Forum Discussion
Sean_Gray_14855
Nimbostratus
Apr 17, 2014
Enabling PFS
Hi everyone, I've been trying to get PFS enabled on my LTM (ver 11.4.1) and am running into a blocker. I've tried various cipher string options and have no luck so far. I've also opened a ticket wi...
JMart_143192
Nimbostratus
Aug 14, 2015
Hello everyone,
I am trying to get the PFS enabled on my platform, I have the following profile enabled:
ltm profile client-ssl /Common/clientssl_HB_users {
    app-service none
    ca-file /Common/cert.crt
    cert /Common/cert_2015.crt
    ciphers DEFAULT:!COMPAT:ECDHE+AES:ECDHE+3DES:AES:3DES:!MD5:!EXPORT:!DES:!EDH:!RC4
    defaults-from /Common/clientssl
    key /Common/cert_2015.key
    options { dont-insert-empty-fragments no-sslv3 }
    renegotiation disabled
}
I'm getting an A- on SSL Test and I need to upgrade it. My platform is on version 11.4.1 HF 6. Could you help me to solve this? Thank you so much!
- Steve_M__153836
Aug 14, 2015
Nimbostratus
There are many things that go into that grade. I know there are two renegotiation settings in the profile. Make sure the one you have disabled is the one that corresponds to client-side renegotiation. Also found this in Qualys' recommendations (https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf). "3DES provides about 112 bits of security. This is below the recommended minimum of 128 bits, but it's still strong enough. A bigger practical problem is that 3DES is much slower than the alternatives. Thus, we don't recommend it for performance reasons, but it can be kept at the end of the cipher list for interoperability with very old clients." If there is anything from the result that states why you received the grade you did please post that so we can review it.
- JMart_143192
Aug 14, 2015
Nimbostratus
Hello Steve M. Thanks for your response! Yes, my problem is with the FS (Forward Secrecy): it doesn't show a specific state, only "Forward Secrecy No WEAK", and it only shows me that I am not supporting FS for any of the browsers. I thought that the only thing I see on every site is that I have to put the ECDHE in the ciphers, but it wasn't all for me. I don't know how I can improve this. Thank you so much
- Steve_M__153836
Aug 18, 2015
Nimbostratus
So what you're going to have to do is look at the cipher suite used for those browsers and figure out what the correct variables are with the cipher suites and remove it. I have the same issue because my business has forced me to allow the RC4 ciphers. I would get an A or A+ if it were not for that. Since you're not allowing RC4 then it is a different cipher suite that is your issue.
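The step Steve describes, finding out which suite each browser actually ends up with and whether it uses ephemeral key exchange, can be done on paper from two ordered lists: the server's cipher preference and each client's offer. The script below is an added example, not code from this thread or from F5. It classifies suite names by key exchange, simulates server-preferred negotiation, and shows the effect of moving the ECDHE/DHE suites ahead of the RSA-key-exchange ones. The server order and the client offers are constructed placeholders; they are not the real expansion of the poster's cipher string or real browser fingerprints. (On BIG-IP, `tmm --clientciphers '<cipher string>'` prints the ordered expansion of a string; feed that output into `SERVER_PREFERENCE` to reason about a real profile.)

```python
"""Added example (not from the DevCentral thread or F5): classify TLS cipher suites
by key exchange and simulate server-preferred negotiation, so you can see which
client would be handed a suite without forward secrecy and why ordering matters."""
from typing import Dict, List, Optional, Tuple

# Key-exchange methods that use ephemeral keys and therefore give forward secrecy.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}


def key_exchange(suite: str) -> str:
    """Derive the key-exchange method from an OpenSSL- or IANA-style suite name.

    'ECDHE-RSA-AES128-SHA' -> 'ECDHE', 'AES128-SHA' -> 'RSA',
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' -> 'DHE', 'ECDH-RSA-AES128-SHA' -> 'ECDH'.
    """
    name = suite.strip().upper().replace("_", "-")
    if name.startswith("TLS-"):
        name = name[4:]
    # Longer prefixes first so ECDHE is not mistaken for static ECDH, nor DHE for DH.
    for kx in ("ECDHE", "ECDH", "DHE", "EDH", "DH", "RSA"):
        if name.startswith(kx + "-"):
            return kx
    # Bare OpenSSL names such as AES256-SHA or DES-CBC3-SHA use RSA key exchange.
    return "RSA"


def provides_forward_secrecy(suite: str) -> bool:
    """True only for ephemeral (EC)DH key exchange; static ECDH and RSA do not qualify."""
    return key_exchange(suite) in EPHEMERAL_KX


def negotiate(server_preference: List[str], client_offer: List[str]) -> Optional[str]:
    """Server-preference mode: the first suite in the server's order that the client
    also offers wins. None means no common suite (handshake fails)."""
    offered = set(client_offer)
    for suite in server_preference:
        if suite in offered:
            return suite
    return None


def prefer_forward_secrecy(server_preference: List[str]) -> List[str]:
    """Stable reorder: every ephemeral-key-exchange suite moves ahead of the rest."""
    fs = [s for s in server_preference if provides_forward_secrecy(s)]
    rest = [s for s in server_preference if not provides_forward_secrecy(s)]
    return fs + rest


def audit(server_preference: List[str],
          clients: Dict[str, List[str]]) -> Dict[str, Tuple[Optional[str], bool]]:
    """For each client, report (negotiated suite, has forward secrecy)."""
    result: Dict[str, Tuple[Optional[str], bool]] = {}
    for name, offer in clients.items():
        chosen = negotiate(server_preference, offer)
        result[name] = (chosen, chosen is not None and provides_forward_secrecy(chosen))
    return result


# Constructed server order (hypothetical): the shape a string like the poster's would
# take if the non-ephemeral suites in DEFAULT sort ahead of the explicit ECDHE groups.
SERVER_PREFERENCE = [
    "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA",
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-DES-CBC3-SHA",
]

# Constructed client offers (hypothetical, not real browser cipher lists).
CLIENTS = {
    "modern browser": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA",
                       "AES128-SHA", "DES-CBC3-SHA"],
    "legacy client": ["AES128-SHA", "DES-CBC3-SHA"],
}

if __name__ == "__main__":
    for label, order in (("as configured", SERVER_PREFERENCE),
                         ("ephemeral suites first", prefer_forward_secrecy(SERVER_PREFERENCE))):
        print(f"== server order: {label}")
        for client, (suite, fs) in audit(order, CLIENTS).items():
            print(f"  {client:15s} -> {suite or 'handshake fails':28s} FS={'yes' if fs else 'NO'}")
```

With the constructed order, the modern browser is handed AES128-SHA (no forward secrecy) simply because the server prefers it, even though both sides support ECDHE; after the reorder the same client gets ECDHE-RSA-AES128-SHA. The legacy client, which offers no ephemeral suite, stays on AES128-SHA either way, which is the case a grade report will keep flagging until that suite is removed or the client is retired.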