Specify ciphers that optimize for security and performance

* Prefer the ECDHE + AESGCM cipher suites first, these represent the
best performance and the best security.
* Then, prefer the DH + AESGCM, these are equivalent to the first in
terms of security, however they are slower.
* Then, we'll prefer any AES cipher that supports PFS, sorting by
strength, then performance.
* Then we'll prefer any non PFS cipher, with AESGCM first, but finally
any other non PFS cipher.
* We then exclude any AES256 ciphers, we exclude them here instead of
just not mentioning them so that they can be re-enabled simply by
removing the !AES256. We exclude them because they are not
meaningfully more secure than AES128, however they are slower.
* We then exclude !aNULL, this is needed because we're not manually
specifying every cipher by name, and we're not specifying any
authentication. This will ensure that no matter what we'll always
have *some* authentication.
* We then exclude !eNULL, this isn't really needed since all of our
included ciphers have encryption specified. It exists primarily for
symmetry with !aNULL.
* We then exclude !MD5, much like !aNULL this is done because we don't
specify a digest anywhere, so we want to make sure we don't support
* Finally we exclude DSS, PSK, and SRP. These are just to make
debugging the list easier. It's basically impossible to get a DSS
certificate issued instead of a RSA certificate and nobody really
uses PSK or SRP.

This will drop support for IE8 on Windows XP, essentially dropping
support for all versions of IE on Windows XP. Windows XP users
would need to use Firefox or Chrome to use the service.
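
The ordering and exclusions described above can be checked against the local OpenSSL build. The following is an added example, not code from this commit: the cipher string is an assumed reconstruction from the message's description, and `enabled_suites`, `is_pfs` and `audit` are hypothetical helper names.

```python
import ssl

# Assumed cipher string rebuilt from the order the message describes;
# it is not the string from the commit itself.
CIPHERS = ":".join([
    "ECDH+AESGCM",   # ECDHE + AES-GCM first
    "DH+AESGCM",     # then DHE + AES-GCM
    "ECDH+AES",      # then any other AES suite with forward secrecy
    "DH+AES",
    "RSA+AESGCM",    # then non-PFS suites, AES-GCM first
    "RSA+AES",
    "!AES256", "!aNULL", "!eNULL", "!MD5", "!DSS", "!PSK", "!SRP",
])

def enabled_suites(cipher_string=CIPHERS):
    """Suite names OpenSSL enables for the string, in preference order.

    TLS 1.3 suites are skipped: set_ciphers() does not control them, so
    an exclusion such as !AES256 has no effect on that protocol version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def is_pfs(name):
    """True for ephemeral (EC)DH key exchange, judged by OpenSSL suite name."""
    return name.startswith(("ECDHE-", "DHE-"))

def audit(names):
    """Return a list of findings; an empty list means the policy holds."""
    findings = []
    banned = ("AES256", "NULL", "MD5", "DSS", "PSK", "SRP")
    for name in names:
        if any(tag in name for tag in banned) or name.startswith(("ADH-", "AECDH-")):
            findings.append("excluded class still enabled: " + name)
    seen_non_pfs = False
    for name in names:
        if not is_pfs(name):
            seen_non_pfs = True
        elif seen_non_pfs:
            findings.append("PFS suite ranked below a non-PFS suite: " + name)
    if not names or not (is_pfs(names[0]) and "GCM" in names[0]):
        findings.append("first preference is not a PFS AES-GCM suite")
    return findings

if __name__ == "__main__":
    for suite in enabled_suites():
        print(suite)
    print(audit(enabled_suites()) or "policy holds")
```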