The problem here is not "how to have a secure configuration", it's really "why is it not secure by default"; we actually need more "secure by default" because it largely reduces the chances of doing it wrong.
You can keep your A+ and add IE8 on XP, plus boost your key exchange to 100%[0], by following Mozilla's TLS docs[1] and sticking with the default Intermediate ciphersuite.
You might also consider disabling server tokens to hide your Nginx version (server_tokens off;) for a bit of 'security through obscurity' and enabling SPDY (listen 443 ssl spdy;) for a performance boost.
Also worth pointing out is the upcoming Let's Encrypt project[2] which will make domain validated certificates free soon.
[0]: https://www.ssllabs.com/ssltest/analyze.html?d=brossmanit.co...
[1]: https://wiki.mozilla.org/Security/Server_Side_TLS
[2]: https://letsencrypt.org/
I'm not wild about having non-FS options that a man in the middle could force a downgrade to. IE8 on XP isn't worth it.
I think using Mozilla's "Modern cipher suite" list should do it, and it seems to be all forward secure:
https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_com...
What prevents me from using 'Modern' is it requires Android 4.4+, which excludes a hell of a lot of mobile users. I'm okay with dropping XP support but dropping Android 4.3 and earlier is too limiting for me.
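The Intermediate-versus-Modern trade-off above comes down to whether the server's `ssl_ciphers` string still contains any suite whose key exchange is static RSA or static ECDH. The following script is an added example (not from this thread and not Mozilla's generator) that parses an OpenSSL-style cipher list and flags every suite without forward secrecy, so you can see what a compatibility-oriented list actually allows before deciding whether to keep it. The two sample lists are constructed for illustration; they use real OpenSSL suite names but are not Mozilla's actual Intermediate or Modern strings, and the `audit` / `parse_cipher_list` helper names are this example's own.

```python
"""Audit an OpenSSL-style cipher list (the value of nginx's ssl_ciphers)
for suites that lack forward secrecy.

Added example, not code from the thread or from Mozilla's TLS generator.
Assumes OpenSSL suite naming. The sample lists below are constructed:
they are real suite names, but NOT Mozilla's actual Intermediate/Modern
strings."""

import re
from typing import Dict, List

# Key-exchange prefixes in OpenSSL suite names that give forward secrecy:
# the (EC)DH key is ephemeral, so recording traffic today and obtaining
# the server's long-term private key later does not let you decrypt it.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")

# Constructed sample lists (see module docstring).
MODERN_LIKE = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!MD5"
)
INTERMEDIATE_LIKE = (
    "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:"
    "AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!MD5"
)


def parse_cipher_list(cipher_list: str) -> Dict[str, List[str]]:
    """Split an OpenSSL cipher string into concrete suite names.

    Exclusion (!X), removal (-X), reorder (+X) and sort (@X) tokens are
    dropped. Bare aliases such as HIGH or kEECDH (no hyphen) are not suite
    names; they would need OpenSSL itself to expand, so they are reported
    separately instead of being silently treated as forward secret.
    """
    suites: List[str] = []
    keywords: List[str] = []
    for token in re.split(r"[:,\s]+", cipher_list.strip()):
        if not token or token[0] in "!-+@":
            continue
        if "-" not in token:
            keywords.append(token)
        else:
            suites.append(token)
    return {"suites": suites, "keywords": keywords}


def is_forward_secret(suite: str) -> bool:
    """True if the suite's key exchange is ephemeral (EC)DH.

    Anything else (e.g. AES128-SHA = static RSA key exchange, or the
    ECDH- prefix = static ECDH) is not forward secret.
    """
    return suite.startswith(FS_PREFIXES)


def audit(cipher_list: str) -> Dict[str, object]:
    """Classify each suite; all_forward_secret is only True when no
    non-FS suite is present AND no unexpanded alias could hide one."""
    parsed = parse_cipher_list(cipher_list)
    fs = [s for s in parsed["suites"] if is_forward_secret(s)]
    non_fs = [s for s in parsed["suites"] if not is_forward_secret(s)]
    return {
        "suites": parsed["suites"],
        "forward_secret": fs,
        "not_forward_secret": non_fs,
        "unexpanded_keywords": parsed["keywords"],
        "all_forward_secret": not non_fs and not parsed["keywords"],
    }


if __name__ == "__main__":
    for name, lst in (("modern-like", MODERN_LIKE),
                      ("intermediate-like", INTERMEDIATE_LIKE)):
        result = audit(lst)
        print(f"{name}: all forward secret = {result['all_forward_secret']}")
        for s in result["not_forward_secret"]:
            print(f"  non-FS suite offered: {s}")
```

Run it against your own `ssl_ciphers` value; any suite listed under "non-FS suite offered" is one a client lacking ECDHE/DHE support (the IE8-on-XP case discussed above) would end up using, and the only way to make the list fully forward secret is to remove those entries, at the cost of those clients.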
Finally, you can get an A+ rating for free with StartSSL's free option, then using the SHA2 intermediate certificate[2]. This is what I use for my pgp keyserver[3].
[1]: https://www.ssllabs.com/ssltest/analyze.html?d=utilityapi.co...
[2]: https://www.startssl.com/certs/class1/sha2/pem/
[3]: https://www.ssllabs.com/ssltest/analyze.html?d=sks.daylightp...