Comment 35 for bug 1197884

In , Frazzzzze (frazzzzze) wrote :

DH-parameters should always be at least the same size as the SSL certificate, so if I use 4096 or even 8192 bit for the certificate, a DH parameter with only 2048 bit would effectively weaken the whole connection down to 2048 bit, which we don't want, and in a few years we would have exactly the same situation (DH parameters too weak and not FULLY selectable) as we do right now.
So please consider this and let the admin choose freely, but at least make sure DH parameter bits are never smaller than SSL certificate bits!