Comment 15 for bug 1836329

Christian Ehrhardt  (paelzer) wrote :

I dropped my former ssl-params.conf and added yours for the mod config:
+ SSLHonorCipherOrder on
+ SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA$
+ SSLOpenSSLConfCmd Curves brainpoolP512r1:brainpoolP384r1:brainpoolP256r1:P-521:P-384:X448:X25519:P-256
+ SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
+ SSLSessionTickets off
+ SSLOpenSSLConfCmd Options +PrioritizeChaCha

Only the /etc/ssl/dhparam.pem needs adaptation for me, generating a custom pem:
$ openssl dhparam -out /etc/ssl/dhparam.pem 2048

And in the default-ssl.conf I added yours (the rest was just mail and our different certificates).

section #1 is the same as added in mod-ssl.conf
+ HSTS header
+ http2

And outside the /VirtualHost context you added the OCSP Stapling

With all the tests thrown against it I still get no hanging apache workers in my case.

That seems all the difference we had in our config (unless we missed other files being important).
That leaves:
- the ssllabs test does something special we haven't captured yet in our attempt to recreate it
- it depends on the certificate itself (my self signed vs whatever real cert you use)
- other config is important that we haven't found yet

TODO that remains:
- if one could run ssllabs test against such an easy default self signed setup as I have outlined here (to verify that it triggers the issue and is not depending on further config).
- experiment and find a local test tool that triggers the issue
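As an added example (not from the bug report or its participants), the following script parses an Apache mod_ssl fragment in the shape quoted in this comment and checks it against the hardening properties those directives are meant to provide. The sample fragment is constructed from the directives above with the cipher list abbreviated; the check functions and their finding texts are my own.

```python
"""Parse and sanity-check an Apache mod_ssl parameter fragment (added example)."""

# Constructed sample in the shape of the ssl-params.conf quoted in the comment
# (cipher list abbreviated to the first five suites).
SAMPLE_CONF = """
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256
SSLOpenSSLConfCmd Curves brainpoolP512r1:brainpoolP384r1:brainpoolP256r1:P-521:P-384:X448:X25519:P-256
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
SSLSessionTickets off
SSLOpenSSLConfCmd Options +PrioritizeChaCha
"""


def parse_ssl_conf(text):
    """Map directive -> value; SSLOpenSSLConfCmd entries are keyed by their sub-command."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # directive without a value: nothing to record
        key, value = parts
        if key == "SSLOpenSSLConfCmd":
            sub, _, value = value.partition(" ")
            key = f"SSLOpenSSLConfCmd:{sub}"
        conf[key] = value.strip().strip('"')
    return conf


def check_ssl_conf(conf):
    """Return a list of findings; an empty list means the fragment meets the expectations."""
    findings = []
    if conf.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("server cipher preference is not enforced (SSLHonorCipherOrder)")
    if conf.get("SSLSessionTickets", "").lower() != "off":
        findings.append("session tickets enabled; forward secrecy depends on ticket key rotation")
    for cipher in conf.get("SSLCipherSuite", "").split(":"):
        # Expect ECDHE key exchange (forward secrecy) with an AEAD cipher (GCM or ChaCha20).
        if not cipher.startswith("ECDHE-") or not ("GCM" in cipher or "CHACHA20" in cipher):
            findings.append(f"non-forward-secret or non-AEAD cipher suite: {cipher!r}")
    if "X25519" not in conf.get("SSLOpenSSLConfCmd:Curves", "").split(":"):
        findings.append("X25519 missing from Curves")
    if not conf.get("SSLOpenSSLConfCmd:DHParameters"):
        findings.append("no custom DHParameters file configured")
    return findings


if __name__ == "__main__":
    print(check_ssl_conf(parse_ssl_conf(SAMPLE_CONF)) or "no findings")
```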