Key exchange score not 100% though key and dh parameters are 4096 bytes long

Question asked by Sven Flock on Feb 23, 2016
Latest reply on Mar 3, 2016 by Sven Flock

Hi all,


I am trying to get my SSLLabs score to 100% :-). I am now working on the key exchange score. The problem is that I cannot get it to 100%. I've read the PDF which tells me that my key lengths and DH parameters are smaller than 4096 bytes.


My results can be viewed here:


I am not quite an expert on encryption and I am just learning it on my root server, but what I read is that my private/public key is already 4096 bytes long.


Additionally, I have generated a new DH parameters file using


openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096


and added the following line to my virtual host config file (Apache 2.4.18):


SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"


What I also see is that some other certificates in the chain are 2048 bytes in size. What does that mean? There are some additional certificates listed and the path shows twice 2048 and 4096.



What am I doing wrong? :-)


Thanks for your support!