Enabling TLS 1.3 support in nginx

Since August 2018, TLS 1.3 is an IETF Internet Standard (see RFC8446).

nginx started supporting TLS 1.3 with the release of version 1.13.0, but it wasn't until this week, when the OpenSSL devs released OpenSSL 1.1.1, that nginx had support for the brand new protocol version.

OpenSSL 1.1.1 is also a Long Term Support release, meaning it will have support from the OpenSSL team for at least 5 years from it's release.

Enabling TLS 1.3

You can either compile nginx with OpenSSL 1.1.1, or use ricardbejarano/nginx, a tiny nginx container image with TLS 1.3 support and Brotli compression support.

Option A: compiling nginx with TLS 1.3 support



Extract OpenSSL, zlib and pcre into /tmp, such that:

$ ls /tmp
openssl-1.1.1  pcre-8.42   zlib-1.2.11

Once you are all set, run:

$ cd /path/to/nginx
$ ./configure \
  --sbin-path=/usr/local/sbin \
  --conf-path=/etc/nginx/nginx.conf \
  --pid-path=/var/run/ \
  --http-log-path=/var/log/nginx/access.log \
  --error-log-path=/var/log/nginx/error.log \
  --http-client-body-temp-path=/tmp/nginx/client_temp \
  --http-proxy-temp-path=/tmp/nginx/proxy_temp \
  --http-fastcgi-temp-path=/tmp/nginx/fastcgi_temp \
  --http-uwsgi-temp-path=/tmp/nginx/uwsgi_temp \
  --http-scgi-temp-path=/tmp/nginx/scgi_temp \
  --with-pcre=/tmp/pcre-8.42 \
  --with-openssl=/tmp/openssl-1.1.1 \
  --with-zlib=/tmp/zlib-1.2.11 \
  --with-file-aio \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-stream \
  --with-stream_ssl_module \
$ make
$ make install

Your brand new binary should be in /usr/local/sbin/nginx.

Option B: using Docker (with ricardbejarano/nginx)

You'll need to install the Docker engine.

Once you've installed it, run the following command, replacing /path/to/conf wiht the directory where your nginx.conf file and SSL certificates are:

$ docker run -it -p 8080:80 -v /path/to/conf:/etc/nginx ricardbejarano/nginx

Go to localhost:8080.

Press Ctrl+C to stop.

Configuring nginx for TLS 1.3 support

The ssl_protocols directive in your nginx configuration should look something like this:

http {
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;


You can check if your website supports TLS 1.3 using Qualys SSL Labs SSL Server Test: