<VirtualHost xx.xx.xx.xx:443> ::snip:: SSLEngine on SSLProtocol +TLSv1.1 +TLSv1.2 SSLCompression off SSLHonorCipherOrder On SSLCipherSuite ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:HIGH:!MD5:!aNULL:!EDH Header always append X-Frame-Options SAMEORIGIN ::snip:: </VirtualHost>
I simply removed the "all" option I had there previously and just manually enabled the TLSv1.1 and TLSv1.2. I also added the "Header" bit so that common browsers wouln't put our site in frames.
Now, checking our SSL certificate using the SSL Server Test we get an A rating. The downgrade from A+ being due to an upstream older SHA1 hash that we have no way to change and doesn't directly effect the security of our site, so as far as I'm concerned we look good.
The draw back is that older machines, such as those running Windows XP and versions of Android older than 4.2.2 will no longer be able to connect to us. Sorry about that. Since this is required for PCI compliance, there's not much we can do.