Enabling PFS

Please also let us know if the connection is using TLS 1.2 and if your certificate is SHA256. Those are also prerequisites I think. Also what cipher did your browser say was used?

Correct Steve, It's using TLS 1.2 and the cert is SHA256. Chrome reports the cipher is AES_256_CBC with SHA1 auth and ECDHE_RSA as the key.

The AES_256_CBC is your issue. That needs to be a GCM cipher to support "modern" vs "obsolete" cryptography. So we'll have to figure out why your browser didn't negotiate using a GCM cipher given that the cipher suite is ordered with those as the priority. As a test you could just use AES-GCM as your cipher suite and see if that works.

Using just AES-GCM looks good. Yes, it's strange why it was preferring CBC. I'm getting the devs to smoketest what browsers/versions are now broken by this.

Good to hear. I'm interested to know what the devs come back with in terms of browser compatibility using just that cipher suite. I was able to reproduce your issue. I think the problem is that my initial cipher suite order that I posted didn't support any AES-GCM cipher suites that were 128-bit and I think browsers are still going after the 128-bit ciphers. Just a guess, but I think that's it. Once I tweaked it to allow a 128-bit AES-GCM cipher towards the top it used the GCM cipher suite. I used AES-GCM+ECDHE:NATIVE:!ADH:!DHE:!RSA

Sorry, it's taken a while to update due to time off and waiting on confirmation but it looks like just using AES-GCM broke Safari (v6+) but was fine in other browsers (IE 10 also needed TLS enabled). However, changing to AES-GCM+ECDHE:NATIVE:!ADH:!DHE:!RSA looks to have resolved on all browsers supported by our application. Thanks!

Good to hear. I had to make a change to support the Win XP/IE 8 combination. From a security perspective I think it's lunacy that we're supporting it, but just in case it is needed here is the cipher suite string I had to use. AES-GCM+ECDHE:NATIVE:RC4:!ADH:!DHE:!EXP:!LOW