There are many possible ways to configure your server to support only secure cipher suites and get an A/A+ rating from the SSL Labs SSL Test; some are more restrictive than others, and some are more complex than others.
There is no single holy grail, but for OpenSSL-based applications such as Apache, Postfix or nginx, I prefer a general notation that I personally find more readable and more sensible:
- Only enable strong (High) encryption cipher suites (at least 128 bit length)
- Exclude cipher-suites without authentication (aNULL) or without encryption (eNULL)
- Exclude fixed/static ECDH key exchange (kECDH) as opposed to ephemeral ECDHE keys (no PFS, rarely used)
- Exclude cipher-suites using DH authentication (aDH), which is rarely used and needs the certificate to have static DH keys
- Exclude RC4 and 3DES cipher-suites which are known to be weak or outdated
- Exclude Camellia cipher suites, which are rarely used or preferred by clients/servers when AES is already supported; AES is the de-facto standard
- Exclude outdated cipher-suites using weak MD5 HMAC
- Exclude cipher suites used extremely rarely or only in very specific applications, such as Secure Remote Password authentication (SRP), PSK (Pre-Shared Key) and KRB5 (Kerberos 5, which also supports only old ciphers/HMACs)
- Sort the cipher list by strength
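The rules above map one-to-one onto keywords of the openssl(1) cipher-string syntax. The following script is an added example, not the author's configuration: it assembles such a string from the listed rules (the exact string is my assumption derived from the bullets, using the keyword names OpenSSL 1.0.x understands), expands it with the local `openssl ciphers`, and checks that no suite from an excluded family survived. The `suites_clean` check is a constructed helper that works purely on suite names.

```shell
#!/bin/sh
# Added example (not the author's configuration): build an OpenSSL cipher string
# from the rules in the text and sanity-check what the local OpenSSL expands it to.

# Cipher string assembled rule by rule (assumption, derived from the bullet list):
# HIGH keeps only strong suites, each !X removes one family, and @STRENGTH sorts
# the remaining suites by key length.
build_cipher_string() {
  printf '%s' 'HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!SRP:!PSK:!KRB5:@STRENGTH'
}

# Expand the string with the local OpenSSL and print one suite name per line.
# Returns non-zero if this OpenSSL rejects the string, e.g. because a build that
# dropped a suite family no longer recognises the matching keyword.
list_enabled_suites() {
  raw=$(openssl ciphers "$(build_cipher_string)") || return 1
  printf '%s\n' "$raw" | tr ':' '\n'
}

# Read suite names from stdin; succeed only if none belongs to an excluded family.
# Static ECDH suites are named ECDH-..., static DH suites DH-..., anonymous ones
# ADH-/AECDH-; the other families are recognised by the cipher or MAC part of
# the name (3DES suites are spelled DES-CBC3).
suites_clean() {
  ! grep -Eiq '^(ECDH|DH|ADH|AECDH)-|RC4|DES-CBC3|CAMELLIA|MD5|SRP|PSK|KRB5|NULL'
}

# Print the enabled suites, count them, and flag any excluded family that slipped in.
report() {
  suites=$(list_enabled_suites) || return 1
  printf '%s\n' "$suites"
  printf '%s suites enabled\n' "$(printf '%s\n' "$suites" | wc -l)"
  if printf '%s\n' "$suites" | suites_clean; then
    echo 'no excluded families present'
  else
    echo 'WARNING: a suite from an excluded family is still enabled'
  fi
}

# Only try the expansion when an openssl binary is available.
if command -v openssl >/dev/null 2>&1; then
  report || echo 'openssl rejected the cipher string; check which keyword your version lacks'
fi
```

Run it on the server whose OpenSSL the application links against, since the expansion differs between OpenSSL versions; the count printed is what the text's "30 suites" figure refers to on OpenSSL 1.0.1j.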
With at least the recent OpenSSL 1.0.1j version, this enables a broad range of 30 secure AES-based cipher suites, including some basic non-PFS AES suites for compatibility reasons (decide for yourself whether you're OK with this). This guarantees an SSL Test rating of at least A.
If you really need to support older clients, then you could also consider leaving 3DES enabled.
Note: To get an A+ rating, your certificate currently must have a SHA-256 chain, and the server also needs to support TLS Fallback SCSV and apparently HTTP Strict Transport Security as well.