-# $Id$
LoadModule ssl_module modules/mod_ssl.so
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
-# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
+# directives see <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html>
<IfModule mod_ssl.c>
#
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
+
+SSLRandomSeed startup file:/dev/urandom 256
+SSLRandomSeed connect builtin
+
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
SSLSessionCache shmcb:/var/cache/httpd/ssl_scache(512000)
SSLSessionCacheTimeout 300
+# https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=modern&hsts=false
+
+# intermediate configuration, tweak to your needs
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder off
+SSLSessionTickets off
+
+SSLCompression off
+
+# OCSP Stapling
+SSLUseStapling off
+SSLStaplingResponderTimeout 5
+SSLStaplingReturnResponderErrors off
+SSLStaplingCache shmcb:/var/cache/httpd/ocsp(128000)
+
+# Whether to allow non-SNI clients to access a name-based virtual host.
+#SSLStrictSNIVHostCheck on
+
##
## SSL Virtual Host Context
##
-<VirtualHost *:443>
+<VirtualHost _default_:443>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
-# Usable SSL protocol flavors:
-# This directive can be used to control the SSL protocol flavors mod_ssl
-# should use when establishing its server environment. Clients then can only
-# connect with one of the provided protocols.
-SSLProtocol all -SSLv2
-
-# SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-SSLCipherSuite ALL:!ADH:!EXP:!LOW:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
+# Enable, if you have real ssl cert and want to cache OCSP
+# https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+SSLUseStapling off
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
<IfModule mod_setenvif.c>
- BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
+ BrowserMatch ".*MSIE [2-5]\..*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
+ BrowserMatch ".*MSIE [6-9]\..*" ssl-unclean-shutdown
</IfModule>
# Per-Server Logging: