Windows XP natively supports only broken protocols (or weak if you want to be optimistic) to begin with it only supports SSLv2, SSLv3 and TLS 1.0, ie TLS 1.1 and 1.2 are not supported.
The Cipher Suite lists available natively in Windows XP are:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA
It only supports things that are already considered not recommended, like RC4, DES and 3DES. Of course, SHA-1 and MD5, which need not comment. Chrome no longer supports SHA-1 and MD5 in the latest versions, Chrome 54 and later, unless cheated.
For comparison, Windows 10 supports AES-GCM, SHA384, SHA256, and supports elliptic curve encryption, allowing ECDHE and ECDSA to be used.
The free / basic CloudFlare plan uses an elliptic curve certificate, which is not supported by Windows XP. They themselves say this:
Our SSL certificates on paid plans (Pro, Business and Enterprise) will work with all desktop browsers, so if you are worried about compatibility or have many users with old browsers upgrading to one of our paid plans is recommended
Source
This is a set below that is compatible, but not so secure . There is no "be compatible with Windows XP" and at the same time "be safe", just see the test using google.com, they use TLS_RSA_WITH_3DES_EDE_CBC_SHA
(XP compatible) and SSL Labs informs "WEAK".
RSA_WITH_3DES_EDE_CBC_SHA
is compatible with Windows XP, but is weak, to use it set to EDH-RSA-DES-CBC3-SHA
:
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!aNULL:!MD5
I think that's enough.
If you want a more comprehensive use:
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
If you want something really safe forget Windows XP and Windows Vista. Simply support only TLS 1.2 (and TLS 1.3). Only allow ECDHE as a form of exchange and support only AES-GCM and CHACHA20-POLY1305:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
This will support AES128-GCM, AES256-GCM and CHACHA20-POLY1305. The reason for the repetition is that you can use ECC or RSA, which will define the use of ECDSA or RSA as a signature.
Another important point is performance, ECDHE-ECDSA-CHACHA20-POLY1305
believe it to be the fastest.