--- gnutls.conf.orig	2011-07-19 19:02:55.000000000 +0200
+++ gnutls.conf	2016-04-28 03:27:13.000000000 +0200
@@ -5,9 +5,21 @@
   # memcached
   GnuTLSCache dbm /var/cache/apache2/gnutls_cache
 
+  # Enable caching (used for ticket expiration even when GnuTLSCache is unused)
+  GnuTLSCacheTimeout 600
+
   # mod_gnutls can optionaly use a memcached server to store SSL sessions.
   # This is useful in a cluster environment, where you want all your servers to
   # share a single SSL session cache
   #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
 
+  # based on <https://blog.joelj.org/ecdsa-certificates-with-apache-2-4-lets-encrypt/>
+  #  * only strong EC crypto suites supporting Perfect Forward Secrecy
+  #  * supported by all SNI-capable browsers
+  # Options:
+  #  * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support
+  #  * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts
+  #  * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0
+  GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
+
 </IfModule>