I dropped my former ssl-params.conf and added from you for the mod config:

+ SSLHonorCipherOrder on
+ SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA$
+ SSLOpenSSLConfCmd Curves brainpoolP512r1:brainpoolP384r1:brainpoolP256r1:P-521:P-384:X448:X25519:P-256
+ SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
+ SSLSessionTickets off
+ SSLOpenSSLConfCmd Options +PrioritizeChaCha

Only the /etc/ssl/dhparam.pem needs adaptation for me, generating a custom pem:

$ openssl dhparam -out /etc/ssl/dhparam.pem 2048

And in the default-ssl.conf I added from you (the rest was just mail and our different certificates):
section #1 is the same as added in mod-ssl.conf
+ HSTS header
+ http2

And outside the /VirtualHost context you added the OCSP Stapling.

With all the tests thrown against it I still get no hanging apache workers in my case.

That seems all the difference we had in our config (unless we missed other files being important). That leaves:
- the ssllabs test does something special we haven't captured yet in our try to recreate
- it depends on the certificate itself (my self signed vs whatever real cert you use)
- other config is important that we haven't found yet

TODO that remains:
- if one could run ssllabs test against such an easy default self signed setup as I have outlined here (to verify that it triggers the issue and is not depending on further config).
- experiment and find a local test tool that triggers the issue

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1836329

Title:
  Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS
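The remaining differences between the two setups are being hunted by eye; as an added example (not code from the bug report, Ubuntu or Apache), the helper below normalises the SSL* directives of two mod_ssl fragments and lists what differs. Both fragments are constructed samples: the first mirrors the posted block with a shortened cipher list, the second is a hypothetical other host.

```python
"""Compare the mod_ssl directives of two Apache config fragments.

Lightweight, constructed parser for this comparison only; it is not
Apache's own config parser and only handles one directive per line."""
import shlex

# Directives whose value is an ordered colon-separated list.
LIST_DIRECTIVES = {"SSLCipherSuite", "SSLOpenSSLConfCmd Curves"}


def ssl_directives(conf_text):
    """Return {directive: value} for every SSL* directive in the fragment.
    A leading diff-style '+' and trailing '#' comments are ignored; each
    SSLOpenSSLConfCmd entry is keyed by its command name; list values are
    split on ':' so order and membership can be compared."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip().lstrip("+").strip()
        if not line.startswith("SSL"):
            continue
        parts = shlex.split(line)  # unquotes "/etc/ssl/dhparam.pem"
        key, value = parts[0], parts[1:]
        if key == "SSLOpenSSLConfCmd":
            key, value = f"{key} {value[0]}", value[1:]
        value = " ".join(value)
        if key in LIST_DIRECTIVES:
            value = value.split(":")
        found[key] = value
    return found


def diff_ssl_configs(a_text, b_text):
    """Return (directive, a_value, b_value) for every directive that differs;
    a directive present on only one side shows up as None on the other."""
    a, b = ssl_directives(a_text), ssl_directives(b_text)
    return [(k, a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]


# Constructed sample: the posted fragment, cipher list shortened.
MINE = """
+ SSLHonorCipherOrder on
+ SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
+ SSLOpenSSLConfCmd Curves brainpoolP512r1:brainpoolP384r1:brainpoolP256r1:P-521:P-384:X448:X25519:P-256
+ SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
+ SSLSessionTickets off
+ SSLOpenSSLConfCmd Options +PrioritizeChaCha
"""
# Constructed sample: a hypothetical second host to compare against.
OTHER = """
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLOpenSSLConfCmd Curves X25519:P-256   # no brainpool curves here
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
SSLSessionTickets on
SSLOpenSSLConfCmd Options +PrioritizeChaCha
"""

if __name__ == "__main__":
    for directive, mine, other in diff_ssl_configs(MINE, OTHER):
        print(f"{directive}:\n  mine : {mine}\n  other: {other}")
```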
