You can only support forward secure cipher suites. This will result in rejected connections as you suggested.
Lavabit doesn't do this; they support non-forward secure ones. Worse, they don't offer a cipher-suite order preference and the cipher suites they offer are actually pretty shitty (no ECDH_ECDSA, 1024-bit DHE).
The way they have it configured now means anyone using the default browser on Windows (IE) or OS X (Safari) doesn't end up negotiating a forward secure session. Chrome and Firefox do end up being forward secure. See SSL Labs' test result here [0]
They support:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
[0]https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2...
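
Added example, not part of the original comment: a small Python model of TLS 1.2-style suite selection showing why the four suites listed above give forward secrecy only to clients that happen to rank DHE first, and what server-side ordering or a forward-secure-only list changes. The function names and the client preference lists used with it are constructed for illustration and are not real browser lists.

```python
# Suites taken from the comment above (IANA names, TLS <= 1.2 naming scheme).
SERVER_SUITES = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]

def key_exchange(suite):
    """Return the key-exchange part of a suite name, e.g. 'DHE_RSA'."""
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        raise ValueError("not a TLS <= 1.2 style suite name: %r" % suite)
    return suite[len("TLS_"):].split("_WITH_", 1)[0]

def is_forward_secret(suite):
    """Only ephemeral (EC)DH gives forward secrecy; static RSA/DH/ECDH do not."""
    return key_exchange(suite).split("_")[0] in ("DHE", "ECDHE")

def prefer_forward_secret(suites):
    """Stable reorder: forward-secret suites first, original order otherwise."""
    return sorted(suites, key=lambda s: not is_forward_secret(s))

def forward_secret_only(suites):
    """Drop every suite that lacks forward secrecy."""
    return [s for s in suites if is_forward_secret(s)]

def negotiate(client_prefs, server_suites, server_order=False):
    """Pick the suite a server would select, or None if there is no overlap.

    server_order=False models a server with no order preference: the first
    client-preferred suite the server also supports wins.
    """
    first, second = (server_suites, client_prefs) if server_order \
        else (client_prefs, server_suites)
    for suite in first:
        if suite in second:
            return suite
    return None  # handshake fails: the "rejected connection" case

if __name__ == "__main__":
    # Constructed client that ranks a static-RSA suite ahead of DHE.
    client = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"]
    for label, suites, order in [
        ("no server order", SERVER_SUITES, False),
        ("server prefers FS", prefer_forward_secret(SERVER_SUITES), True),
    ]:
        chosen = negotiate(client, suites, order)
        print(label, "->", chosen, "FS" if is_forward_secret(chosen) else "no FS")
```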