How do I enable perfect forward secrecy by default on Apache?

一向 2021-01-29 18:08

Warning: please only use the recommendations for Apache configuration from the answers below. For which cipher(s) to use - security norms change over time a

8 answers
  •  暗喜 (original poster)
    2021-01-29 18:52

    From my own understanding, you need to activate SSLHonorCipherOrder and to prepend SSLCipherSuite with ECDHE and DHE ciphers from openssl ciphers -v.

    From my /etc/apache2/mods-available/ssl.conf:

    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
    

    To test your website, you can use: https://www.ssllabs.com/ssltest

    Note: Elliptic Curve DHE only seems to work with Apache 2.3.3 or higher (see source and Bruno's comment).
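
An added example, not part of the answer above or of Apache's own tooling: a small Python check that reads the two directives from the answer and reports whether forward-secret (ECDHE/DHE) suites are actually ranked first and enforced by the server. The function names `directive` and `audit` and the embedded sample are assumptions for illustration; the single-argument form of SSLCipherSuite is assumed, and aliases such as HIGH are reported rather than expanded because their contents depend on the local OpenSSL build.

```python
import re

# Constructed sample: the two directives quoted in the answer above.
SAMPLE_CONF = """\
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
"""

# Prefixes that denote an ephemeral (EC)DH key exchange in OpenSSL cipher strings.
FS_PREFIXES = ("ECDHE", "DHE", "EECDH", "EDH", "kEECDH", "kEDH", "kECDHE", "kDHE")


def directive(conf, name):
    """Return the last uncommented value of an Apache directive, or None."""
    hits = re.findall(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", conf, re.I | re.M)
    return hits[-1] if hits else None


def audit(conf):
    """Classify SSLCipherSuite entries and report whether forward secrecy is preferred."""
    # Apache's default for SSLHonorCipherOrder is off, so the client's order wins.
    honor = (directive(conf, "SSLHonorCipherOrder") or "off").lower() == "on"
    suite = (directive(conf, "SSLCipherSuite") or "").strip("\"'")
    fs, non_fs, groups, late_fs = [], [], [], []
    for token in filter(None, re.split(r"[:, ]+", suite)):
        if token[0] in "!-+@":         # exclusions, reordering, @STRENGTH: add nothing
            continue
        if token.startswith(FS_PREFIXES):
            fs.append(token)
            if non_fs or groups:       # forward-secret suite ranked below a non-FS entry
                late_fs.append(token)
        elif "-" in token:             # explicit suite name without an ephemeral prefix
            non_fs.append(token)
        else:                          # alias (e.g. HIGH): expand with `openssl ciphers -v`
            groups.append(token)
    return {
        "honor_order": honor,
        "forward_secret": fs,
        "not_forward_secret": non_fs,
        "alias_groups": groups,
        "fs_ranked_after_non_fs": late_fs,
        "fs_preferred": honor and bool(fs) and not late_fs,
        # RC4 is prohibited for TLS by RFC 7465; listed so it can be reviewed.
        "rc4": [t for t in fs + non_fs if "RC4" in t],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

A result with `fs_preferred` true still leaves the `not_forward_secret` and `alias_groups` entries available as fallbacks, so clients that lack ECDHE/DHE support will negotiate without forward secrecy.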
