# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
-# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
+# directives see <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html>
<IfModule mod_ssl.c>
#
SSLSessionCache shmcb:/var/cache/httpd/ssl_scache(512000)
SSLSessionCacheTimeout 300
-# Usable SSL protocol flavors:
-# This directive can be used to control the SSL protocol flavors mod_ssl
-# should use when establishing its server environment. Clients then can only
-# connect with one of the provided protocols.
-SSLProtocol all -SSLv2
+# https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=modern&hsts=false
-# SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-SSLCipherSuite ALL:!ADH:!EXP:!LOW:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
+# intermediate configuration, tweak to your needs
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder off
+SSLSessionTickets off
+SSLCompression off
+
+# OCSP Stapling
+SSLUseStapling off
+SSLStaplingResponderTimeout 5
+SSLStaplingReturnResponderErrors off
+SSLStaplingCache shmcb:/var/cache/httpd/ocsp(128000)
+
+# Whether to allow non-SNI clients to access a name-based virtual host.
+#SSLStrictSNIVHostCheck on
##
## SSL Virtual Host Context
# Enable/Disable SSL for this virtual host.
SSLEngine on
+# Enable, if you have real ssl cert and want to cache OCSP
+# https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+SSLUseStapling off
+
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
<IfModule mod_setenvif.c>
- BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
+ BrowserMatch ".*MSIE [2-5]\..*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
+ BrowserMatch ".*MSIE [6-9]\..*" ssl-unclean-shutdown
</IfModule>
# Per-Server Logging: