I dropped my former ssl-params.conf and added the following from yours to the mod config:
+ SSLHonorCipherOrder on
+ SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA$
+ SSLOpenSSLConfCmd Curves brainpoolP512r1:brainpoolP384r1:brainpoolP256r1:P-521:P-384:X448:X25519:P-256
+ SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
+ SSLSessionTickets off
+ SSLOpenSSLConfCmd Options +PrioritizeChaCha
Only /etc/ssl/dhparam.pem needs adaptation; for me, generating a custom pem:
$ openssl dhparam -out /etc/ssl/dhparam.pem 2048
And in default-ssl.conf I added the following from yours (the rest was just mail and our different certificates).
Section #1 is the same as what I added in mod-ssl.conf
+ HSTS header
+ http2
And outside the VirtualHost context you added OCSP stapling.
With all the tests thrown against it I still get no hanging Apache workers in my case.
That seems to be all the difference between our configs (unless we missed other files that matter).
That leaves:
- the ssllabs test does something special we haven't captured yet in our attempt to recreate it
- it depends on the certificate itself (my self signed vs whatever real cert you use)
- other config is important that we haven't found yet
TODO that remains:
- if one could run the ssllabs test against such an easy default self-signed setup as I have outlined here (to verify that it triggers the issue and does not depend on further config).
- experiment and find a local test tool that triggers the issue
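As an added example for the remaining TODO (my own harness, not code from this bug thread), here is a small POSIX shell script that drives the server locally through the protocol versions, ciphers and curves an external scanner such as SSL Labs would try, and reads mod_status before and after to see whether workers stay busy. It assumes openssl(1), curl(1) and coreutils timeout(1) are installed, that mod_status is reachable at /server-status?auto on the target, and that the caller exports HOST (and optionally PORT); the cipher list stops at the last cipher that is complete in the truncated SSLCipherSuite line above.

```shell
#!/bin/sh
# Added example for this thread, not code from the bug report itself:
# a local probe harness that drives an Apache mod_ssl endpoint through the
# protocol versions, ciphers and curves an external scanner tries, then
# reads mod_status to see whether workers are left busy afterwards.
# Assumptions (not stated in the thread): openssl(1), curl(1) and coreutils
# timeout(1) are installed, mod_status is reachable at /server-status?auto,
# and the caller exports HOST and PORT.

# Lists copied from the mod_ssl config in the thread.  The SSLCipherSuite
# line there is cut off at the terminal width, so this list stops at the
# last cipher name that is complete in the visible text.
CIPHERS='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256'
CURVES='brainpoolP512r1:brainpoolP384r1:brainpoolP256r1:P-521:P-384:X448:X25519:P-256'

# Turn a colon-separated OpenSSL list into one item per line.
split_list() {
    printf '%s\n' "$1" | tr ':' '\n' | sed '/^$/d'
}

# Count non-idle worker slots in a mod_status "?auto" dump read from stdin.
# In the Scoreboard line "_" is an idle worker and "." an open slot; every
# other letter (R reading, W writing, K keepalive, ...) is a busy worker.
count_busy_workers() {
    sed -n 's/^Scoreboard: //p' | tr -d '_.\n' | wc -c | tr -d ' '
}

# Fetch the scoreboard from the server (-k: the thread uses a self-signed
# certificate) and count busy workers.
busy_workers_on() {
    curl -sk "https://$1:$2/server-status?auto" | count_busy_workers
}

# One handshake attempt; extra arguments go to s_client.  Returns 0 on a
# completed handshake, non-zero on failure or on a 10 s timeout.  A timeout
# is the interesting outcome: the server took the TCP connection but never
# finished the TLS handshake.
probe() {
    host=$1; port=$2; shift 2
    timeout 10 openssl s_client -connect "$host:$port" -servername "$host" \
        "$@" </dev/null >/dev/null 2>&1
}

# Protocol versions, every configured cipher, every configured curve, then a
# few connections held open and dropped, which is roughly what a scanner does.
run_probes() {
    host=$1; port=$2; failed=0
    for proto in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        probe "$host" "$port" "$proto" || failed=$((failed + 1))
    done
    for c in $(split_list "$CIPHERS"); do
        probe "$host" "$port" -tls1_2 -cipher "$c" || failed=$((failed + 1))
    done
    for g in $(split_list "$CURVES"); do
        probe "$host" "$port" -curves "$g" || failed=$((failed + 1))
    done
    for i in 1 2 3 4 5; do
        # stdin stays open for 3 s after the handshake and then closes:
        # an idle client that holds the connection and then hangs up.
        (sleep 3) | timeout 5 openssl s_client -connect "$host:$port" \
            -servername "$host" >/dev/null 2>&1
    done
    echo "probes failed or timed out: $failed"
}

# Only hit the network when the caller says where to; sourcing the file
# for its functions stays side-effect free.
if [ -n "${HOST:-}" ]; then
    PORT=${PORT:-443}
    echo "busy workers before: $(busy_workers_on "$HOST" "$PORT")"
    run_probes "$HOST" "$PORT"
    sleep 5
    echo "busy workers after:  $(busy_workers_on "$HOST" "$PORT")"
fi
```

Run it as `HOST=myhost PORT=443 sh probe.sh` against the self-signed test box; if the "after" count stays above the "before" count once the probes have all returned, the scoreboard shows which state the stuck workers are in, and the probe that timed out narrows down which handshake parameters triggered it.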