I m validation my server against ssllabs and trying to optimize my server to get better rating, but it keeps T. I thought I could get B. A is not possible because I m using self signed certificate with self signed CA. That's ok, because I only have a small number of closed user group that imports CA as trustworthy CA to get rid of warnings in browser and email-client.
Here I give you two screenshots of rating before and after possible optimazation.
After upgrading to next stable Debian distribution, changing certificate with better signature and changing Apache2 SSL settings, the summary now is:
To get rid of the weak DH key, I have to wait for next stable Debian release with Apache >= 2.4.8 and OpenSSL 1.0.2.
But why still T?