- echo "WITH_OPENSSL_PORT=yes" >> /etc/make.conf
- cd /usr/ports/security/openssl ; make install clean
- cd /usr/ports/devel/apr1; make install clean
- cd /usr/ports/www/apache24; make install clean
- vim /usr/local/etc/apache24/httpd.conf
#LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so #LoadModule http2_module libexec/apache24/mod_http2.so #LoadModule ssl_module libexec/apache24/mod_ssl.so ↓ LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so LoadModule http2_module libexec/apache24/mod_http2.so LoadModule ssl_module libexec/apache24/mod_ssl.so
- vim /usr/local/etc/apache24/extra/httpd-ssl.conf
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4 ↓ SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
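SSLProtocol all -SSLv3 ↓ SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
Note: TLS 1.0 and TLS 1.1 are formally deprecated (RFC 8996), and HTTP/2 over TLS requires TLS 1.2 or later (RFC 7540, section 9.2). If legacy clients do not need to be supported, `SSLProtocol -All +TLSv1.2` is enough for h2. The CBC-mode entries in the SSLCipherSuite list above are on the HTTP/2 cipher blacklist (RFC 7540, Appendix A), so only the GCM suites are suitable for h2 connections.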
<VirtualHost _default_:443> Protocols h2 http/1.1
Ref.
1. https://blog.apar.jp/linux/3484/
2. https://forums.freebsd.org/threads/apache-will-not-start-with-openssl-from-ports.38454/
3. https://icing.github.io/mod_h2/howto.html