--- gnutls.conf.orig
+++ gnutls.conf
@@ -1,13 +1,19 @@
- # The default method is to use a DBM backed cache. It's not super fast, but
- # it's portable and doesn't require another server to be running like
- # memcached
- GnuTLSCache dbm /var/cache/apache2/gnutls_cache
+ # Use an SHMCB backed session cache unless you have special needs.
+ # (The dbm backend has known memory leaks and should not be used).
+ GnuTLSCache shmcb:${APACHE_RUN_DIR}/gnutls_cache(65536)
- # mod_gnutls can optionaly use a memcached server to store SSL sessions.
- # This is useful in a cluster environment, where you want all your servers to
- # share a single SSL session cache
+ # An alternative is to use a memcached server to store SSL sessions.
+ # This is useful in a cluster environment,
+ # where you want all your servers to share a single SSL session cache.
 #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
+ # Require Perfect Forward Secrecy and recent TLS protocol versions
+ # This should be supported by all SNI-capable browsers
+ # You can validate e.g. at
+ GnuTLSPriorities PFS:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%SERVER_PRECEDENCE
+
+ GnuTLSOCSPStapling off
+
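Review bot: `GnuTLSOCSPStapling off` at the end of the hunk is added with no comment saying why stapling is disabled, which is at odds with the rest of the hunk tightening the TLS posture (PFS, TLS 1.2/1.3 only); with stapling off, clients have to fetch OCSP themselves, and most browsers soft-fail that, so revocation is effectively not checked. If it is off because the shipped default certificate has no OCSP responder, or because stapling needs extra cache/responder configuration first, state that next to the directive, e.g. `# OCSP stapling is off by default; turn it on once the server certificate has an OCSP responder configured`, so an operator knows to flip it. Separately, the comment `# You can validate e.g. at` is truncated — the validation URL it introduces is missing, so either restore the reference or drop the line, and the preceding claim that PFS with TLS 1.2+ "should be supported by all SNI-capable browsers" is a rough heuristic rather than a guarantee and would be better worded as such. Whether anything follows this hunk in the file is not visible here.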