Forum Discussion
Get A Grade on SSL LAB for VIP
Try this one which I found in a thread on the old devcentral:
!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:!3DES:-MD5:-SSLv3:-RC4
I also have the following options enabled in the SSL client profile: no SSLV3, no TLSv1, and no TLSv1.1.
Here's how it comes out on SSL labs:
I find that I can get similar results locally using nmap's NSE script ssl-enum-ciphers, like so:
PS C:\Users\user\nmap-7.70> .\nmap.exe -sV --script ssl-enum-ciphers -p 443 hostname.organization.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-27 12:33 Eastern Daylight Time
Nmap scan report for 123.123.123.123
Host is up (0.00s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http httpd
|_http-server-header:
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
Service Info: OS: OS; CPE: cpe:/o:cpe
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.81 seconds
It's nice not to be dependent on an external resource for a quick, repeatable check, and also not to forget to hide the results.
Good luck!
- Roy_Jee, Aug 28, 2019 (Nimbostratus)
Can you please suggest a cipher string for v13.0? The grade has changed, but the Weak Ciphers issue still persists.
Here is the string:
!SSLv2:!TLSv1:!TLSv1_1:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:!SSLv3
- Mark_Gallagher, Aug 28, 2019 (Altocumulus)
This works but I think you'll definitely see downlevel client failures:
!SSLv2:!TLSv1:!TLSv1_1:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:!ECDHE+AES:!RSA+AES-GCM:!RSA+AES:!ECDHE+3DES:!RSA+3DES:!SSLv3
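As an added example (not from this thread or from F5), a small Python checker over the nmap ssl-enum-ciphers output quoted in the first post: it parses the suite list and flags the properties a "Weak ciphers" warning usually points at (CBC mode, 3DES, RC4, and plain-RSA key exchange without forward secrecy), which is why a list nmap grades all "A" can still draw that complaint. The weakness criteria are this example's own assumptions, not SSL Labs' published rules, and the sample output is constructed from the lines posted above.

```python
import re

# Constructed sample: a subset of the ssl-enum-ciphers output quoted in this thread
SAMPLE_NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_    least strength: A
"""

PROTO_RE = re.compile(r"^(SSLv\d|TLSv1(?:\.\d)?):$")
SUITE_RE = re.compile(r"^(TLS_[A-Z0-9_]+) \((.*?)\) - ([A-F])$")

def parse_suites(nmap_output):
    """Return [(protocol, suite, nmap_grade)] from ssl-enum-ciphers output."""
    proto, suites = None, []
    for line in nmap_output.splitlines():
        body = line.lstrip("|_ ").rstrip()  # drop nmap's '|' / '|_' margin
        if m := PROTO_RE.match(body):
            proto = m.group(1)
        elif m := SUITE_RE.match(body):
            suites.append((proto, m.group(1), m.group(3)))
    return suites

def weaknesses(suite):
    """Assumed weak-cipher criteria for this example (not SSL Labs' published rules)."""
    reasons = []
    if any(tag in suite for tag in ("_NULL_", "_EXPORT", "_anon_")):
        reasons.append("no encryption, export strength or no authentication")
    if "RC4" in suite:
        reasons.append("RC4")
    if "3DES" in suite:
        reasons.append("3DES")
    if "_CBC_" in suite:
        reasons.append("CBC mode (not AEAD)")
    if not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        reasons.append("no forward secrecy")
    return reasons

def audit(nmap_output):
    """Map each offered suite that has a weakness to its reasons, regardless of nmap's letter grade."""
    return {s: w for _, s, _ in parse_suites(nmap_output) if (w := weaknesses(s))}
```

An empty result from audit() corresponds to the ECDHE+AES-GCM-only string in the reply above, which is also why that string drops older clients.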