Enabling TLS 1.3 support in NGINX
Since August 2018, TLS 1.3 has been an IETF Internet Standard (see RFC 8446).
NGINX started supporting TLS 1.3 with the release of version 1.13.0, but it wasn’t until this week, when the OpenSSL devs released OpenSSL 1.1.1, that NGINX had support for the brand new protocol version.
OpenSSL 1.1.1 is also a Long Term Support release, meaning it will have support from the OpenSSL team for at least 5 years from its release.
Enabling TLS 1.3
You can either compile NGINX with OpenSSL 1.1.1, or use ricardbejarano/nginx, a tiny NGINX container image with TLS 1.3 support.
Option A: compiling NGINX with TLS 1.3 support
- NGINX 1.13.0 or higher (see nginx.org)
- OpenSSL 1.1.1 or higher (see openssl.org)
- zlib 1.2.11 (see zlib.net)
- pcre 8.42 (see pcre.org)
Building
Extract OpenSSL, zlib and pcre into /tmp, such that:
Once you are all set, run:
Your brand new binary should be in
Option B: using Docker (with ricardbejarano/nginx)
You’ll need to install the Docker engine. Once you’ve installed it, run the following command, replacing /path/to/conf with the directory where your nginx.conf file and SSL certificates are:
Go to localhost:8080.
Ctrl+C to stop.
Configuring NGINX for TLS 1.3 support
The ssl_protocols directive in your NGINX configuration should look something like this:
You can check if your website supports TLS 1.3 using Qualys SSL Labs SSL Server Test:
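As an offline complement to the online test, the following added example (not code from the original post) scans NGINX configuration text for ssl_protocols directives and reports which ones enable TLSv1.3 and which still list deprecated versions. The function name, the sample configuration and the a.example/b.example hosts are constructed for illustration.

```python
import re

# Values nginx accepts for ssl_protocols; LEGACY marks the deprecated ones
# (TLS 1.0 and 1.1 were formally deprecated by RFC 8996).
KNOWN = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# The lookbehind keeps proxy_ssl_protocols and similar directives out.
DIRECTIVE = re.compile(r"(?<![\w$])(ssl_protocols)\s+([^;{}]*);")

# Constructed sample configuration (not from the original post).
SAMPLE_CONF = """\
http {
    server {
        listen 443 ssl;
        server_name a.example;
        ssl_protocols TLSv1.2 TLSv1.3;
    }
    server {
        listen 443 ssl;
        server_name b.example;
        # ssl_protocols TLSv1.3;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}
"""


def audit_ssl_protocols(conf_text):
    """Return one finding per active ssl_protocols directive in conf_text."""
    # Drop '#' comments but keep line breaks so reported line numbers hold.
    clean = "\n".join(l.split("#", 1)[0] for l in conf_text.splitlines())
    findings = []
    for m in DIRECTIVE.finditer(clean):
        protocols = m.group(2).split()
        findings.append({
            "line": clean.count("\n", 0, m.start(1)) + 1,
            "protocols": protocols,
            "tls13": "TLSv1.3" in protocols,
            "legacy": [p for p in protocols if p in LEGACY],
            "unknown": [p for p in protocols if p not in KNOWN],
        })
    return findings


if __name__ == "__main__":
    for f in audit_ssl_protocols(SAMPLE_CONF):
        status = "TLS 1.3 enabled" if f["tls13"] else "TLS 1.3 MISSING"
        print(f"line {f['line']}: {' '.join(f['protocols'])} -> {status}")
```

The scan only inspects the text it is given and does not follow include directives, so run it over each included file as well.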