DH over elliptic curves is definitely fast enough for general purpose use, but on low-power devices it could be problematic. I think a better approach is the one I used in spiped: Each connection can pick whether to do a DH computation and get forward secrecy or to instead use a DH exponent of zero and still get regular secrecy.
Alas, SSL doesn't support such a mechanism.