(The idea behind the config above is to propose TLS 1.2 ciphersuites, which aren't susceptible to BEAST, and leave RC4 as a fallback for older TLS implementations. But TLS 1.2 support in browsers is still problematic.)

Also, ECDHE-RSA-AES128-SHA256 is still decrypt-then-verify CBC mode, isn't it? GCM should be listed first.