summaryrefslogtreecommitdiff
path: root/apache2/mods-available/gnutls.conf.diff
blob: d6504c3a758b9d615a693df80ad9335058bdedb5 (plain) 
    

  1. --- gnutls.conf.orig
    2. 

  2. +++ gnutls.conf
    3. 

  3. @@ -1,13 +1,19 @@
    4. 

  4.  <IfModule mod_gnutls.c>
    5. 

  5.  
    6. 

  6. -  # The default method is to use a DBM backed cache.  It's not super fast, but
    7. 

  7. -  # it's portable and doesn't require another server to be running like
    8. 

  8. -  # memcached
    9. 

  9. -  GnuTLSCache dbm /var/cache/apache2/gnutls_cache
    10. 

  10. +  # Use an SHMCB backed session cache unless you have special needs.
    11. 

  11. +  # (The dbm backend has known memory leaks and should not be used).
    12. 

  12. +  GnuTLSCache shmcb:${APACHE_RUN_DIR}/gnutls_cache(65536)
    13. 

  13.  
    14. 

  14. -  # mod_gnutls can optionaly use a memcached server to store SSL sessions.
    15. 

  15. -  # This is useful in a cluster environment, where you want all your servers to
    16. 

  16. -  # share a single SSL session cache
    17. 

  17. +  # An alternative is to use a memcached server to store SSL sessions.
    18. 

  18. +  # This is useful in a cluster environment,
    19. 

  19. +  # where you want all your servers to share a single SSL session cache.
    20. 

  20.    #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
    21. 

  21.  
    22. 

  22. +  # Require Perfect Forward Secrecy and recent TLS protocol versions
    23. 

  23. +  # This should be supported by all SNI-capable browsers
    24. 

  24. +  # You can validate e.g. at <https://www.ssllabs.com/ssltest/>
    25. 

  25. +  GnuTLSPriorities PFS:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%SERVER_PRECEDENCE
    26. 

  26. +
    27. 

  27. +  GnuTLSOCSPStapling off
    28. 

  28. +
    29. 

  29.  </IfModule>
    30.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-01 02:43:00 +0000