apache2-mods-enabled-ssl.conf

# OsbornePro LLC. Starting Template for /etc/apache2/mods-enabled/ssl.conf
#
# Enable the ssl module using the command ```sudo a2enmod ssl``` 
# View line 81 in the config below for Diffie Hellman instructions

<IfModule mod_ssl.c>
        # Pseudo Random Number Generator (PRNG):
        # Configure one or more sources to seed the PRNG of the SSL library.
        # The seed data should be of good random quality.
        # WARNING! On some platforms /dev/random blocks if not enough entropy
        # is available. This means you then cannot use the /dev/random device
        # because it would lead to very long connection times (as long as
        # it requires to make more entropy available). But usually those
        # platforms additionally provide a /dev/urandom device which doesn't
        # block. So, if available, use this one instead. Read the mod_ssl User
        # Manual for more details.
        #
        SSLRandomSeed startup builtin
        SSLRandomSeed startup file:/dev/urandom 512
        SSLRandomSeed connect builtin
        SSLRandomSeed connect file:/dev/urandom 512

        ##
        ##  SSL Global Context
        ##
        ##  All SSL configuration in this context applies both to
        ##  the main server and all SSL-enabled virtual hosts.
        ##

        #
        #   Some MIME-types for downloading Certificates and CRLs
        #
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl .crl

        #   Pass Phrase Dialog:
        #   Configure the pass phrase gathering process.
        #   The filtering dialog program (`builtin' is a internal
        #   terminal dialog) has to provide the pass phrase on stdout.
        SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase

        #   Inter-Process Session Cache:
        #   Configure the SSL Session Cache: First the mechanism
        #   to use and second the expiring timeout (in seconds).
        #   (The mechanism dbm has known memory leaks and should not be used).
        #SSLSessionCache                 dbm:${APACHE_RUN_DIR}/ssl_scache
        SSLSessionCache         shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
        SSLSessionCacheTimeout  300

        #   Semaphore:
        #   Configure the path to the mutual exclusion semaphore the
        #   SSL engine uses internally for inter-process synchronization.
        #   (Disabled by default, the global Mutex directive consolidates by default
        #   this)
        #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache

        # The Online Certificate Status Protocol (OCSP) is a mechanism for determining
        # whether or not a server certificate has been revoked, and OCSP Stapling is a
        # special form of this in which the server, such as httpd and mod_ssl, maintains
        # current OCSP responses for its certificates and sends them to clients which
        # communicate with the server. Most certificates contain the address of an OCSP
        # responder maintained by the issuing Certificate Authority, and mod_ssl can
        # communicate with that responder to obtain a signed response that can be sent
        # to clients communicating with the server.

        #   The protocols to enable.
        #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
        #   SSL v2  is no longer supported
        SSLProtocol -all +TLSv1.3 +TLSv1.2
        SSLCipherSuite    TLSv1.3   TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
        
        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate. See the
        #   ciphers(1) man page from the openssl package for list of all available
        #   options.
        #   Enable only secure ciphers:
        
        # If you plan on using TLSv1.2 and do not enabled TLSv1.3 you may need to use the below line for SSLCipherSuite's value
        #SSLCipherSuite HIGH:!aNULL:!MD5
        SSLCipherSuite    SSL       ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
        
        # Generate the Diffie Hellman key file using the below command
        # ```openssl dhparam -out /etc/apache2/dhparam4096.pem 4096```
        SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam4096.pem"

        SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
        SSLCompression Off
        SSLOptions +StrictRequire
        #SSLOpenSSLConfCmd ECDHParameters secp521rl
                
        # SSL server cipher order preference:
        # Use server priorities for cipher algorithm choice.
        # Clients may prefer lower grade encryption.  You should enable this
        # option if you want to enforce stronger encryption, and can afford
        # the CPU cost, and did not override SSLCipherSuite in a way that puts
        # insecure ciphers first.
        # Default: Off
        SSLHonorCipherOrder on


        #   Allow insecure renegotiation with clients which do not yet support the
        #   secure renegotiation protocol. Default: Off
        SSLInsecureRenegotiation off

        #   Whether to forbid non-SNI clients to access name based virtual hosts.
        #   Default: Off
        #SSLStrictSNIVHostCheck On

</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet