Many moons ago I posted about how I switched from OpenSSL to GnuTLS. That was because I wanted to mitigate against the BEAST attack, and at that time the version of OpenSSL that came with Ubuntu didn't support TLS 1.1 or TLS 1.2.
Well, in the latest Ubuntu releases OpenSSL does support it, but the funny thing is that something is wrong with GnuTLSPriorities in Ubuntu 14.04. For some reason the priority string doesn't work anymore, and I can't do simple things like disable SSL 3.0, which you need to do to mitigate against the new POODLE vulnerability.
I decided to switch back to OpenSSL, and in order to be PCI compliant and get an A+ rating on SSLLabs.com I also added the following to my /etc/apache2/sites-enabled/default-ssl.conf file:
SSLCipherSuite AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Content-Type-Options nosniff
You need to be sure that you have the headers module (mod_headers, a2enmod headers on Ubuntu) enabled for the Header lines above to work.
Once all of that is done you should be good to go!
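As an added check that is not part of the original post, here is a small Python lint that applies the SSLProtocol token rules from the Apache 2.4 documentation to a config fragment and verifies what the directives above are meant to achieve: no SSLv3 or TLSv1 left enabled, no weak cipher keywords, and a long HSTS max-age with includeSubDomains. The 180-day threshold, the weak-keyword list and the sample configs are this example's own assumptions.

```python
import re
import shlex

# Apache 2.4 expands SSLProtocol "all" to these four; SSLv2 is absent from modern OpenSSL builds.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in ALL_PROTOCOLS | {"SSLv2"}}  # protocol tokens are case-insensitive
WEAK_CIPHER = re.compile(r"(^|[:+])(a?e?NULL|EXPORT|RC4|DES|MD5)($|[:+])", re.I)  # assumed list
MIN_HSTS_AGE = 15552000  # 180 days; this example's own threshold for a "long" max-age

def effective_protocols(value):
    """Apply SSLProtocol tokens left to right: bare or +name enables, -name disables."""
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:].lower()) if tok[0] in "+-" else ("+", tok.lower())
        names = ALL_PROTOCOLS if name == "all" else {CANON.get(name, name)}
        enabled = (enabled - names) if op == "-" else (enabled | names)
    return enabled

def lint(config_text):
    """Return findings for the directives discussed in the post; an empty list passes."""
    ssl_protocol, cipher_suite, hsts = None, None, None
    for parts in (shlex.split(l, comments=True) for l in config_text.splitlines()):
        if parts and parts[0] == "SSLProtocol":
            ssl_protocol = " ".join(parts[1:])
        elif parts and parts[0] == "SSLCipherSuite":
            cipher_suite = parts[1]
        elif parts and parts[0] == "Header" and "Strict-Transport-Security" in parts:
            hsts = parts[-1]  # the quoted header value is the last shlex token
    findings = []
    enabled = effective_protocols(ssl_protocol or "all")  # mod_ssl defaults to "all" when unset
    for legacy in ("SSLv2", "SSLv3", "TLSv1"):
        if legacy in enabled:
            findings.append(f"{legacy} still enabled by SSLProtocol {ssl_protocol!r}")
    if not cipher_suite or WEAK_CIPHER.search(cipher_suite):
        findings.append("SSLCipherSuite missing or includes a weak cipher keyword")
    age = re.search(r"max-age=(\d+)", hsts or "")
    if not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS header missing or max-age under 180 days (needs mod_headers)")
    elif "includesubdomains" not in hsts.lower():
        findings.append("HSTS header lacks includeSubDomains")
    return findings

# Constructed samples: a config that still allows SSLv3/TLSv1 and the post's hardened one.
WEAK_CONFIG = "SSLProtocol All -SSLv2\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:RC4\n"
HARDENED_CONFIG = """\
SSLCipherSuite AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Content-Type-Options nosniff
"""
```

Run lint() over the SSL section of your own default-ssl.conf; the lint only reads the directives shown above and does not check that mod_headers is actually loaded.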