The comment by medranocalvo saved me here!

Considering the very high degree of redundancy in the gen_dh_params script:
 1. call openssl executable,
 2. download parameters from the internet,
 3. use precomputed parameter values embedded in the script;
it seems ridiculous that it does not check whether the openssl executable 
option 1 picks has a suitable version. Option 3 *does* account for the API 
differences (has more bitsizes, and is likely way faster, so why is that 
not preferred?).