Because of the recent revelations about PRISM, it feels like everybody is revisiting their security infrastructure.
After many hours of testing the available ciphers in the Apache web server, I realized that it is impossible to get Perfect Forward Secrecy with Red Hat and its derivatives. See bug #319901.
I have decided to recompile OpenSSL and Apache for the servers I manage, and I have uploaded the scripts I use to this repository: https://github.com/jorti/fedora-compile-with-ecc
They are based on previous work by Daniel Pocock: http://danielpocock.com/ussing-ecc-ecdsa-in-openssl-and-strongswan-fedora
And this is the configuration I use in Apache, taken from http://ggramaize.wordpress.com/2013/08/02/tls-perfect-forward-secrecy-support-with-apache/
# /etc/httpd/conf.d/ssl.conf
# Only the listed TLS versions are enabled; SSLv2/SSLv3 are left out
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
# Disable TLS-level compression
SSLCompression off
# Ephemeral (ECDHE/DHE) suites come first so forward secrecy is preferred;
# the non-ephemeral suites at the end are fallbacks for older clients
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA
# Use the server's order above instead of the client's preference
SSLHonorCipherOrder on
# Redirect everything to HTTPS
<IfModule rewrite_module>
RewriteEngine On
#LogLevel info rewrite:trace8
# Canonicalize the hostname (dots are escaped so they match literally)
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301]
# Send plain HTTP requests to HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301]
</IfModule>
<IfModule headers_module>
# HSTS: browsers will use HTTPS for this host and its subdomains for about six months
Header add Strict-Transport-Security "max-age=15768000; includeSubDomains"
</IfModule>
You can test your web server's SSL configuration with this excellent online utility: https://www.ssllabs.com/ssltest/analyze.html
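As an offline complement to that check, here is an added example (my own script, not part of the original post or the linked repository) that parses the SSLCipherSuite value from the configuration above and reports which suites actually give forward secrecy and which are weak fallbacks. It only inspects OpenSSL cipher names and assumes the usual ECDHE/DHE/EDH prefixes mark an ephemeral key exchange.

```python
# Added example: classify an Apache SSLCipherSuite list by forward secrecy.
# It parses OpenSSL cipher names only; it does not connect to a server.
from typing import Dict, List, Optional

# Cipher list copied verbatim from the ssl.conf shown in the post.
SSL_CIPHER_SUITE = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:"
    "AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:"
    "AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
)

# OpenSSL names an ephemeral (forward-secret) key exchange with these prefixes.
# A name without them (e.g. AES128-SHA) uses static RSA key transport, so a
# leaked server key would decrypt previously recorded sessions.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
# Substrings that mark suites worth dropping regardless of key exchange.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def classify(suite: str) -> Dict[str, object]:
    return {
        "suite": suite,
        "pfs": suite.startswith(PFS_PREFIXES),
        "weak": any(m in suite for m in WEAK_MARKERS),
    }


def audit(cipher_string: str) -> List[Dict[str, object]]:
    """Classify every suite in an SSLCipherSuite value, keeping the server's order.
    Modifiers such as !aNULL or @STRENGTH are not suites and are skipped."""
    names = [s for s in cipher_string.split(":") if s and s[0] not in "!-+@"]
    return [classify(s) for s in names]


def summary(cipher_string: str) -> Dict[str, int]:
    entries = audit(cipher_string)
    return {
        "total": len(entries),
        "pfs": sum(e["pfs"] for e in entries),
        "non_pfs": sum(not e["pfs"] for e in entries),
        "weak": sum(e["weak"] for e in entries),
    }


def first_non_pfs(cipher_string: str) -> Optional[str]:
    """With SSLHonorCipherOrder on, the server picks the first suite it shares
    with the client; from this position on the list no longer offers PFS."""
    return next((e["suite"] for e in audit(cipher_string) if not e["pfs"]), None)


def pfs_only(cipher_string: str) -> str:
    """The same list with non-PFS and weak suites removed, order preserved."""
    keep = [e["suite"] for e in audit(cipher_string) if e["pfs"] and not e["weak"]]
    return ":".join(keep)
```

Running `audit(SSL_CIPHER_SUITE)` against the list above shows that everything from RC4-SHA onward is a non-forward-secret fallback, and `pfs_only()` gives a stricter list for servers whose clients all support ECDHE or DHE.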