--- ssl.conf.orig
+++ ssl.conf
@@ -56,7 +56,8 @@
 	#   ciphers(1) man page from the openssl package for list of all available
 	#   options.
 	#   Enable only secure ciphers:
-	SSLCipherSuite HIGH:!aNULL
+	#   More info: <https://scotthelme.co.uk/https-cheat-sheet/>
+	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
 
 	# SSL server cipher order preference:
 	# Use server priorities for cipher algorithm choice.
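Review bot: The new SSLCipherSuite value still admits CBC-mode suites through its last two terms, `AES256+EECDH` and `AES256+EDH`, and it drops the explicit `!aNULL` that the old line carried. The `EECDH`/`EDH` aliases should already exclude anonymous key exchange in current OpenSSL, but keeping the exclusion makes the list safe however the aliases expand on the installed library: `SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL`. A comment above it such as `#   Applies to TLSv1.2 and below; TLSv1.3 suites are set with "SSLCipherSuite TLSv1.3 ..."` would also help, because this line does not restrict what is negotiated under TLSv1.3. The effective list can be confirmed by passing the same string to `openssl ciphers -v` on the target host.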
@@ -65,12 +66,12 @@
 	# the CPU cost, and did not override SSLCipherSuite in a way that puts
 	# insecure ciphers first.
 	# Default: Off
-	#SSLHonorCipherOrder on
+	SSLHonorCipherOrder on
 
 	#   The protocols to enable.
-	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
 	#   SSL v2  is no longer supported
-	SSLProtocol all -SSLv3
+	SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
 
 	#   Allow insecure renegotiation with clients which do not yet support the
 	#   secure renegotiation protocol. Default: Off
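Review bot: The new SSLProtocol line is still a denylist built on `all`, so whichever protocols the linked OpenSSL build puts behind `all` stay enabled unless they are named here. An allowlist states the intent directly and does not change meaning when the library changes: `SSLProtocol -all +TLSv1.2 +TLSv1.3`. The `+TLSv1.3` token is only accepted by an httpd built against an OpenSSL that supports it, which the updated "Available values" comment suggests is the case here, but that should be confirmed with `apachectl configtest` before rollout. Virtual hosts that set their own SSLProtocol are outside this hunk and would need the same review.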
@@ -80,6 +81,9 @@
 	#   Default: Off
 	#SSLStrictSNIVHostCheck On
 
+	SSLUseStapling On
+	SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"
+
 </IfModule>
 
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
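Review bot: The stapling directives are added without bounding the responder failure case: by default mod_ssl passes unsuccessful OCSP responder results on to clients, so an outage at the CA's responder can surface as handshake errors. Adding `SSLStaplingResponderTimeout 5` and `SSLStaplingReturnResponderErrors off` after `SSLUseStapling On` keeps the server answering without a stapled response in that situation. The two new lines are also the only directives in this file without a comment block; something like `#   OCSP stapling: the server fetches and caches the OCSP response for its own certificate. Requires outbound access to the CA's OCSP responder. Default: Off` would match the surrounding style.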