Forum Discussion
You're using TLSv1.2. The problem is that you're using RSA and AES128-SHA. The negotiated cipher is:
AES128-SHA
RSA is an obsolete key exchange and doesn't provide forward secrecy, and SHA1 is an obsolete HMAC. You can see exactly what ciphers are included in "TLSv1_2" by using the command line:
tmm --clientciphers 'TLSv1_2'
You'll definitely see RSA and SHA1 in that list. Any cipher that doesn't start with the key exchange (e.g. DHE-RSA, ECDHE-RSA, etc.) is an RSA key exchange (e.g. AES256-SHA). And "SHA" means SHA1. So there are a few options. You could start with 'DEFAULT' and remove RSA, SHA and older TLS protocols,
DEFAULT:!RSA:!SHA
or you could start with 'TLSv1_2' and simply remove RSA and SHA:
TLSv1_2:!RSA:!SHA
Definitely take a look at this list on the command line, as the latter option may also include some undesirable options like ADH (anonymous Diffie-Hellman) and ECDH (non-ephemeral elliptic curve Diffie-Hellman). Starting with the DEFAULT string will automatically remove insecure ciphers.
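The naming rules described in the reply above can be turned into a small audit filter. This is an added example, not part of the original post and not F5 code: it flags suite names with no key-exchange prefix (RSA key exchange), a trailing "-SHA" (SHA1), and the ADH and non-ephemeral ECDH families the reply warns about. The function names, the finding labels, the sample list and the TLS 1.3 and PSK/SRP name prefixes are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: classify cipher suite names by the naming rules in the post.
# Function names and finding labels are hypothetical, chosen for this sketch.

classify_cipher() {
    name=$1
    findings=""
    # Key exchange is read from the prefix of the suite name.
    case "$name" in
        TLS13-*|TLS_*)  ;;   # TLS 1.3 naming (assumption, beyond the post): ephemeral only
        ECDHE-*|DHE-*)  ;;   # ephemeral Diffie-Hellman: forward secrecy
        ADH-*|AECDH-*)  findings="anonymous-kx" ;;
        ECDH-*|DH-*)    findings="static-dh-no-fs" ;;
        PSK-*|SRP-*)    findings="non-cert-kx" ;;    # assumption: not covered by the post
        *)              findings="rsa-kx-no-fs" ;;   # no prefix: RSA key exchange
    esac
    # MAC: a trailing "-SHA" is SHA1; "-SHA256" and "-SHA384" do not match.
    case "$name" in
        *-SHA) findings="${findings:+$findings,}sha1-mac" ;;
    esac
    echo "${findings:-ok}"
}

# Read one suite name per line on stdin and print only the flagged ones.
audit_ciphers() {
    while IFS= read -r suite; do
        [ -n "$suite" ] || continue
        result=$(classify_cipher "$suite")
        [ "$result" = "ok" ] || printf '%s\t%s\n' "$suite" "$result"
    done
}

# Constructed sample list of suite names (not real tmm output).
sample_suites() {
    cat <<'EOF'
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
AES128-SHA
ECDH-RSA-AES128-SHA256
ADH-AES128-SHA
EOF
}

sample_suites | audit_ciphers
```

To check a real cipher string, feed audit_ciphers the suite names from the list that `tmm --clientciphers` prints, one per line; an empty result means none of the flagged families remain.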