PFS - perfect forward secrecy

Becomes more and more important for certain reasons :-) Here is what I basically did for my use cases.

nginx:
[ blah ... ssl on ... certificates ... ]
        add_header Strict-Transport-Security max-age=15768000;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
[...]

Apache2 looks like this (>= v2.2.22 | below now TLSv1.2 available)

[...]
SSLProtocol all -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite AES256+EECDH:AES256+EDH:!aNULL
[...]
And yes, this breaks some older IE like the one in XP :)
And finally, verify your results here: https://www.ssllabs.com/ssltest/