unfortunatetly I am not a security/cryptography expert. I would recommend executing a test with the SSLLabs analyzer (takes about 120 secs each IP for my domain). It’s quite extensive and lists results for:
- Certificate information
- Protocol information
- Cipher suites (including security ratings)
- Compatibility with major devies (Windows, browsers, mobiles)
- Known vulnerabilities
After the result (which is a “B”, so it’s not a total critical issue ) I looked up the problem and I did remember reading about the possibilitiy of reducing the security of D-H ciphers some time ago. It seems it is possible to reduce the cipher strength making D-H cipher key lengths of 768-1024 bit practically attackable (you know, with a super computer).
I found websites which suggested (among other things) to switch to the cipher suite I posted earlier (https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html). This seems to be the same cipher suite used in the link I provided to another yunohost forum entry.
One additional note: on a website (I don’t remember which) it was stated that removing D-H would break with Windows XP running IE as browser. Seeing the current handshake simulation by SSLLabs again it seems the current implementation already breaks the handshake anyway .
Have a good evening,