HTTP/2.0 and so on

More nerdery, I'm afraid.

As I've got my fingers in certificates and web servers, and as I have the vague justification that it's never cool when students point out some new security wrinkle I don't have on batten.eu.org, I had another trip around the update everything houses.

I've now added DNS CAA records, which specify which CAs should issue my certificates. The idea is that if someone manages to convince another issuer to issue a batten.eu.org certificate, there's a chance that either they'll notice they shouldn't, or that a third party will notice the mismatch.
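To show the check that CAA records are meant to drive on the issuer's side, here is an added example (not code from the post): a small CAA evaluator in the spirit of RFC 6844 / RFC 8659, with a hypothetical CA identifier `ca-issuer.example` and constructed records standing in for the real zone.

```python
# Added example, not the post's own code: CAA records as a CA is meant to
# evaluate them (RFC 6844 / RFC 8659). The CA name "ca-issuer.example" and the
# records below are constructed for illustration.
from dataclasses import dataclass
import struct


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 0x80 = issuer critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str


def parse_caa_rdata(rdata: bytes) -> CAA:
    """Decode CAA wire format: flags (1 byte), tag length (1 byte), tag, value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = struct.unpack("!BB", rdata[:2])
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    return CAA(flags, tag, rdata[2 + tag_len:].decode("utf-8"))


def issuance_permitted(records, ca_domain: str, wildcard: bool = False) -> bool:
    """May the CA identified by ca_domain issue for the name owning `records`?"""
    if not records:
        return True                      # no CAA at all: unrestricted
    understood = {"issue", "issuewild", "iodef"}
    if any(r.flags & 0x80 and r.tag not in understood for r in records):
        return False                     # critical tag we cannot interpret
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"                # issuewild overrides issue for *.name
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True                      # e.g. only iodef present
    for r in relevant:
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True
    return False                         # restricted, and this CA is not listed


# Constructed zone content for batten.eu.org: one issuer allowed, no wildcards.
EXAMPLE_RECORDS = [
    parse_caa_rdata(b"\x00\x05issueca-issuer.example"),
    parse_caa_rdata(b"\x00\x09issuewild;"),
]
```

A zone publishing only an `iodef` record does not restrict issuance; only `issue` and `issuewild` records do, and an `issuewild` of `;` refuses every wildcard request.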

I've also, after some thrashing around, brought up HTTP/2 support on my servers (this required recompiling OpenSSL in all cases, as doing it properly needs >= 1.0.2 and most OSes still ship with 1.0.1).

The only warnings are that some elderly machines with modern browsers (i.e., old crypto libraries, but new browsers that do HTTP/2) regard the cipher suite they end up negotiating as deprecated: all the Cipher Block Chaining ciphers are blacklisted in HTTP/2 in favour of Galois Counter Mode (or Counter Mode, more generally). I'm not going to fix this: people should not (H/T @gbrightn) use ancient operating systems, and anyway the cipher wouldn't be marked as blacklisted were it not for the presence of HTTP/2, so HTTP/1.1 would be perfectly happy using it.