Ciphers to avoid: DSS, MD5/RC4, SHA-1.
Ciphers to prefer: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256
A pretty good source/guide:
https://hynek.me/articles/hardening-your-web-servers-ssl-cip...
You'll need Apache 2.4+ [I think], or nginx. And possibly fresh certs to use DHE/EC.
A quick rundown of a fairly secure setup:
Cipher Priority list:
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:!RSA+3DES:!aNULL:!MD5:!DSS:!SHA:AEAD
==========================================================
Generate the cert and private key:
openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout serverkey.pem -out servercert.pem
==========================================================
Generate the DH parameters:
openssl dhparam -out dh2048.pem -outform PEM -2 2048
==========================================================
How to List Elliptic Curves:
openssl ecparam -list_curves
===========================================================
Note: Generating DH parameters is gonna take a while. If you are implementing this on a slowish machine like a Raspberry Pi, you might want to use a faster machine to do the DH step, then copy the file over.
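
Added example, not part of the original comment: a check that expands the cipher priority list above with `openssl ciphers -v` on the local OpenSSL build and flags any enabled suite that uses something from the avoid list (DSS, MD5, RC4, SHA-1). The function names and the sample lines are constructed for illustration; what the string expands to depends on the installed OpenSSL version.

```shell
#!/bin/sh
# Cipher priority list quoted verbatim from the comment above.
CIPHERS='ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:!RSA+3DES:!aNULL:!MD5:!DSS:!SHA:AEAD'

# audit_ciphers (hypothetical helper): reads `openssl ciphers -v` lines on
# stdin, prints "AVOID <suite> <reasons>" for each suite that matches the
# avoid list, and returns 1 if any suite was flagged, 0 otherwise.
audit_ciphers() {
    awk '
    {
        reason = ""
        # Fields after the suite name and protocol are Kx=, Au=, Enc=, Mac=.
        for (i = 3; i <= NF; i++) {
            if ($i == "Au=DSS")   reason = reason " DSS"
            if ($i ~ /^Enc=RC4/)  reason = reason " RC4"
            if ($i == "Mac=MD5")  reason = reason " MD5"
            if ($i == "Mac=SHA1") reason = reason " SHA-1"
        }
        if (reason != "") { printf "AVOID %s%s\n", $1, reason; bad++ }
    }
    END { exit (bad > 0) }'
}

# sample_output: constructed lines in `openssl ciphers -v` format, so the
# check can be exercised without depending on the local OpenSSL build.
sample_output() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EOF
}

# Live check against the local OpenSSL, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    openssl ciphers -v "$CIPHERS" | audit_ciphers \
        || echo "cipher list enables suites from the avoid list"
fi
```

Run it again after an OpenSSL upgrade, since the same string can expand to a different set of suites.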