Diffstat (limited to 'apache2/mods-available/gnutls.conf')
-rw-r--r--apache2/mods-available/gnutls.conf25
1 files changed, 25 insertions, 0 deletions
diff --git a/apache2/mods-available/gnutls.conf b/apache2/mods-available/gnutls.conf
new file mode 100644
index 0000000..f5cf5f8
--- /dev/null
+++ b/apache2/mods-available/gnutls.conf
@@ -0,0 +1,25 @@
+<IfModule mod_gnutls.c>
+
+ # The default method is to use a DBM backed cache. It's not super fast, but
+ # it's portable and doesn't require another server to be running like
+ # memcached
+ GnuTLSCache dbm /var/cache/apache2/gnutls_cache
+
+ # Enable caching (used for ticket expiration even when GnuTLSCache is unused)
+ GnuTLSCacheTimeout 600
+
+ # mod_gnutls can optionaly use a memcached server to store SSL sessions.
+ # This is useful in a cluster environment, where you want all your servers to
+ # share a single SSL session cache
+ #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
+
+ # based on <https://blog.joelj.org/ecdsa-certificates-with-apache-2-4-lets-encrypt/>
+ # * only strong EC crypto suites supporting Perfect Forward Secrecy
+ # * supported by all SNI-capable browsers
+ # Options:
+ # * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support
+ # * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts
+ # * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0
+ GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
+
+</IfModule>
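Review bot: The `GnuTLSPriorities` line still offers TLS 1.0 and 1.1, because `+VERS-TLS-ALL:-VERS-SSL3.0` removes only SSLv3, and combined with `+AES-256-CBC:+AES-128-CBC` and `+SHA1` the server keeps legacy CBC/SHA-1 suites reachable on those versions. If the comment's "supported by all SNI-capable browsers" goal no longer requires them, change that segment to `+VERS-TLS-ALL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1` and consider dropping `+SHA1` once the CBC suites are no longer needed; otherwise a comment stating that TLS 1.0/1.1 are kept on purpose, and for which clients, would keep the next maintainer from treating it as an oversight. The DBM cache at `/var/cache/apache2/gnutls_cache` holds resumable session state, so the enclosing directory presumably needs to be writable only by the Apache user; a comment noting the expected ownership would help, since nothing in this file creates it. The comment on the CBC option reads "3DES-CBS", which looks like a typo for "3DES-CBC".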