ECDHE_RSA keyexchange

[isdal]

Enforce the use of TLS 1.2 with key exchange with forward secrecy.

Notes:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#AlgorithmConstraints
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLContext
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLParameters

http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#DisabledAlgorithms

ECDHE_RSA for keyex is good but any DH or DHE RSA should do with a mod of 1024 - 4096; for ciphers you want AES_265_CBC

check out page 54:
http://www.ietf.org/rfc/rfc2246.txt

Don't forget to totally disable reneg as you can't be sure that the peer does it correctly unless you have secure reneg support.

In an ideal world, I'd suggest TLS 1.2 if possible.

http://srcrr.org/java/bouncycastle/bouncycastle/1.46/reference/org/bouncycastle/crypto/tls/KeyExchangeAlgorithm.html#DHE_RSA