id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
619	Qualys SSL Forward Secrecy validation test pass	https://stackoverflow.com/users/573152/bernard-rosset		"The default SSL ciphers suite used in nginx does not allow the following test to pass the Forward Secrecy step (effectively reducing the max grade to A-):
https://www.ssllabs.com/ssltest/analyze.html

With only little modifications made to the default ciphers list used by nginx, I was able to overcome that problem:

ssl_ciphers HIGH:!aNULL:!MD5:TLS_RSA_WITH_AES_128_CBC_SHA256;
(That is, default ssl_ciphers with ':TLS_RSA_WITH_AES_128_CBC_SHA256')

By the way, why not activating server-side cipher preferences by default?
ssl_prefer_server_ciphers on;"	enhancement	closed	minor		nginx-module	1.6.x	invalid			Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1+deb7u1 x86_64 GNU/Linux	"nginx version: nginx/1.6.1
built by gcc 4.7.2 (Debian 4.7.2-5)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed' --with-ipv6"