It may appear that allowing the site operator to control verification responses would enable a fraudulent site to issue a false verification for a revoked certificate. However, stapled responses cannot be forged, because they must be signed by the certificate authority (CA), not by the server itself (as with self-signed certificates). If the client does not receive a stapled response signed by the CA, it contacts the OCSP server on its own. If the client receives an invalid stapled response, the connection to the intended endpoint is terminated. The only risk of OCSP stapling is that notification of revocation for a certificate may be delayed until the last-signed OCSP response expires (cached on the client machine from the last visit).
As a result, clients continue to have verifiable assurance from the certificate authority that the certificate is presently valid (or was quite recently), but no longer need to individually contact the OCSP server. This means that the brunt of the resource burden is now placed back on the certificate holder. It also means client software no longer needs to disclose users' browsing habits to any third party.
Overall performance is also improved: when the client fetches the OCSP response directly from the CA, it usually involves the lookup of the domain name of the CA's OCSP server from global DNS in order to establish a connection to the OCSP server. When OCSP stapling is used, the certificate status information is delivered to the client through an already established channel, reducing overhead and improving performance. - Wikipedia
nano /etc/httpd/conf.modules.d/ssl.conf
This allows the DH parameters to be used globally and lets us choose which elliptic curves are used, in order of preference.
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
# Do not allow compression, to prevent the CRIME attack
SSLCompression off
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 60
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
nano /etc/httpd/conf.d/EXAMPLE_com_ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin host@EXAMPLE.com
ServerName EXAMPLE.com
ServerAlias www.EXAMPLE.com
DocumentRoot /var/www/html/EXAMPLE
DirectoryIndex index.html
LogLevel info ssl:warn
ErrorLog /var/log/httpd/error.log
CustomLog /var/log/httpd/access.log combined
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/www_EXAMPLE_com.crt
SSLCertificateKeyFile /etc/httpd/ssl/rsa_EXAMPLE.key
# or /etc/httpd/ssl/ec_EXAMPLE.key when the certificate uses an EC key
SSLCertificateChainFile /etc/httpd/ssl/EXAMPLE_CA.crt
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
</VirtualHost>
</IfModule>
systemctl restart httpd
<IfModule mod_ssl.c>
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 60
SSLStaplingCache "shmcb:logs/stapling-cache(512000)"
<VirtualHost *:443>
ServerAdmin host@EXAMPLE.com
ServerName EXAMPLE.com
ServerAlias www.EXAMPLE.com
DocumentRoot /var/www/html/EXAMPLE
DirectoryIndex index.html
LogLevel info ssl:warn
ErrorLog /var/log/httpd/error.log
CustomLog /var/log/httpd/access.log combined
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/www_EXAMPLE_com.crt
SSLCertificateKeyFile /etc/httpd/ssl/rsa_EXAMPLE.key
# or /etc/httpd/ssl/ec_EXAMPLE.key when the certificate uses an EC key
SSLCertificateChainFile /etc/httpd/ssl/EXAMPLE_CA.crt
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLCompression off
...............
</VirtualHost>
</IfModule>
systemctl restart httpd
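After the restart, confirm that the server really sends a stapled response and that it is a good one. The script below is an added example, not part of the original page: it classifies the output of `openssl s_client -status` (constructed samples of that output are embedded) and wraps a live check; it assumes openssl(1) is installed and uses the page's EXAMPLE.com placeholder.

```shell
#!/bin/sh
# Added example: classify the OCSP stapling state reported by
# `openssl s_client -status`, then reuse it for a live check of a host.

# classify_staple <s_client output>
# Echoes one of: stapled-good, stapled-revoked, stapled-unknown, not-stapled, error.
# Exit status is 0 only for stapled-good.
classify_staple() {
    out="$1"
    # The server sent no status_request response at all: stapling is off or the cache is empty
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo not-stapled; return 1
    fi
    # Something was stapled, but the responder answered with an error (e.g. tryLater).
    # With SSLStaplingReturnResponderErrors off, Apache should not forward these.
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo error; return 1
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status:[[:space:]]*//p' | head -n 1)
    case "$status" in
        good)    echo stapled-good;    return 0 ;;
        revoked) echo stapled-revoked; return 1 ;;
        *)       echo stapled-unknown; return 1 ;;
    esac
}

# check_staple <host> [port]: live check; needs network and a real host.
check_staple() {
    host="$1"; port="${2:-443}"
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
        -servername "$host" -status 2>/dev/null)
    classify_staple "$out"
}

# Constructed sample: s_client output from a server stapling a good response.
SAMPLE_STAPLED_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================
---
Certificate chain'

# Constructed sample: server without stapling.
SAMPLE_NOT_STAPLED='OCSP response: no response sent
---
Certificate chain'
```

Run `check_staple EXAMPLE.com` against the vhost configured above; anything other than `stapled-good` means the stapling cache, responder reachability or the certificate itself needs a look.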