Error messages for client ECC cert verification.

Also, change the default ciphersuite to give some prefererence to
ciphersuites with forwared secrecy (rather than using a random order).