4.6 Enabling Perfect Forward Secrecy

Apache simplifies the process with the SSLHonorCipherOrder directive. It tells Apache to follow the server's own order of cipher suites in SSLCipherSuite, so that the first suite in that list which the client also supports is the one used, instead of letting the client's preference decide. With the SSLCipherSuite list given here and SSLHonorCipherOrder on, PFS is enabled.

Set the following advanced options:

SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:!aNULL:!DES:!MD5:!DSS
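
The following Python script is added here as an example; it is not code from the Apache documentation. It expands the SSLCipherSuite string above with the local OpenSSL library (through Python's ssl module, OpenSSL 1.1.0 or later assumed), marks which resulting suites use an ephemeral key exchange and therefore give forward secrecy, and simulates how SSLHonorCipherOrder changes the outcome of negotiation against a constructed client preference list.

```python
import ssl

# The SSLCipherSuite value from this section, as a single OpenSSL cipher
# string (no whitespace: Apache takes SSLCipherSuite as exactly one argument).
CIPHER_SUITE = ("ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:"
                "RSA+AESGCM:RSA+AES:!aNULL:!DES:!MD5:!DSS")

# Key-exchange methods that derive a fresh ephemeral secret per session; only
# these give forward secrecy. Plain RSA key exchange ("kx-rsa") does not.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe"}


def expand_cipher_suite(spec=CIPHER_SUITE):
    """Expand an OpenSSL cipher string into (suite name, key exchange) pairs in
    the order the server prefers them. TLS 1.3 suites are skipped: they are
    always forward secret and are not governed by this SSLCipherSuite line."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [(c["name"], c["kea"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def is_forward_secret(kea):
    """True when the key exchange method gives (perfect) forward secrecy."""
    return kea in FORWARD_SECRET_KX


def negotiate(server_prefs, client_offer, honor_cipher_order):
    """Return the suite chosen from two ordered lists of suite names.
    SSLHonorCipherOrder On:  first server entry the client also offers wins.
    SSLHonorCipherOrder Off: first client entry the server supports wins."""
    if honor_cipher_order:
        return next((s for s in server_prefs if s in client_offer), None)
    return next((s for s in client_offer if s in server_prefs), None)


if __name__ == "__main__":
    suites = expand_cipher_suite()
    for name, kea in suites:
        print(f"{name:32} {kea:10} PFS={is_forward_secret(kea)}")
    # Constructed client hello that lists an RSA-key-exchange suite first.
    client = ["AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]
    server = [name for name, _ in suites]
    for honor in (False, True):
        print(f"SSLHonorCipherOrder {'On' if honor else 'Off'}:",
              negotiate(server, client, honor))
```

The RSA+AESGCM and RSA+AES entries also match suites with plain RSA key exchange, which do not provide forward secrecy; they stay in the list only as a fallback for clients that cannot negotiate an ECDH suite, so a connection settled on one of them is not forward secret.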

For information about Perfect Forward Secrecy (PFS) and prerequisites for enabling it, see Section 8.3, Enabling Perfect Forward Secrecy.