[tptacek]

Turning off DHE is safe. I assume you agree with this, because your SSL server appears unable to do DHE. But whether you agree or not, ephemeral DH is not necessary for secure SSL. As Adam Langley pointed out himself: enabling DHE without knowing what you're doing can create more security problems, because your parameters can be insecure.

I'm having trouble parsing the rest of your comment. I don't have a religious belief about what defaults are reasonable to muck with and which aren't, but: this particular one is fine to change.