blog.bejarano.io

Enabling TLS 1.3 support in NGINX

TLS 1.3 has been an IETF Internet Standard since August 2018 (see RFC 8446).

NGINX started supporting TLS 1.3 with the release of version 1.13.0, but because NGINX relies on OpenSSL for its TLS implementation, it wasn’t until this week, when the OpenSSL developers released OpenSSL 1.1.1, that NGINX could actually use the brand new protocol version.

OpenSSL 1.1.1 is also a Long Term Support release, meaning it will have support from the OpenSSL team for at least 5 years from its release.

Enabling TLS 1.3

You can either compile NGINX with OpenSSL 1.1.1, or use ricardbejarano/nginx, a tiny NGINX container image with TLS 1.3 support.

Option A: compiling NGINX with TLS 1.3 support

Prerequisites

Building

Extract OpenSSL, zlib and pcre into /tmp, such that:

Once you are all set, run:

Your brand new binary should be in /usr/local/sbin/nginx.

Option B: using Docker (with ricardbejarano/nginx)

You’ll need to install the Docker engine.

Once you’ve installed it, run the following command, replacing /path/to/conf with the directory where your nginx.conf file and SSL certificates are:

Go to localhost:8080.

Press Ctrl+C to stop.

Configuring NGINX for TLS 1.3 support

The ssl_protocols directive in your NGINX configuration should look something like this:
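As an added example (not the original post's snippet or the project's code), this Python script audits nginx.conf text for every ssl_protocols directive and reports whether TLSv1.3 is listed and whether deprecated versions are still enabled. The sample configuration, including `ssl_protocols TLSv1.2 TLSv1.3;`, is constructed for illustration.

```python
import re

# Constructed sample nginx.conf for illustration (not from the original post).
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1.2 TLSv1.3;   # inherited by servers that do not override it
    server {
        listen 443 ssl;
        server_name a.example;
    }
    server {
        listen 443 ssl;
        server_name legacy.example;
        # ssl_protocols TLSv1.3;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}
"""

# Protocol versions that should no longer be offered (TLS 1.0/1.1 and SSL).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# \b keeps proxy_ssl_protocols and similar directives from matching.
DIRECTIVE = re.compile(r"\bssl_protocols\s+([^;]+);")

def audit_ssl_protocols(conf):
    """Return one finding per active ssl_protocols directive in the config text."""
    # Blank out comments but keep newlines so line numbers stay correct.
    clean = re.sub(r"#[^\n]*", "", conf)
    findings = []
    for m in DIRECTIVE.finditer(clean):
        protocols = m.group(1).split()
        findings.append({
            "line": clean.count("\n", 0, m.start()) + 1,
            "protocols": protocols,
            "tls13": "TLSv1.3" in protocols,
            "deprecated": sorted(DEPRECATED.intersection(protocols)),
        })
    return findings

if __name__ == "__main__":
    results = audit_ssl_protocols(SAMPLE_CONF)
    if not results:
        print("no ssl_protocols directive: NGINX uses its version-dependent default")
    for f in results:
        status = "ok" if f["tls13"] and not f["deprecated"] else "review"
        print(f"line {f['line']}: {' '.join(f['protocols'])} -> {status}")
```

The TLSv1.3 parameter only takes effect when NGINX is built against OpenSSL 1.1.1 or later, so a clean audit of the file does not replace the live test described under Testing.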

Testing

You can check if your website supports TLS 1.3 using Qualys SSL Labs SSL Server Test: