Forum Discussion
Joe_M
Mar 10, 2015
Nimbostratus
Not using DHE is what I will have to do if there isn't a way to specify 2048 or 4096 DH keys (like the example of the Linux box above). What we will lose (or, in our case, not get, because we are upgrading from 10.2.4 and 11.3.0) is "Forward Secrecy" for slightly older clients that don't support ECDHE. They will have to rely on AES. And as for the documentation about 1024-bit keys going from good to weak, that is located here on page 6, and the change record is on page 8.
https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide.pdf