Dual certificates and key exchange scores

Discussion created by rhardy on Aug 27, 2013
Latest reply on Sep 2, 2013 by Ivan Ristić

A suggestion for scanner improvement.

I have both ECC and RSA certificates enabled on an Apache 2.4.6 server, but the scanner never seems to see the ECC certificate, even though some of its client tests are clearly using ECC protocols (which use the ECC certificate).

Using RSA 4096 (or higher) keys isn't practical for many users from a performance point of view.

I have both a 2048-bit RSA certificate for legacy reasons (which is used as a last resort) and a 384-bit ECC certificate (which is the equivalent of 7680 RSA bits).

A scan of that server gets a rating of 80 on key exchange, the exact same score as a generically configured 2048-bit RSA-only server.

The key exchange scores really should not ignore ECC and should consider more than one certificate.
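A way to confirm from the outside whether a dual-certificate server really presents its ECC certificate: handshake once offering only ECDSA suites and once offering only RSA suites, then compare the leaf certificates. This is an added example, not code from this discussion or from SSL Labs; the host name is a placeholder, and it assumes the server offers at least one ECDHE-ECDSA and one ECDHE-RSA suite under TLS 1.2.

```python
"""Probe which certificate a TLS server presents per cipher family."""
import hashlib
import socket
import ssl

# OpenSSL cipher strings: each restricts the TLS 1.2 handshake to one
# certificate family, so the served certificate must match that family.
CIPHER_FAMILIES = {
    "ECDSA": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256",
    "RSA": "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
}


def probe(host, port, ciphers, timeout=5.0):
    """Return (negotiated cipher, SHA-256 of the leaf cert DER), or None if
    the server cannot complete a handshake under this cipher restriction."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we only inspect which cert is served
    # TLS 1.3 suites are key-type neutral, so cap at 1.2 for a clean split.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ciphers)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return tls.cipher()[0], hashlib.sha256(der).hexdigest()
    except (OSError, ssl.SSLError):
        return None


def classify(results):
    """Interpret {family: probe result}. Pure function, so it can be checked
    on constructed data without a network."""
    seen = {fam: r for fam, r in results.items() if r is not None}
    if len(seen) < 2:
        return "single-family: " + ", ".join(sorted(seen)) if seen else "no handshake"
    fingerprints = {r[1] for r in seen.values()}
    if len(fingerprints) == 2:
        return "dual certificates"
    return "same certificate for both families"


if __name__ == "__main__":
    host = "example.invalid"  # placeholder: replace with your own server
    res = {fam: probe(host, 443, c) for fam, c in CIPHER_FAMILIES.items()}
    for fam, r in res.items():
        print(fam, r)
    print(classify(res))
```

If the ECDSA probe returns None while the RSA probe succeeds, the ECC certificate is not actually being served, regardless of what the configuration file says.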