How to Enable TLS 1.3 in Nginx

Transport Layer Security (TLS) 1.3 is the latest version of the Transport Layer Security (TLS) protocol, published as an IETF standard in RFC 8446 in August 2018TLS 1.3 protocol provides privacy and performance enhancements compared to the previous versions of TLS and non-secure HTTP.

Since version 1.13.0, Nginx has been added support for TLS 1.3. Currently, most Linux distributions don't contain the required versions of Nginx and OpenSSL in its default software repositories, so you will probably need to compile Nginx yourself against OpenSSL 1.1.1+. The only Linux distributions that have native support for TLS 1.3 are Ubuntu 18.10, Fedora 29 and Debian 10 (not yet released as of today). If you need a guide on how to compile Nginx from source you can follow this Howtoforge tutorial, if you want to install the latest OpenSSL, check out this guide. In this tutorial, I'm going to assume you already have a working TLS configuration, and you have compiled Nginx against OpenSSL 1.1.1+ by following my linked tutorial and you know how to use Let's Encrypt, or you know how to issue a self-signed certificate. 

Requirements

To enable TLS 1.3 in Nginx you will need to fulfill the following requirements:

  • Nginx version 1.13.0 or greater built against OpenSSL 1.1.1 or greater.
  • A valid TLS certificate or a self-signed one. You can get a free one from Let's Encrypt.

Enable TLS 1.3 in Nginx

To enable TLS 1.3 in Nginx, just add TLSv1.3 parameter to the ssl_protocols directive.

ssl_protocols TLSv1.2 TLSv1.3;

And reload your Nginx configuration:

sudo systemctl reload nginx.service

That's all there is to do when it comes to configuring Nginx. Just one simple change and TLS 1.3 should work.

Here is the minimal virtual server configuration for TLS 1.3 that can look something like this:

server {

listen 443 ssl http2;
listen [::]:443 ssl http2;

server_name example.com;
root /var/www/example.com/public;

ssl_certificate /path/to/your/certificate.crt;
ssl_certificate_key /path/to/your/private.key;

ssl_protocols TLSv1.2 TLSv1.3;

}

To check if your server supports TLS 1.3, you can use your browser dev tools or SSLLabs server test. The below are the screenshots from Google Chrome browser that show TLS 1.3 in action.

Check TLS version in Browser

TLS 1.3 enabled in Nginx successfully

And that's all there is to enabling TLS 1.3 on your Nginx server.

Share this page:

5 Comment(s)