How it works...

Firstly, we only allow TLS 1.2. Qualys requires this for the 100 percent protocol grading.

Next, we set a very limited number of ciphers, all of which are 256-bit or higher. We've also set it to use EECDH only, to enforce forward secrecy. This is combined with the 384-bit curve (secp384r1), which is the grade that the NSA mandates for top-secret graded documents. This is roughly the equivalent of a 7680-bit RSA key, so don't be fooled by the lower bit count.
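To check that a configuration still meets these three properties after later edits, the following added example (not part of the original recipe) audits the `ssl_protocols`, `ssl_ciphers` and `ssl_ecdh_curve` directives. The function names and both sample configurations are constructed for illustration, and the cipher check is a name-based heuristic on each token, not an OpenSSL expansion of the cipher string.

```python
import re

# Policy described above: TLS 1.2 only, EECDH (ECDHE) key exchange only,
# 256-bit symmetric ciphers, and the secp384r1 curve.
KEY_256 = ("AES256", "CHACHA20")  # both use 256-bit keys

def directive(conf, name):
    """Return the argument of the last `name ...;` directive, or None."""
    hits = re.findall(rf"^\s*{name}\s+([^;]+);", conf, flags=re.M)
    return hits[-1].strip().strip("'\"") if hits else None

def audit(conf):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    protocols = (directive(conf, "ssl_protocols") or "").split()
    if protocols != ["TLSv1.2"]:
        found = " ".join(protocols) or "unset"
        findings.append(f"ssl_protocols is {found}, expected only TLSv1.2")
    ciphers = directive(conf, "ssl_ciphers")
    if ciphers is None:
        findings.append("ssl_ciphers is unset")
    else:
        for token in ciphers.split(":"):
            if token.startswith(("!", "-")):  # exclusions cannot add a suite
                continue
            if not token.startswith(("EECDH", "ECDHE")):
                findings.append(f"cipher {token}: key exchange is not EECDH")
            elif not any(k in token for k in KEY_256):
                findings.append(f"cipher {token}: not limited to 256-bit keys")
    curve = directive(conf, "ssl_ecdh_curve")
    if curve != "secp384r1":
        findings.append(f"ssl_ecdh_curve is {curve or 'unset'}, expected secp384r1")
    return findings

# Constructed sample configurations (not taken from the recipe).
STRICT = """
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL';
ssl_ecdh_curve secp384r1;
"""
WEAK = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ecdh_curve prime256v1;
"""

if __name__ == "__main__":
    for label, conf in (("strict", STRICT), ("weak", WEAK)):
        print(label, audit(conf) or "policy met")
```

A token such as `EECDH+AESGCM` is reported as well, because it also selects the 128-bit AES-GCM suites.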