
A+ with weak DH parameter #80

Closed
J0WI opened this issue Mar 11, 2015 · 4 comments

@J0WI

commented Mar 11, 2015

It's still possible to get an A+ grade when using 1024-bit DH parameters, which are now marked as weak.

@ivanr ivanr added the bug label Mar 11, 2015

@ivanr

Contributor

commented Mar 11, 2015

It's a grading bug. Thanks for your report.

@selecadm


commented Mar 12, 2015

"Forward Secrecy" should also be downgraded to "With modern browsers", because one cannot get ROBUST with weak DH parameters.

https://dev.ssllabs.com/ssltest/analyze.html?d=www.fastmail.com&s=66.111.4.148&hideResults=on

Forward Secrecy Yes (with most browsers) ROBUST

Is it?

@RobTho


commented Mar 13, 2015

Hi,
I think weak DH parameters should cause a crap B, or am I wrong?
Rating Guide:
"Keys below 2048 bits (e.g., 1024) are now considered weak, and the grade capped at B."
VS
"For suites that rely on DHE or ECDHE key exchange, the strength of DH parameters is taken into account when determining the strength of the handshake as a whole. Many servers that support DHE use DH parameters that provide 1024 bits of security. On such servers, the strength of the key exchange will never go above 1024 bits, even if the private key is stronger (usually 2048 bits)."
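The two rating-guide passages quoted above combine into one rule: the key-exchange strength is the minimum of the certificate key size and the DH prime size, so a 2048-bit RSA key behind 1024-bit DH parameters yields a 1024-bit handshake. The following added example (not code from SSL Labs or from anyone in this thread) reads the prime out of an `openssl dhparam`-style PEM file (PKCS#3 `DHParameter`: a DER `SEQUENCE` of `INTEGER p, INTEGER g`), measures its bit length, and applies the "below 2048 caps at B" reading that this comment proposes. The cap function, the 1024-bit value used as `p`, and the helper names are assumptions for the demonstration; the `p` is a constructed placeholder, not a real safe prime, since only its length matters here.

```python
import base64

# --- minimal DER helpers (assumed helpers, not SSL Labs code) ---

def _der_len(n: int) -> bytes:
    """Encode a DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n: int) -> bytes:
    """Encode a non-negative INTEGER (tag 0x02); an extra 0x00 keeps the sign bit clear."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def dhparams_to_pem(p: int, g: int) -> str:
    """Build a PEM 'DH PARAMETERS' block, the same layout `openssl dhparam` writes."""
    seq_body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq_body)) + seq_body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf: bytes, i: int):
    """Return (tag, value, next_index) for the TLV starting at buf[i]."""
    tag = buf[i]
    length = buf[i + 1]
    i += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[i:i + nbytes], "big")
        i += nbytes
    return tag, buf[i:i + length], i + length


def parse_dhparams_pem(pem: str):
    """Parse PKCS#3 DHParameter (SEQUENCE { INTEGER p, INTEGER g }); returns (p, g)."""
    b64 = "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))
    der = base64.b64decode(b64)
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, j = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, j)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p, INTEGER g")
    return (int.from_bytes(p_bytes, "big", signed=True),
            int.from_bytes(g_bytes, "big", signed=True))


# --- the grading logic discussed in this issue ---

def key_exchange_bits(cert_key_bits: int, dh_prime_bits: int) -> int:
    """Rating-guide rule: DHE strength never exceeds the DH prime size."""
    return min(cert_key_bits, dh_prime_bits)


def grade_cap_for(effective_bits: int):
    """The 'below 2048 caps at B' reading proposed here (assumed; the maintainer
    had not applied it to DH parameters at the time of this thread)."""
    return "B" if effective_bits < 2048 else None


def assess(pem: str, cert_key_bits: int) -> dict:
    """Summarise a server's DHE handshake strength from its DH parameters file."""
    p, _g = parse_dhparams_pem(pem)
    dh_bits = p.bit_length()
    eff = key_exchange_bits(cert_key_bits, dh_bits)
    return {"dh_bits": dh_bits, "key_exchange_bits": eff, "grade_cap": grade_cap_for(eff)}


# Constructed 1024-bit placeholder value (NOT a prime) standing in for a weak p.
WEAK_P = (1 << 1023) | 0x1234567
WEAK_PEM = dhparams_to_pem(WEAK_P, 2)

if __name__ == "__main__":
    print(assess(WEAK_PEM, 2048))  # 2048-bit cert behind 1024-bit DH -> 1024-bit handshake
```

On a real server the input would be the file passed to the web server's DH parameters directive, or the `ServerKeyExchange` prime captured from a DHE handshake; the length check is the same either way.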

@ivanr

Contributor

commented Mar 20, 2015

Fixed in 1.16.1, now running on dev.ssllabs.com.

I am not grading sites with 1024-bit DH parameters with B yet, given what I saw happen the other day: someone saw a warning about them and then removed them altogether. I need to think about it a bit more.

@ivanr ivanr closed this Mar 20, 2015
