The security folks flagged our server for accepting SSL 3.0 ciphers that it shouldn't. I'm not sure about the proper way to configure this for MHD. I thought I saw a function at one pont that passes config info to gnuTLS but I can't find it. This is how operations configures NGINIX to solve the problem:
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES256+AESGCM:!MD5";