Since Nginx 1.13 , support has been added for TLSv1.3, the latest version of the TLS protocol. Depending on when you read this post, chances are you’re running an older version of Nginx at the moment, which doesn’t yet support TLS 1.3. In that case, consider running Nginx in a container for the latest version, or compiling Nginx from source.
Enable TLSv1.3 in Nginx#
I’m going to assume you already have a working TLS configuration. It’ll include configs like these;
...
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
...
And quite a few more parameters.
To enable TLS 1.3, add TLSv1.3 to the ssl_protocols list.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
And reload your Nginx configuration.
Test if your Nginx version supports TLS 1.3#
Add the config as shown above, and try to run Nginx in debug mode.
$ nginx -t
nginx: [emerg] invalid value "TLSv1.3" in /etc/nginx/conf.d/ma.ttias.be.conf:34
nginx: configuration file /etc/nginx/nginx.conf test failed
If you see the message above, your Nginx version doesn’t support TLS 1.3. A working config will tell you this;
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
If you don’t see any errors, your Nginx version supports TLS 1.3.
Further requirements#
Now that you’ve told Nginx to use TLS 1.3, it will use TLS 1.3 where available – but at the time I wrote this (May 2017), there weren’t many libraries out there that actually offered it.
For instance, OpenSSL was still debating the TLS 1.3 implementation , which seemed reasonable because back then the TLS 1.3 spec wasn’t final yet . There was draft TLS 1.3 support in the very latest OpenSSL version, but you couldn’t easily find anyone online who actually used it in production.
TLSv1.3 draft-19 support is in master if you “config” with “enable-tls1_3”. Note that draft-19 is not compatible with draft-18 which is still be used by some other libraries. Our draft-18 version is in the tls1.3-draft-18 branch.
That’s all history now. TLS 1.3 was finalised as RFC 8446
in August 2018, and OpenSSL 1.1.1 (September 2018) shipped final, production support for it. So if you’re reading this today: yes, you can enable TLS 1.3 in Nginx, and as long as your Nginx is built against OpenSSL 1.1.1 or newer, you can really use it. Just drop the deprecated TLSv1 and TLSv1.1 from your ssl_protocols line while you’re at it:
ssl_protocols TLSv1.2 TLSv1.3;