(The idea behind the config above is to propose TLS 1.2 ciphersuites, which aren't susceptible to BEAST, and leave RC4 as a fallback for older TLS implementations. But TLS 1.2 support in browsers is still problematic.)
Also, ECDHE-RSA-AES128-SHA256 is still decrypt-then-verify CBC mode, isn't it? GCM should be listed first.
(The idea behind the config above is to propose TLS 1.2 ciphersuites, which aren't susceptible to BEAST, and leave RC4 as a fallback for older TLS implementations. But TLS 1.2 support in browsers is still problematic.)
Also, ECDHE-RSA-AES128-SHA256 is still decrypt-then-verify CBC mode, isn't it? GCM should be listed first.