diff --git a/actions/apache b/actions/apache
index fc0c06e29..2fbfb2403 100755
--- a/actions/apache
+++ b/actions/apache
@@ -129,6 +129,10 @@ def subcommand_setup(arguments):
 # Enable HTTP/2 protocol
 webserver.enable('http2', kind='module')
+ # Enable shared object cache needed for OSCP stapling. Needed by
+ # mod_ssl.
+ webserver.enable('socache_shmcb', kind='module')
+
 # switch to mod_ssl from mod_gnutls
 webserver.disable('gnutls', kind='module')
 webserver.enable('ssl', kind='module')
diff --git a/data/etc/apache2/conf-available/freedombox.conf b/data/etc/apache2/conf-available/freedombox.conf
index 255f1becf..a2feaf114 100644
--- a/data/etc/apache2/conf-available/freedombox.conf
+++ b/data/etc/apache2/conf-available/freedombox.conf
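Review bot: The added comment misspells the acronym: "OSCP stapling" should read "OCSP stapling" (Online Certificate Status Protocol), so the two new comment lines should be `# Enable shared object cache needed for OCSP stapling. Needed by` / `# mod_ssl.`. It would also help a future reader to name the dependency the other way round, e.g. `# socache_shmcb backs the SSLStaplingCache "shmcb:..." directive in freedombox.conf`, since the module enable and the config directive live in different files and only make sense together. The body of `subcommand_setup` continues outside the hunk.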
@@ -1,3 +1,36 @@
+## SPDX-License-Identifier: AGPL-3.0-or-later
+##
+## DO NOT EDIT. If you do, FreedomBox will not automatically upgrade.
+##
+## Apache configuration managed by FreedomBox. If customization is needed,
+## create a new configuration file with higher priority and override directives.
+##
+
+##
+## TLS configuration as recommended by Mozilla's SSL Configuration Generator
+## with 'Intermediate' configuration. See:
+## https://wiki.mozilla.org/Security/Server_Side_TLS
+##
+
+ # Disable ciphers that are weak or without forward secrecy.
+ SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+
+ # Allow client to choose ciphers as they will know best if they have support
+ # for hardware-accelerated AES.
+ SSLHonorCipherOrder off
+
+ # TLS session tickets (RFC 5077) require restarting web server with an
+ # appropriate frequency. See:
+ # https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessiontickets
+ SSLSessionTickets off
+
+ # Send OCSP responses to the client and reduce their round trips.
+
+ SSLUseStapling On
+ SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"
+
+
+
 ##
 ## Enable HSTS, even for subdomains.
 ##
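Review bot: The block is labelled as Mozilla's 'Intermediate' profile, but the hunk carries no `SSLProtocol` directive, so unless the protocol floor is set in another file the server still negotiates TLS 1.0 and 1.1 alongside the restricted cipher list; the profile's line is `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`. With `SSLUseStapling On` and `SSLStaplingReturnResponderErrors` left at its default (on), an unsuccessful OCSP responder lookup is passed on to the client inside the handshake and may cause staple-checking clients to reject the connection; `SSLStaplingReturnResponderErrors off` falls back to sending no staple instead. The comment above `SSLUseStapling` could also state that the `shmcb:` cache relies on the `socache_shmcb` module enabled in actions/apache, so the two halves of this change stay linked for whoever edits either file next.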