by nuxi7 4122 days ago
Non-EC DHE is basically dead. The param size isn't part of the TLS handshake and so using a larger size actually breaks some clients that only do 1024-bit DH params. At the end of the day, almost all the clients that support larger DH param sizes also support ECDHE, which is faster anyway. You might as well not bother and just keep a few non-PFS ciphers for those clients to avoid interoperability problems.

Bonus trivia: ssh-dss (SSH DSA keys) has a vaguely similar problem, which they considered fixing but decided instead to simply not repeat the mistakes when writing the SSH ECDSA spec. This is why ssh-dss keys are effectively limited to 1024-bit.
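As an added example (not code from the thread), a small parser for the TLS 1.2 ServerKeyExchange message that carries the DHE group: the client only learns the prime's size here, after it has already committed to a DHE suite, which is why a server moving to a larger group breaks 1024-bit-only clients. Field names follow RFC 5246; the sample moduli are constructed placeholders, not primes.

```python
SERVER_KEY_EXCHANGE = 0x0C  # HandshakeType value from RFC 5246

def _read_vec16(buf, off):
    """Read an opaque<1..2^16-1> vector at off; return (value, next offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated vector length")
    n = int.from_bytes(buf[off:off + 2], "big")
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length %d" % n)
    return buf[off:off + n], off + n

def parse_server_dh_params(msg):
    """Parse a ServerKeyExchange carrying ServerDHParams (dh_p, dh_g, dh_Ys).
    The client learns p's size only here, after committing to a DHE suite."""
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    p, off = _read_vec16(body, 0)
    g, off = _read_vec16(body, off)
    ys, off = _read_vec16(body, off)
    return {
        "p_bits": int.from_bytes(p, "big").bit_length(),
        "g": int.from_bytes(g, "big"),
        "trailer_bytes": len(body) - off,  # signed_params, left unparsed
    }

def build_server_key_exchange(p, g, ys, trailer=b""):
    """Constructed fixture: wrap ServerDHParams in a handshake header."""
    body = b"".join(len(v).to_bytes(2, "big") + v for v in (p, g, ys)) + trailer
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

def dh_group_verdict(p_bits):
    """Map group size to the interoperability tradeoff from the thread."""
    if p_bits < 1024:
        return "weak: below 1024 bits"
    if p_bits == 1024:
        return "legacy: accepted by 1024-bit-only clients, too small today"
    return "strong: rejected by clients hard-wired to 1024-bit groups"

if __name__ == "__main__":
    # Constructed placeholder moduli (not primes): only the lengths matter.
    for bits in (1024, 2048):
        p = b"\x80" + b"\x00" * (bits // 8 - 1)
        ske = build_server_key_exchange(p, b"\x02", b"\x01" * (bits // 8), b"\xaa" * 256)
        print(bits, dh_group_verdict(parse_server_dh_params(ske)["p_bits"]))
```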


2048-bit DHE breaks Java 6, but is the only PFS option for recent MSIE on Windows. A tradeoff worth making.

Well, DHE is the only PFS option for IE on Windows XP. Vista, 7 and 8 all support ECDHE.

IE8 on XP is basically totally busted:

https://www.ssllabs.com/ssltest/viewClient.html?name=IE&vers...

It doesn't work either because it depends on DSA certificates.

Yep. Time to give up on anyone using a browser that depends on XP's SSL support. Much like SSLv3, they will get the message when the entire Internet stops loading in their browser.

They will get the message to randomly download some thing from the net that fixes their problem, if they're lucky it will be as well-behaved as Superfish.