Enabling TLS 1.3 support in nginx
TLS 1.3 has been an IETF Internet Standard since August 2018 (see RFC 8446).
nginx started supporting TLS 1.3 with the release of version 1.13.0, but it wasn’t until this week, when the OpenSSL devs released OpenSSL 1.1.1, that nginx had support for the brand new protocol version.
OpenSSL 1.1.1 is also a Long Term Support release, meaning it will have support from the OpenSSL team for at least 5 years from its release.
Enabling TLS 1.3
You can either compile nginx with OpenSSL 1.1.1, or use ricardbejarano/nginx, a tiny nginx container image with TLS 1.3 support and Brotli compression support.
Option A: compiling nginx with TLS 1.3 support
- nginx 1.13.0 or higher (see nginx.org)
- OpenSSL 1.1.1 or higher (see openssl.org)
- zlib 1.2.11 (see zlib.net)
- pcre 8.42 (see pcre.org)
Extract OpenSSL, zlib and pcre into /tmp, such that:
$ ls /tmp
openssl-1.1.1 pcre-8.42 zlib-1.2.11
Once you are all set, run:
$ cd /path/to/nginx
$ ./configure \
$ make install
Your brand new binary should be in
Option B: using Docker (with ricardbejarano/nginx)
You’ll need to install the Docker engine.
Once you’ve installed it, run the following command, replacing /path/to/conf with the directory where your nginx.conf file and SSL certificates are:
$ docker run -it -p 8080:80 -v /path/to/conf:/etc/nginx ricardbejarano/nginx
Go to localhost:8080.
Ctrl+C to stop.
Configuring nginx for TLS 1.3 support
The ssl_protocols directive in your nginx configuration should look something like this:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
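An added example, not part of the original post: a Python check that reads nginx configuration text and reports, for each ssl_protocols directive, whether TLSv1.3 is listed and which of the listed protocols are deprecated (TLS 1.0 and 1.1 were deprecated by RFC 8996). The function name audit_ssl_protocols and the sample configuration are constructed for illustration.

```python
import re

# Deprecated protocol names nginx accepts in ssl_protocols:
# SSLv2/SSLv3, plus TLS 1.0 and 1.1 (deprecated by RFC 8996).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample configuration (not from the original post).
SAMPLE_CONF = """\
http {
    # ssl_protocols SSLv3;   commented out, must be ignored
    server {
        listen 443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    }
    server {
        listen 8443 ssl;
        ssl_protocols TLSv1.2;
        proxy_ssl_protocols TLSv1.3;  # upstream setting, a different directive
    }
}
"""

# The lookbehind rejects longer names such as proxy_ssl_protocols.
DIRECTIVE = re.compile(r"(?<![\w.])ssl_protocols\s+([^;{}]*);")


def audit_ssl_protocols(conf_text):
    """Return one finding per ssl_protocols directive in conf_text."""
    # Blank out '#' comments but keep newlines so line numbers stay valid.
    # Assumption: no quoted '#' characters in the configuration.
    text = re.sub(r"#[^\n]*", "", conf_text)
    findings = []
    for match in DIRECTIVE.finditer(text):
        protocols = match.group(1).split()
        findings.append({
            "line": text.count("\n", 0, match.start()) + 1,
            "protocols": protocols,
            "tls13": "TLSv1.3" in protocols,
            "deprecated": [p for p in protocols if p in DEPRECATED],
        })
    return findings


if __name__ == "__main__":
    for f in audit_ssl_protocols(SAMPLE_CONF):
        status = "TLS 1.3 enabled" if f["tls13"] else "TLS 1.3 NOT enabled"
        old = ", ".join(f["deprecated"]) or "none"
        print(f"line {f['line']}: {status}; deprecated protocols: {old}")
```

To audit a real server, pass the contents of your own nginx.conf and any included files to the function.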
You can check if your website supports TLS 1.3 using Qualys SSL Labs SSL Server Test: