I'm unable to understand why I get 90/100 on key exchange.

There is no suggestion on the result page and there are no orange lines (apart from a missing CAA DNS record).

Actually, my protocols and ciphers are as read from your tool:

| Protocols | |
|---|---|
| TLS 1.3 | No |
| TLS 1.2 | Yes |
| TLS 1.1 | No |
| TLS 1.0 | No |
| SSL 3 | No |
| SSL 2 | No |

For TLS 1.3 tests, we only support RFC 8446.

Cipher Suites

| TLS 1.2 (suites in server-preferred order) | |
|---|---|
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (`0xc02f`) ECDH secp521r1 (eq. 15360 bits RSA) FS | 128 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (`0xc030`) ECDH secp521r1 (eq. 15360 bits RSA) FS | 256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (`0x9e`) DH 4096 bits FS | 128 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (`0x9f`) DH 4096 bits FS | 256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (`0xc027`) ECDH secp521r1 (eq. 15360 bits RSA) FS | 128 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (`0xc028`) ECDH secp521r1 (eq. 15360 bits RSA) FS | 256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (`0xc013`) ECDH secp521r1 (eq. 15360 bits RSA) FS | 128 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (`0xc014`) ECDH secp521r1 (eq. 15360 bits RSA) FS | 256 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (`0x67`) DH 4096 bits FS | 128 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (`0x33`) DH 4096 bits FS | 128 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (`0x6b`) DH 4096 bits FS | 256 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (`0x39`) DH 4096 bits FS | 256 |

Where could I look for the problem? I have nothing under 4096 bits.

Thanks a lot for your vital tool and, in advance, for your reply.

I raised my Key Exchange score from 90 to 100 by requesting a certificate with the `--rsa-key-size 4096` option (default 2048).

I suggest this should somehow be mentioned on the result page: "go from 2048 to 4096 to get a better score!"
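The result reported in this thread can be reproduced with a small weakest-link calculation over the certificate key and the per-suite key exchange parameters. This is an added example, not part of the original posts and not SSL Labs' own code; the score bands and the "weakest value wins" rule are assumptions based on the published SSL Labs Server Rating Guide, and the function names and sample lines are constructed for illustration.

```python
import re

# Constructed sample: two suite lines in the report format quoted in the thread.
SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp521r1 (eq. 15360 bits RSA) FS | 128",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 4096 bits FS | 128",
]

# Assumption: key exchange bands from the SSL Labs Server Rating Guide
# (strength below the limit earns the paired score; 4096 bits or more earns 100).
BANDS = [(512, 20), (1024, 40), (2048, 80), (4096, 90)]

def kx_bits(line):
    """RSA-equivalent strength of the key exchange parameters on one suite line."""
    m = re.search(r"\bECDH \S+ \(eq\. (\d+) bits RSA\)", line)
    if m:
        return int(m.group(1))
    m = re.search(r"\bDH (\d+) bits", line)
    if m:
        return int(m.group(1))
    return None  # no ephemeral parameters shown: only the certificate key counts

def effective_bits(cert_key_bits, suite_lines):
    """Weakest link across the certificate key and every suite's parameters."""
    strengths = [cert_key_bits]
    for line in suite_lines:
        bits = kx_bits(line)
        if bits is not None:
            strengths.append(bits)
    return min(strengths)

def kx_score(bits):
    """Map an effective strength in bits to a key exchange score."""
    for limit, score in BANDS:
        if bits < limit:
            return score
    return 100

def report(cert_key_bits, suite_lines):
    bits = effective_bits(cert_key_bits, suite_lines)
    return bits, kx_score(bits)

if __name__ == "__main__":
    for cert in (2048, 4096):  # default key size vs. --rsa-key-size 4096
        print(cert, report(cert, SUITES))
```

The suite table only shows the ECDH and DH parameters, so a 2048-bit certificate key does not appear there even though it is the value that limits the score.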