1) This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
Apache 2.2 does not at present allow the length of the DHE ephemeral keys to be configured; they are fixed at 1024 bits. (Apache prior to v2.4.7 relies on OpenSSL for the DH input parameters, which default to 1024 bits.) Until this becomes configurable, there is a case for disabling DHE altogether.
DHE ephemeral keys should be of at least the same length as the authentication key length if X.509 certificates are used for authentication. Having a 1024-bit DHE key length while using 2048-bit RSA certificates reduces TLS security.
The majority of modern browsers support ECDHE.
!EDH should be added to the cipher suite configuration (SSLCipherSuite) to disable the weak DHE key exchange.
2) The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
TLS 1.1 and TLS 1.2 must be enabled to resolve this issue.
It is important to check the current version of OpenSSL. It must be 1.0.1 or 1.0.2.
It is highly desirable to update OpenSSL to the latest 1.0.1t or 1.0.2h as well.
The following should be configured: SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3
3) The server does not support Forward Secrecy with the reference browsers.
If the previous issue is resolved, it becomes possible to use ECDHE, which is much faster than traditional DHE, and this issue is resolved too.
If all 3 issues are resolved, the site will receive an A+ rating.
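
An added example (not part of the original note): a small check that reads Apache configuration text and reports whether the SSLCipherSuite and SSLProtocol changes described above are in place. The two sample configurations are constructed, the function names are hypothetical, and the protocol parsing is a simplified model of mod_ssl that treats a missing SSLProtocol as "all"; it inspects configuration only and cannot tell which OpenSSL version is installed.

```python
import re

# Cipher-string keywords OpenSSL accepts for ephemeral finite-field DH.
DHE_ALIASES = {"EDH", "DHE", "kEDH", "kDHE"}
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

def directive(conf, name):
    """Return the arguments of the last `name` directive, or None."""
    value = None
    for line in conf.splitlines():
        line = line.strip()
        m = re.match(re.escape(name) + r"\s+(.+)", line, re.IGNORECASE)
        if m and not line.startswith("#"):
            value = m.group(1).strip()
    return value

def enabled_protocols(args):
    """Simplified model: '+' adds, '-' removes, a bare name replaces the set."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        # Assumption: "all" means every protocol listed in ALL_PROTOCOLS.
        group = {p for p in ALL_PROTOCOLS if name.lower() in ("all", p.lower())}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = group
    return enabled

def audit(conf):
    """Return the findings that this configuration would still trigger."""
    findings = []
    suite = directive(conf, "SSLCipherSuite") or ""
    excluded = {t[1:] for t in re.split(r"[:, ]+", suite) if t.startswith("!")}
    if not excluded & DHE_ALIASES:
        findings.append("weak-dh: DHE not excluded (add !EDH)")
    protos = enabled_protocols(directive(conf, "SSLProtocol") or "all")
    if "TLSv1.2" not in protos:
        findings.append("no-tls12: TLSv1.2 not enabled")
    if protos & {"SSLv2", "SSLv3"}:
        findings.append("legacy-ssl: SSLv2/SSLv3 enabled")
    return findings

# Constructed sample configurations, not taken from a real server.
BEFORE = "SSLProtocol -all +SSLv3 +TLSv1\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5\n"
AFTER = ("SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3\n"
         "SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!EDH\n")

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf) or "no findings")
```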