Dear Sir/Madam,
Regarding the use of Diffie-Hellman ephemeral key exchanges, i think there might be room for improvement to these guidelines.
I'm a bit surprised that the guidance does not recommend the use of 'Finite Field Diffie-Hellman Ephemeral Parameters' (FFDHE).
FFDHE parameters should be preferred to randomly generated or pre-configured groups, these groups have been audited and may be more resistant to attacks than randomly generated or pre-configured groups. [1]
Furthermore, the use of FFDHE is recommended by the IETF in RFC7919 [2] and (for what its worth) is mandated by the Dutch NCSC. [3]
Should one wish to implement the use of FFDHE, copy's of the aformentioned groups can be obtained from the Dutch Internet Standards Platform or from Mozilla
To check if the use FFDHE is properly implemented one might find testssl.sh useful.
With kind regards,
Ruben Hummel