TL;DR: You need to put your ssl.dh-file configuration before your SNI configuration.
DH keys of 1024 bits or less are known to be breakable, as shown in part by the Logjam attack. A strong TLS configuration for a Diffie-Hellman key exchange uses keys larger than 1024 bits. For more information see weakdh.org.
In lighttpd you can point the option ssl.dh-file to the file that contains your DH parameters. You can generate such a file like this:
openssl dhparam -out dhparam.pem -outform PEM -2 2048
To test whether your server negotiates a strong DH group, use the openssl command below; the "Server Temp Key" line shows the size of the ephemeral DH key (the -cipher "EDH" restriction forces a DHE cipher suite, and the redirect from /dev/null makes s_client exit instead of waiting for input):
openssl s_client -connect www.domain.com:443 -cipher "EDH" </dev/null | grep "Server Temp Key"
I tried deploying my configuration by putting the DH parameters per domain for SNI. This configuration is wrong; don't use it:
$HTTP["host"] == "www.domainA.nl" {
    ssl.pemfile = "/etc/letsencrypt/live/www.domainA.nl/domainA.nl.pem"
    ssl.ca-file = "/etc/letsencrypt/live/www.domainA.nl/fullchain.pem"
    ssl.dh-file = "/etc/letsencrypt/live/www.domainA.nl/dhparam.pem"
}
$HTTP["host"] == "www.domainB.nl" {
    ssl.pemfile = "/etc/letsencrypt/live/www.domainB.nl/domainB.nl.pem"
    ssl.ca-file = "/etc/letsencrypt/live/www.domainB.nl/fullchain.pem"
    ssl.dh-file = "/etc/letsencrypt/live/www.domainB.nl/dhparam.pem"
}
Your ssl.dh-file should go in the socket block, before the per-host SNI configuration. The configuration below works:
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    # default certificate, used when no $HTTP["host"] block matches
    ssl.pemfile = "/etc/letsencrypt/live/www.domainA.nl/domainA.nl.pem"
    # DH parameters apply to the whole socket, not per SNI host
    ssl.dh-file = "/etc/letsencrypt/live/www.domainA.nl/dhparam.pem"
    ssl.ec-curve = "secp384r1"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.honor-cipher-order = "enable"
    ssl.use-compression = "disable"
    ssl.use-sslv3 = "disable"
    ssl.use-sslv2 = "disable"
    $HTTP["host"] == "www.domainA.nl" {
        ssl.pemfile = "/etc/letsencrypt/live/www.domainA.nl/domainA.nl.pem"
        ssl.ca-file = "/etc/letsencrypt/live/www.domainA.nl/fullchain.pem"
    }
    $HTTP["host"] == "www.domainB.nl" {
        ssl.pemfile = "/etc/letsencrypt/live/www.domainB.nl/domainB.nl.pem"
        ssl.ca-file = "/etc/letsencrypt/live/www.domainB.nl/fullchain.pem"
    }
}
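To verify the deployed configuration for every SNI host rather than just the default certificate, the following script (an added example, not part of the original post) runs the "Server Temp Key" check from above once per hostname, passing -servername explicitly so the host block being tested is the one actually selected, and parses the DH key size out of the s_client output. The hostnames are placeholders, and the SAMPLE_* strings are constructed output so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example: per-SNI-host check of the ephemeral DH key size offered by lighttpd.
# Assumes openssl is on PATH; hostnames below are placeholders from the config above.

# Extract the DH key size (bits) from openssl s_client output given as "$1".
# Prints 0 when no "Server Temp Key: DH, N bits" line is present (no DHE, or ECDH only).
dh_bits_from_output() {
    printf '%s\n' "$1" | awk '
        /^Server Temp Key: DH,/ { print $5; found = 1; exit }
        END { if (!found) print 0 }'
}

# Accept only DH keys of at least 2048 bits (1024 and below are breakable, see weakdh.org).
dh_is_strong() {
    [ "${1:-0}" -ge 2048 ]
}

# Probe one host: force a DHE cipher suite with -cipher "EDH", send SNI with -servername,
# and close stdin so s_client exits. A failed connection yields empty output, hence 0 bits.
probe_host() {
    host="$1"
    out=$(openssl s_client -connect "$host:443" -servername "$host" -cipher "EDH" \
          </dev/null 2>/dev/null) || out=""
    dh_bits_from_output "$out"
}

# Constructed sample s_client output (not captured from a real server).
SAMPLE_OK='SSL handshake has read 3245 bytes and written 459 bytes
Server Temp Key: DH, 2048 bits
---'
SAMPLE_WEAK='Server Temp Key: DH, 1024 bits'

# Usage: ./dhcheck.sh www.domainA.nl www.domainB.nl
main() {
    rc=0
    for h in "$@"; do
        bits=$(probe_host "$h")
        if dh_is_strong "$bits"; then
            echo "$h: DH $bits bits (ok)"
        else
            echo "$h: DH $bits bits (WEAK or no DHE offered)"
            rc=1
        fi
    done
    return $rc
}

[ "$#" -eq 0 ] || main "$@"
```

A host whose block silently ignores ssl.dh-file shows up here as a smaller key or as 0 bits, so run it once per hostname after every config change.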