We are using Cloudflare and thus the SSL report gives us a rating of A+. However, it shows a number of cipher suites marked as "weak". The problem is that this is frowned upon by a German security certification that we would like to pass so we can put their badge on our site. They claim that Cloudflare's configuration is insecure and needs to be changed. Obviously we are unable to do so without becoming a Cloudflare enterprise customer for a lot of money.
My current understanding is that the list of enabled cipher suites is not as important as the actual ciphers chosen in the handshake simulation below. Is this correct? Is there any documentation on this aspect of SSL configuration? Some website that we can point to for maybe arguing that the current settings are fine?