Does anyone have links to bugs for the affected programs to make 2048 the minimum by default? It seems like we shouldn't have to continue to manually configure secure settings.

OpenVPN? SSH? Nginx? Apache?

Where are the bugs to make these not use insecure dhparams by default?

Easy-rsa[1] (OpenVPN's key/cert generation/signing tool) version 3 will generate a 2048-bit Diffie-Hellman key by default. Previous versions of easy-rsa used 1024 bits as the default.

Here is a comment written in the vars configuration file for easy-rsa 2.2.2:

    # Increase this to 2048 if you
    # are paranoid.  This will slow
    # down TLS negotiation performance
    # as well as the one-time DH parms
    # generation process.
    export KEY_SIZE=1024

So if you used easy-rsa version 2.2.2 or previous to generate your Diffie-Hellman key for the server, and didn't increase the default size in the vars file before doing so, your server uses a 1024-bit Diffie-Hellman key.

[1] https://github.com/OpenVPN/easy-rsa