Result strange when server uses dual EC plus RSA cert · Issue #797 · ssllabs/ssllabs-scan · GitHub
attached the complete scan result ...
We have multiple clients for handshake simulation. Amongst these clients I saw different DHParam results for the following clients (Client name, version, and SNI/No-SNI):
Note: All the values for DH key strength, dhP, dhG, and dhYs are taken from the API v3. Since Java 6u45 does not support DH strength above 1024, all the other DH values are set to -1.
With further analysis by using OpenSSL tool:
/opt/ssllabs/bin/openssl s_client -connect www.ipv6help.de:443 -cipher DHE-RSA-AES128-SHA
/opt/ssllabs/bin/openssl s_client -connect www.ipv6help.de:443 -servername www.ipv6help.de -cipher DHE-RSA-AES128-SHA
Note: To check the DH param we should check the dhP parameter, which is actually in bytes; we multiply it by 8 to convert it to bits (128 bytes = 1024 bits OR 512 bytes = 4096 bits). In Wireshark, check the Server Key Exchange packet to get the information for the DH param.
Conclusion: Your server is configured for different DHParam, i.e. 4096 and 1024 for NoSNI and SNI respectively. It is not a bug in SSLLabs.
Hi Max,
Thank you for reporting the issue and its detail.
We will analyze the issue.
Do you really say, that these two lines in apache
SSLCertificateFile /etc/httpd/conf/ssl.crt/ipv6hlp-hostEC.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/ipv6hlp-hostEC.key
(adding an additional EC certificate to the already existing RSA certificate)
change the DHParam configuration?
I'd say either the result with both certificates is wrong (therefore I made the bug report) or
the result with the RSA-only certificate is wrong (there is ); both results can't be correct,
as one suggests the DHParam is 4096 bits and the other says 1024 bits ...
Hi Max,
I haven't commented on the usage of EC or RSA certificates. Usage of a dual certificate won't cause any issue as reported by you. It is more to do with your configuration of SNI and NoSNI.
Please use Wireshark and OpenSSL to confirm the same as shared in the above post.
Regards,
Nauman Shah