Although CentOS 6.5 ships an OpenSSL that is capable of ECDHE key exchange, it doesn’t ship an nginx, and the nginx you get from is compiled against an older OpenSSL and therefore cannot offer ECDHE. That matters because it costs you PFS for IE browsers: Internet Explorer does not do DHE with RSA certificates, so without ECDHE it ends up with a plain RSA key exchange and no forward secrecy at all.
If you want to learn more about deploying SSL/TLS, Qualys’s SSL/TLS Deployment Best Practices are a decent primer.
Since I wrote this article in 2013, many TLS checkers have appeared.
But let me stress that this configuration works on both Apache 2.2 and 2.4.
If your OpenSSL doesn’t support the preferred modern ciphers (like the still common 0.9.8), OpenSSL silently drops the suite names it does not know and falls back gracefully to the rest of the list, but your configuration is ready for the future.
If you find any factual problems, please reach out to me and I will fix it ASAP.
On the client side, the browser vendors are starting to catch up.

Ironically, that used to be the original reason for this article: when Lucky Thirteen came out, the word on the street was “use RC4 to mitigate”, and everyone was like “how!?” Unfortunately, shortly thereafter RC4 was found to be broken in a way that makes deploying TLS with it nowadays a risk. While BEAST et al. require an attack on the victim’s browser, passive attacks on RC4 ciphertext are getting stronger every day.

The configuration keeps AES-256 mostly for liability reasons, because customers may insist on it for bogus reasons. However, quoth a cryptographer: the very simplified gist is that the only reason for having 256-bit keys is quantum computers, which are less likely to become a problem than the key scheduling issues in AES-256.

TLS compression is a bit more complicated: as of Apache 2.2.23, it’s not possible to switch it off inside of Apache. For Apache 2.2.24 and 2.4.3 you can switch it off in the configuration; whether compression is available at all also depends on the version of OpenSSL. For nginx: if OpenSSL 1.0.0 or later is installed, anything after nginx 1.0.9 and 1.1.6 is fine; if an older OpenSSL is installed, you’ll need at least nginx 1.2.2 or 1.3.2.

Please note that you need Apache 2.4 for ECDHE and ECDSA. You can circumvent that limitation by putting an SSL proxy like hitch or even nginx in front of it and letting Apache serve only plain HTTP.
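Two of the points above (the graceful fallback when the local OpenSSL does not know a suite, and the question of whether a given suite still gives you forward secrecy, which is what IE loses without ECDHE) can be checked on the box itself before touching the server configuration. The script below is an added example, not code from the original article; it asks the local OpenSSL through Python’s `ssl` module which suites of a preference list it will actually offer, reports the names it dropped, flags suites whose key exchange is plain RSA (no PFS), and confirms that TLS compression is disabled on the context. The `PREFERRED` list is a constructed example list, not the article’s cipher string.

```python
"""Audit a cipher preference list against the local OpenSSL.

Added example; not from the original article.  The PREFERRED list
below is constructed for illustration, replace it with your own.
"""
import ssl

# Constructed preference list: ECDHE first, AES-128 before AES-256, no RC4.
# The last entry uses a plain RSA key exchange and exists only to show how
# a suite without forward secrecy is reported.
PREFERRED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]


def key_exchange(cipher):
    """Return the Kx= field of OpenSSL's cipher description (ECDH, DH, RSA, ...)."""
    for token in cipher["description"].split():
        if token.startswith("Kx="):
            return token[3:]
    return "?"


def is_forward_secret(cipher):
    """Ephemeral (EC)DH key exchange gives forward secrecy; static RSA does not."""
    return key_exchange(cipher) in ("ECDH", "DH")


def offered_suites(preferred):
    """TLS <= 1.2 suites the local OpenSSL enables for this list, in order.

    OpenSSL ignores suite names it does not know and only fails when
    nothing in the list is usable; that is the graceful fallback.
    TLS 1.3 suites are configured separately and are always forward
    secret, so they are left out of the comparison.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(":".join(preferred))
    except ssl.SSLError:
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(preferred):
    """Summarise what this OpenSSL would offer for the given preference list."""
    offered = offered_suites(preferred)
    names = [c["name"] for c in offered]
    return {
        "offered": names,
        "dropped": [n for n in preferred if n not in names],
        "no_pfs": [c["name"] for c in offered if not is_forward_secret(c)],
    }


def compression_disabled():
    """True when the context carries OP_NO_COMPRESSION (Python sets it by default)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    report = audit(PREFERRED)
    print("offered:", ", ".join(report["offered"]) or "(none)")
    print("dropped by this OpenSSL:", ", ".join(report["dropped"]) or "(none)")
    print("no forward secrecy:", ", ".join(report["no_pfs"]) or "(none)")
    print("TLS compression disabled:", compression_disabled())
```

Run it on the machine that will terminate TLS: anything listed under `dropped` is what an older OpenSSL (such as 0.9.8) silently loses, and anything under `no_pfs` is what a client without ECDHE support, like Internet Explorer, would end up negotiating. On a live server the same two questions are answered by `openssl s_client -connect host:443`, which prints the negotiated cipher and a `Compression:` line; for the Apache versions named above the corresponding server-side switch is the `SSLCompression off` directive.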