You're right and this occurred to me as well. I tried a different approach. This is my code:
'SSL configuration
Dim ssl As SslConfiguration
ssl.Initialize
Dim jo As JavaObject = ssl
Dim inc As String = $"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"$
jo.RunMethod("setIncludeCipherSuites", Array(Regex.Split("\n", inc)))
Note that setIncludeCipherSuites only enables TLS 1.2. TLS 1.0 and 1.1 are automatically disabled unless you make a call to setExcludeCipherSuites. This was also one of my requirement. You may not want this if you need to support old browsers like IE 8/9/10.
With this setup I get a very limited set of ciphers, but they have full compatibility with all sort of clients that support TLS 1.2 and the final result is an "A" rating.
When using setExcludeCipherSuites I had a strange experience with ciphers that I excluded but were still available according to SSLlabs test.
As you noticed the B rating is due to Diffie-Hellman (DH) key exchange, not necessarily the cipher algorithm.
I still don't understand how to control the key exchange algorithm so to exclude DH key exchange rather than reducing the list of ciphers significantly to prevent using it.
Andrea