Hi Remi,


> The default value for max-dh-param-size is set to 1024, thus keeping
> the current behavior by default. Setting a higher value (for example
> 2048 with a 2048 bits RSA/DSA server key) allows an easy upgrade
> to stronger ephemeral DH keys (and back if needed).


Please note that Sander used 4096bit - which is why he saw huge CPU load.

Imho we can default max-dh-param-size to 2048bit.


Best thing would be if Sander could test in his environment with a 2048bit
dhparam manually (in the cert file).




Regards,

Lukas

                                          
