Hello!
I recently modified my Apache httpd.conf
to include SSL Stapling, SSL Session Cache, forced SSL Ciphers, and a few other settings to speed things up a bit. The module for SSL stapling is already there; it's just not loaded.
I think it would be a good idea to:
- Let admins have their own configuration file and then include it via Apache's Include function; or
- Let admins modify config parameters much like we do now in the CP like php.ini settings for Apache
My edits are below for reference:
SSL Stapling
When enabled, the server pre-fetches the OCSP response for its own certificate and delivers it to the browser during the TLS handshake. This has a privacy advantage (the CA's OCSP responder no longer sees which clients are visiting the site), but the main benefit is that the browser doesn't have to open a separate connection to the CA's revocation service before it can display the Web page. This gives better performance and reliability.
I added the following to Apache:
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
SSLUseStapling on
SSLStaplingCache shmcb:/tmp/stapling_cache(1048576)
SSL Session Cache
This cache is an optional facility that speeds up parallel request processing. OpenSSL already caches SSL session information within a single server process (keep-alive requests from the same client hit the same process), but parallel requests from a browser are served by different worker processes, so an inter-process session cache lets those requests resume the session instead of repeating a full handshake.
I added the following to Apache (you need socache_shmcb_module loaded):
SSLSessionCache shmcb:/tmp/ssl_scache(1048576)
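The two settings above (stapling and the session cache) are easiest to confirm from a client: `openssl s_client -status` prints the stapled OCSP response, and `-reconnect` shows whether sessions are being resumed. The script below is an added example, not part of the original post or of any control panel's code: it runs that command and parses the result. `SAMPLE_OUTPUT` is a constructed transcript, not a real capture, and the host name used in `check_server` is whatever you pass in.

```python
import re
import subprocess

# Constructed sample of `openssl s_client -status -reconnect` output (not a real capture),
# trimmed to the lines the parser looks at.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
---
Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
"""


def parse_s_client(text):
    """Pull out the bits of s_client output that show stapling and session resumption."""
    result = {
        # Without SSLUseStapling the server prints "OCSP response: no response sent" instead.
        "stapled": "OCSP Response Status: successful" in text,
        "cert_status": None,       # good / revoked / unknown, from the stapled response
        "new_sessions": 0,         # full handshakes
        "reused_sessions": 0,      # resumed sessions (session cache or ticket)
        "cipher": None,
    }
    m = re.search(r"Cert Status:\s*(\w+)", text)
    if m:
        result["cert_status"] = m.group(1)
    # Each (re)connection prints one "New, ..." or "Reused, ..." summary line.
    for m in re.finditer(r"^(New|Reused), (TLSv1\.\d), Cipher is (\S+)", text, re.M):
        if m.group(1) == "New":
            result["new_sessions"] += 1
        else:
            result["reused_sessions"] += 1
        result["cipher"] = m.group(3)
    return result


def check_server(host, port=443, reconnect=True):
    """Run openssl s_client against host (assumed reachable) and summarise the output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    if reconnect:
        cmd.append("-reconnect")   # s_client reconnects five times trying to resume
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=30)
    return parse_s_client(proc.stdout.decode(errors="replace"))


if __name__ == "__main__":
    print(parse_s_client(SAMPLE_OUTPUT))
    # print(check_server("www.example.com"))  # live check against your own server
```

After a restart, `reused_sessions` should be non-zero and `stapled` true; a `cert_status` of anything other than `good` means the cached OCSP response itself is reporting a problem with the certificate.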
SSL Ciphers
Disabling weak ciphers is the goal: no 128-bit ciphers. The cipher list might be a bit too tight.
I added the following to Apache:
# TLSv1.3 suites are configured with this form (Apache 2.4.36+ / OpenSSL 1.1.1+)
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
# TLSv1.2 list. TLS_* names are not valid here (OpenSSL ignores them in this list),
# ADH-* suites are anonymous (no server authentication) and have been dropped,
# and the static DH-*/ECDH-* suites no longer exist in OpenSSL 1.1.0+.
SSLCipherSuite ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:RSA-PSK-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:PSK-AES256-CCM:DHE-PSK-AES256-CCM:PSK-AES256-CCM8:DHE-PSK-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES256-CCM8
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLHonorCipherOrder On
SSLCompression Off
SSLSessionTickets Off
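Because OpenSSL silently drops cipher names it does not recognise, a long SSLCipherSuite list can look fine and still not mean what you think. The script below is an added example (not from the original post) that checks a TLSv1.2 cipher list offline against the local OpenSSL build: it reports names the build cannot resolve (which is what happens to TLS_* names and the removed static DH suites in the legacy list), flags anonymous suites, and flags anything under the 256-bit strength the post is aiming for. `PAGE_CIPHER_LIST` is a shortened copy of the list from the post used as sample input; run it on a machine with the same OpenSSL version as the web server.

```python
import ssl

# Shortened copy of the post's TLSv1.2 SSLCipherSuite list, used as sample input.
PAGE_CIPHER_LIST = (
    "TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ADH-AES256-GCM-SHA384:"
    "DH-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384"
)


def audit_cipher_list(cipher_list, min_bits=256):
    """Resolve each name in an OpenSSL cipher string and classify what it selects."""
    report = {"accepted": [], "unavailable": [], "anonymous": [], "weak": []}
    for token in cipher_list.split(":"):
        if not token or token[0] in "!-+@":
            continue  # modifiers and ordering directives, not cipher names
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            # Fails when the token selects no TLSv1.2-or-older cipher: unknown names,
            # suites removed from this OpenSSL build, and TLS 1.3 TLS_* names all land here.
            ctx.set_ciphers(token)
        except ssl.SSLError:
            report["unavailable"].append(token)
            continue
        # get_ciphers() always includes the TLS 1.3 suites OpenSSL keeps enabled;
        # only the legacy entries were selected by this token.
        for c in ctx.get_ciphers():
            if c["protocol"] == "TLSv1.3":
                continue
            report["accepted"].append(c["name"])
            if "Au=None" in c["description"]:      # anonymous key exchange, MITM-able
                report["anonymous"].append(c["name"])
            if c["strength_bits"] < min_bits:
                report["weak"].append(c["name"])
    return report


if __name__ == "__main__":
    for category, names in audit_cipher_list(PAGE_CIPHER_LIST).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Names in `unavailable` are simply ignored by Apache, so the list still loads; the practical check is that `accepted` contains everything you expect and that `anonymous` and `weak` are empty.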
Miscellaneous Settings
I also changed/added some configuration settings below:
Timeout 60
MaxKeepAliveRequests 1000
KeepAliveTimeout 15
StartServers 8