Your HTTPS config could be improved:
You are also attackable by Logjam and on your discuss site here there are mixed content errors.
I’m not seeing mixed content warnings on discuss.codemirror.net
I know the ssl configs aren’t optimal, but since there’s no actually sensitive data being exchanged, it is not a big priority for me to figure out how to improve that at the moment.
It tries to load the Favicon over HTTP: http://codemirror.net/favicon.ico
Nothing sensitive - except of passwords and session cookies.
But it is okay. I do not say you should do it in the next 3 minutes, but consider to do it in the next time. If your server software is up-to-date it is not a big deal.