In MS14-066 Microsoft added new cipher suites that provide forward secrecy and Galois/Counter Mode (GCM) support. Subsequently Microsoft disabled the new cipher suites on servers, because some people (reportedly MSSQL Servers configured for TLS) reported performance impact. However, the new cipher suites are still enabled on clients as old as Windows 7/IE8 if TLS1.1/1.2 are enabled. I'm interested in discussion of the merits of these suites, unfortunately Microsoft didn't use ECDHE suites for RSA certificate exchange, so I'm not sure if "Best-In-Class" as claimed in the blog below is accurate.

Overall, GCM is great because it mitigates the BEAST type attacks. However, Microsoft chose to add suites with DHE key exchange instead of Elliptic Curve variants, which other browsers and FIPS 140-2 (ECDSA) suites use. The key problem is that many DHE key exchanges are limited to 1024bits.

- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128

Sites enabling these suites, for example using Mozilla's "Server Side TLS" guidance or by adding "EDH-AES-GCM:" in F5 11.5+, can still get an A+, but the Key Exchange score is capped at 80 because of the DH 1024 bits limitation. It seems like the benefit of GCM outweighs the DH/1024 limitation, although Firefox and Chrome will use the ECDHE suites.

Side note, I just noticed that Android 5 (moto x / vzw / chrome) seems to prefer 0xc02f, dropping AES256 0xc030, maybe for power considerations.

This is my current cipher suite order (RSA cert only):

- Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) FS 256 -> OpenSSL/Android 4.4
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128 -> Firefox/Chrome/Android 5
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256 -> Win+MS14-066
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) FS 256 -> Apple
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) FS 256 -> Android <4.4, Win<MS14-066
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH 256 bits (eq. 3072 bits RSA) FS 112
- TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
- TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
- TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
- TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
- TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112