A+ with weak DH parameter

[J0WI]

It's still possible to get an A+ grade when using 1024 bit DH parameters, that are marked as weak now.

[ivanr]

It's a grading bug. Thanks for your report.

[selecadm]

"Forward Secrecy" should also be downgraded to "With modern browsers", because one cannot get ROBUST with weak DH parameters.

https://dev.ssllabs.com/ssltest/analyze.html?d=www.fastmail.com&s=66.111.4.148&hideResults=on

Forward Secrecy Yes (with most browsers) ROBUST

Is it?

[RobTho]

Hi
I think weak DH Parameter should cause a crap B, or am i wrong ?
Rating Guide:
"Keys below 2048 bits (e.g., 1024) are now considered weak, and the grade capped
at B."
VS
"For suites that rely on DHE or ECDHE key exchange, the strength of DH parameters is taken into
account when determining the strength of the handshake as a whole. Many servers that support
DHE use DH parameters that provide 1024 bits of security. On such servers, the strength of the
key exchange will never go above 1024 bits, even if the private key is stronger (usually 2048 bits)."

[ivanr]

Fixed in 1.16.1, now running on dev.ssllabs.com.

I am not grading sites with 1024-bit DH parameters with B yet, given what I saw happen the other day: someone saw a warning about them and then removed them altogether. I need to think about it a bit more.