Is AES-GCM recommended for SSL?
GCM is recommended; it is even approved by NIST. However, AEAD ciphers are supported in TLS only since TLS 1.2; see section 6.2.3.3, which is new, when compared to TLS 1.1. The actual GCM-able cipher suites are defined in RFC 5288. Note that TLS 1.2 (and, for that matter, TLS 1.1 too) is immune to BEAST-like attacks when using CBC.
Therefore you will have a hard time finding a Web browser which supports GCM right now (I write these lines in January 2013; hopefully, TLS 1.2+GCM support will become widespread at some point in time). It is still fine to enable it, and if the client supports it, so much the better; GCM will be most lightweight on recent x86 processors with the AES-NI opcodes (these opcodes have been designed specially for GCM, in particular PCLMULQDQ
which implements multiplications in GF(2)[X]). Not that the CPU cost of traditional TLS cipher suites is that high, but it is intellectually pleasing to know that each server core could support 5 Gbit/s bandwidth.
But if you want existing browsers to actually, say, browse your server, then you will need to allow for more "primitive" cipher suites as well, if only as a fallback.
I realize the post is from 2013, but I happened upon this post when researching a patch for the latest openSSL vulnerability announced 3 May 2016 (Info - https://www.openssl.org/news/secadv/20160503.txt). The recommended patch is TLS1.2+AES-GCM cipher suite.
The latest browser on the latest OS should have support for AES-GCM at this point. If you'd still like to confirm this, this tool(https://cc.dcsec.uni-hannover.de/) will provide info on the SSL cipher suites supported by your browser.