't have any impact on the scoring, based on the 2009 guide [

https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide_2009.pdf].

 

 

Here's a screenshot of my assessment with EDH disabled (Key exchange score is 100%):

neg9.org-edh-disabled.png

 

And with EDH enabled (resulting in a Key Exchange score of 80%):

neg9.org-edh-enabled.png

 

 

Thanks!

Outcomes