@opi
Last active October 27, 2016 09:14
/etc/apache2/conf-available/ssl_common.conf
# From https://mozilla.github.io/server-side-tls/ssl-config-generator/
# intermediate profile
# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
# SSLSessionTickets off
# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
## ###################
## VHost configuration
##
##
## SSLEngine on
## SSLCertificateFile /usr/local/etc/letsencrypt-sh/certs/<domain>/cert.pem
## SSLCertificateKeyFile /usr/local/etc/letsencrypt-sh/certs/<domain>/privkey.pem
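## # SSLCertificateChainFile is obsolete since httpd 2.4.8; on newer versions
## # SSLCertificateFile can load the certificate followed by its chain instead.
## SSLCertificateChainFile /usr/local/etc/letsencrypt-sh/certs/<domain>/chain.pem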
## # HSTS (mod_headers is required) (15768000 seconds = 6 months)
## #Header always set Strict-Transport-Security "max-age=15768000"
##
##
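
An added example, not part of the original gist: a small Python check that reads the directives from this file and reports what the intermediate cipher string still allows (3DES suites, suites without forward secrecy) and whether the hardening directives are set. It assumes directive names are spelled exactly as above and that the cipher list is colon-separated; the function names are illustrative.

```python
import re

# Directives copied from the ssl_common.conf on this page (comments dropped).
CONF = """\
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLUseStapling on
SSLStaplingCache shmcb:/var/run/ocsp(128000)
"""

def parse_directives(text):
    """Map each directive name to its argument string; skip comments and blanks."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            out[name] = args.strip()
    return out

def classify_ciphers(suite):
    """Group OpenSSL cipher names by the properties their names encode."""
    # Entries starting with '!', '-' or '+' are list operators (e.g. !DSS), not suites.
    names = [c for c in suite.split(":") if c and c[0] not in "!-+"]
    return {
        "all": names,
        "aead": [c for c in names if "GCM" in c or "CHACHA20" in c],
        "triple_des": [c for c in names if "DES-CBC3" in c],
        # No ECDHE/DHE/EDH prefix means static RSA key exchange.
        "no_forward_secrecy": [c for c in names if not re.match(r"(ECDHE|DHE|EDH)-", c)],
    }

def audit(text):
    """Return a list of findings for the settings this file is meant to pin."""
    d = parse_directives(text)
    g = classify_ciphers(d.get("SSLCipherSuite", ""))
    findings = []
    if g["triple_des"]:
        findings.append("3DES enabled: " + ", ".join(g["triple_des"]))
    if g["no_forward_secrecy"]:
        findings.append("static RSA key exchange: " + ", ".join(g["no_forward_secrecy"]))
    if d.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on")
    if d.get("SSLCompression", "").lower() != "off":
        findings.append("SSLCompression is not off")
    if d.get("SSLUseStapling", "").lower() == "on" and "SSLStaplingCache" not in d:
        findings.append("SSLUseStapling on without SSLStaplingCache")
    return findings
```

Calling `audit(CONF)` on the directives above returns two findings, both about the legacy suites at the tail of the cipher string; the other checks pass.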