Sadly, users who follow this advice will forget that they did by the time they can't figure out why connections fail to servers that have been configured for forward secrecy only but run an ECC-incapable version of Apache (thanks to long-term support Linux distros keeping old Apache around).
Apache decides the DHE keys, OpenSSL decides the ciphersuites used. Red Hat didn't even enable ECDHE until they moved to OpenSSL 1.0.1 in RHEL 6.5 in late 2013.
tlsinterposer[0] helps in cases like this. (tldr: LD_PRELOAD middleware to upgrade an application's OpenSSL support without modifying the application.)
