[wolf550e]

2048 bit DHE breaks java 6, but is only PFS option for recent msie on windows. A tradeoff worth making.

[skuhn]

Well, DHE is the only PFS option for IE on Windows XP. Vista, 7 and 8 all support ECDHE.

IE8 on XP is basically totally busted:

https://www.ssllabs.com/ssltest/viewClient.html?name=IE&vers...

[yuhong]

It doesn't work either because it depends on DSA certificates.

[skuhn]

Yep. Time to give up on anyone using a browser that depends on XP's SSL support. Much like SSLv3, they will get the message when the entire Internet stops loading in their browser.

[kryptiskt]

They will get the message to randomly download some thing from the net that fixes their problem, if they're lucky it will be as well-behaved as Superfish.