The SSLLabs.com test assigns ratings based on key strength, as noted below. I will provide a cipher suite list that supports Perfect Forward Secrecy (FS) for elliptic curve and RSA keys, in the best possible order. The list currently includes legacy suites that are still considered safe; keep or drop them based on your needs and environment.
0 bits (no encryption) 0%
< 128 bits (e.g., 40, 56) 20%
< 256 bits (e.g., 128, 168) 80% <--- we will score 90-95%. Removing 128-bit ciphers would drop support for too many people!
>= 256 bits (e.g., 256) 100%
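How these bands become a category score, as an added example that is not from the original page: the SSL Labs rating guide averages the score of the strongest and the weakest suite a server offers, so a list mixing 256-bit and 128-bit suites lands at 90. The function names and the `SAMPLE` list are constructed for illustration, and only TLS 1.2-style `..._WITH_...` suite names are handled.

```python
import re

# Score bands from the list above: (exclusive upper bound in bits, score in %).
BANDS = [(1, 0), (128, 20), (256, 80)]
# Ciphers whose key length is not a number in the name (3DES counted as 168, as above).
PREFIX_BITS = {"NULL": 0, "3DES": 168, "DES40": 40, "CHACHA20": 256}

def key_bits(suite):
    """Symmetric key length implied by an IANA name like TLS_RSA_WITH_AES_128_CBC_SHA."""
    if "_WITH_" not in suite:
        raise ValueError(f"not a TLS 1.2-style suite name: {suite}")
    cipher = suite.split("_WITH_", 1)[1]
    for prefix, bits in PREFIX_BITS.items():
        if cipher.startswith(prefix):
            return bits
    m = re.search(r"_(40|128|256)(?:_|$)", cipher)  # AES_128, RC4_40, CAMELLIA_256, ...
    if m:
        return int(m.group(1))
    if cipher.startswith("DES_"):
        return 56  # single DES
    raise ValueError(f"unknown cipher in {suite}")

def strength_score(bits):
    """Map a key length to its band score; 256 bits and above score 100."""
    return next((score for upper, score in BANDS if bits < upper), 100)

def is_forward_secret(suite):
    """Ephemeral (EC)DHE key exchange is what the test reports as FS."""
    return suite.split("_WITH_")[0].split("_")[1] in ("ECDHE", "DHE")

def category_score(suites):
    """SSL Labs rating guide: (strongest suite score + weakest suite score) / 2."""
    scores = [strength_score(key_bits(s)) for s in suites]
    return (max(scores) + min(scores)) / 2

def audit(suites):
    """Return (category score, suites without FS, suites below 128 bits)."""
    no_fs = [s for s in suites if not is_forward_secret(s)]
    weak = [s for s in suites if key_bits(s) < 128]
    return category_score(suites), no_fs, weak

# Constructed server configuration, not taken from the page.
SAMPLE = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Offering any suite below 128 bits pulls the weakest score to 20 and the category to 60 at best, which is why the ordering matters less for this score than what is enabled at all.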
ECC can use smaller key sizes while offering comparable cryptographic strength.
| Symmetric Key length (bit) | RSA Key length (bit) | ECC Key length (bit) | Ratio ECC/RSA Key | RSA Certificate Size | ECC Certificate Size | Ratio ECC/RSA Certificate |
|---|---|---|---|---|---|---|
| 80 | 1024 | 160 | 5x smaller | 2048 | 192 | 10x smaller |
| 112 | 2048 | 224 | 9x smaller | 4096 | 224 | 18x smaller |
| 128 | 3072 | 256 | 12x smaller | 7680 | 256 | 23x smaller |
| 192 | 7680 | 384 | 20x smaller | 15360 | 384 | 39x smaller |
| 256 | 15360 | 521 | 29x smaller | 30720 | 512 | 57x smaller |
Elliptic curve without Diffie-Hellman parameters being generated gives us a 3072-bit RSA-equivalent key:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDH 256 bits (eq. 3072 bits RSA) FS
RSA without Diffie-Hellman parameters being generated gives us a 3072-bit RSA-equivalent key.
RSA with Diffie-Hellman parameters being generated and using EC secp384r1: 7680-bit RSA equivalent!!!
RSA with Diffie-Hellman parameters being generated and using EC secp512r1: 15360-bit RSA equivalent!!!
No problems with browsers using RSA with Diffie-Hellman/EC curve secp512r1.