I've been reading a bit more on recent cipher and key exchange negotiation
changes, it appears that the reason 3des "fail" on modern browsers is the
same reason they "fail" dh-small-subgroup and dh-composite. They are not
actually failing if the negotiated KX algo is ECDHE.

As a good measure, I think we should also offer in the high profile, checks
for RSA KX and CBC mode ciphers. They are all marked as weak by modern
browsers. There are apparently enterprise middlewares that decrypt RSA KX
for monitoring. CBC is weak and should also be checked in the high profile
because BEAST and POODLE (high because of compatibiltiy).

On Wed, Jun 27, 2018 at 4:16 PM, Eli Zaretskii <eliz@gnu.org> wrote:

> > From: Lars Ingebrigtsen <larsi@gnus.org>
> > Cc: 31946@debbugs.gnu.org,  Noam Postavsky <npostavs@gmail.com>, Eli
> Zaretskii <eliz@gnu.org>
> > Date: Wed, 27 Jun 2018 14:20:16 +0200
> >
> > Speaking of which -- it's quite a mouthful to say:
> >
> > (open-network-stream
> >  "foo" nil "dh-composite.badssl.com" "https"
> >  :tls-parameters (cons 'gnutls-x509pki (gnutls-boot-parameters
> >                                         :hostname "
> dh-composite.badssl.com")))
> >
> > I've been meaning to add a :tls keyword to `open-network-stream' that
> > would make
> >
> > (open-network-stream "foo" nil "dh-composite.badssl.com" "https" :tls t)
> >
> > a short way to write the above.  I.e., the default TLS parameters (which
> > is what you need in 99.9% of the cases) would be used if you just say
> > :tls t.
> >
> > Does that sound OK to you, Eli?
>
> Sounds good, but does it really require a new property?  Why not a
> special value of the existing :tls-parameters?  For example:
>
>   (open-network-stream "foo" nil "dh-composite.badssl.com" "https"
>                        :tls-parameters 'tls-defaults)
>