Please keep in mind that this set of cipher suites is only applicable for certificates with RSA public / private key pair.
Note that the first cipher in the list will be marked as "weak" in SSL labs and it will reduce the mark to B, because Windows Server uses weak (1024bit) DH parameters for DHE key exchange. However, thanks to this particular cipher Google Chrome
doesn't treat the connection as obsolete.
Regretfully, there is no way to change DH parameters size in case of Windows Server: Windows Server 2012 R2 added TLS_DHE_RSA > 1... | Qualys Community
Another benefit - this cipher suite provides compatibility with clients that do not support Elliptic Curve Cryptography (ECC).
With the set of cipher suites as in the example above, you get B mark in SSL labs:
But Google Chrome reports that the connection is secured with modern cryptography:
If A mark in SSL labs is critical for you, you should consider excluding the first cipher suite (TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) that imply DHE key exchange leaving cipher suites with ECDHE key exchange only:
With this set of ciphers you get “A” from SSL labs:
But Google Chrome treats SSL/TLS configuration as obsolete:
In case of RSA keys, there is no compromise solution unfortunately. It will be though, as soon as Microsoft adds support for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher suite to SChannel or makes Diffie-Hellman parameters configurable by a server administrator. We would recommend checking security updates for SChannel to timely update configuration once one of the aforementioned solutions becomes available.
Cipher suites should be entered as a single line with a comma as a separator. Refer to the syntax in the example above.
Once the required ciphers are entered, click “Apply” > “OK”