How to enable TLS 1.3 on Nginx

Mattias Geniar, Tuesday, May 2, 2017 - last modified: Monday, May 1, 2017

Since Nginx 1.13.0, support has been added for TLSv1.3, the latest version of the TLS protocol. Depending on when you read this post, chances are you're running an older version of Nginx, which doesn't yet support TLS 1.3. In that case, consider running Nginx in a container to get the latest version, or compile Nginx from source.

Enable TLSv1.3 in Nginx

I'm going to assume you already have a working TLS configuration. It'll include directives like these:

ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                 ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers   on;
ssl_ecdh_curve              secp384r1;

And quite a few more parameters.

To enable TLS 1.3, add TLSv1.3 to the ssl_protocols list.

ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

And reload your Nginx configuration.

Test if your Nginx version supports TLS 1.3

Add the config as shown above and test the configuration with nginx -t (this only parses the config, it doesn't start the server):

$ nginx -t
nginx: [emerg] invalid value "TLSv1.3" in /etc/nginx/conf.d/
nginx: configuration file /etc/nginx/nginx.conf test failed

If you see the message above, your Nginx version doesn't support TLS 1.3 (the TLSv1.3 keyword was only added in 1.13.0). A working config will tell you this:

$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If you don't see any errors, your Nginx version accepts the TLSv1.3 directive. Note that this only checks the Nginx side: whether a TLS 1.3 handshake can actually be negotiated depends on the TLS library Nginx is built against, which is covered next.

Further requirements

Now that you've told Nginx to use TLS 1.3, it will use TLS 1.3 where available, however ... there aren't many libraries out there that offer TLS 1.3.

For instance, OpenSSL is still debating its TLS 1.3 implementation, which seems reasonable: to the best of my knowledge, the TLS 1.3 spec isn't final yet. The very latest OpenSSL development version does include (draft) TLS 1.3 support, but nobody appears to be actually running it.

TLSv1.3 draft-19 support is in master if you "config" with "enable-tls1_3". Note that draft-19 is not compatible with draft-18 which is still being used by some other libraries. Our draft-18 version is in the tls1.3-draft-18 branch.
Source: TLS 1.3 support in OpenSSL

In short; yes, you can enable TLS 1.3 in Nginx, but I haven't found an OS & library that will allow me to actually use TLS 1.3.
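The two checks above (does nginx -t accept the keyword, and does the linked library actually implement TLS 1.3) can be scripted. The following POSIX shell script is an added example, not code from the original post: it parses nginx -V output, requires nginx >= 1.13.0 for the directive and OpenSSL >= 1.1.1 (the first release implementing the final protocol, as opposed to the drafts quoted above) for a usable handshake, and includes an openssl s_client probe for a live server. The function names, the version thresholds and the nginx -V excerpts are mine; the excerpts are constructed, not captured from real hosts, and builds against libraries other than OpenSSL are not assessed.

```shell
#!/bin/sh
# Added example, not code from the original post. Two checks the post leaves
# manual: (1) read `nginx -V` to see whether the binary *and* the OpenSSL it
# links can negotiate TLS 1.3 at all; (2) probe a live server for it.
#
# Thresholds used (assumptions of this script): the TLSv1.3 keyword needs
# nginx >= 1.13.0; a real, interoperable TLS 1.3 handshake needs OpenSSL
# >= 1.1.1, the first release implementing the final protocol. OpenSSL
# pre-releases (1.1.1-pre*) implemented drafts that clients no longer speak.
# Builds against other libraries (LibreSSL, BoringSSL) are not assessed.

# version_ge A B: succeed if dotted version A >= B. Compares up to three
# numeric components; a trailing OpenSSL patch letter ("1.1.1a") is dropped
# by awk's string-to-number coercion.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# nginx_tls13_ready "<nginx -V output>": print a one-line verdict and return 0
# only when both nginx and its OpenSSL are new enough for TLS 1.3.
nginx_tls13_ready() {
    v=$1
    ngx=$(printf '%s\n' "$v" | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p')
    # A dynamically linked nginx that was upgraded underneath reports
    # "built with OpenSSL X (running with OpenSSL Y)"; Y does the handshakes.
    lib=$(printf '%s\n' "$v" | sed -n 's#.*running with OpenSSL \([0-9][0-9A-Za-z.-]*\).*#\1#p')
    [ -n "$lib" ] || lib=$(printf '%s\n' "$v" | sed -n 's#^built with OpenSSL \([0-9][0-9A-Za-z.-]*\).*#\1#p')

    if [ -z "$ngx" ]; then
        echo "no 'nginx version:' line found in input"; return 1
    fi
    if [ -z "$lib" ]; then
        echo "nginx/$ngx: TLS library is not OpenSSL or not reported, not assessed"; return 1
    fi
    if ! version_ge "$ngx" 1.13.0; then
        echo "nginx/$ngx: too old, the TLSv1.3 keyword needs nginx >= 1.13.0"; return 1
    fi
    case $lib in
        *-pre*|*-dev*)
            echo "nginx/$ngx with OpenSSL $lib: draft-only TLS 1.3, not interoperable"; return 1 ;;
    esac
    if ! version_ge "$lib" 1.1.1; then
        echo "nginx/$ngx with OpenSSL $lib: no TLS 1.3 in this library, need OpenSSL >= 1.1.1"; return 1
    fi
    echo "nginx/$ngx with OpenSSL $lib: TLS 1.3 ready"
}

# probe_tls13 HOST [PORT]: offer only TLS 1.3 and succeed if the server agrees.
# Needs an OpenSSL 1.1.1+ client (older s_client has no -tls1_3 option).
# Not run by the self-check below because it needs a reachable server.
probe_tls13() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -tls1_3 </dev/null 2>/dev/null \
        | grep -q 'Protocol *: TLSv1\.3'
}

# Constructed `nginx -V` excerpts (not captured from real hosts) for a self-check.
SAMPLE_OLD='nginx version: nginx/1.12.2
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled'
SAMPLE_DRAFT='nginx version: nginx/1.14.0
built with OpenSSL 1.1.1-pre8 (beta) 20 Jun 2018
TLS SNI support enabled'
SAMPLE_MODERN='nginx version: nginx/1.14.0
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled'

# Self-check; on a real host run:  nginx_tls13_ready "$(nginx -V 2>&1)"
for s in "$SAMPLE_OLD" "$SAMPLE_DRAFT" "$SAMPLE_MODERN"; do
    nginx_tls13_ready "$s" || true
done
```

Note that nginx -V prints to stderr, hence the 2>&1 in the usage comment. The probe deliberately offers only TLS 1.3, so a server that silently falls back to TLS 1.2 fails the check instead of looking fine.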

Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.



Atul Host Sunday, November 12, 2017 at 19:39 - Reply

It won’t be accessible to us unless it is out for full use. TLS 1.3 seems to be supported by developer browsers like Chrome Canary, but again we have to manually enable it in the flags settings to test it. Anyway, thanks for highlighting this news.

Julian Sunday, March 18, 2018 at 14:44 - Reply

Since Chrome 65 hit the web, it’s a great time to update this post!

(Came from google searching how to enable it)

brightnow Thursday, May 3, 2018 at 00:51 - Reply

The hardened Nginx configuration given @

says TLSv1.3 requires nginx >= 1.13.0

proprepandfulfillment Sunday, May 6, 2018 at 09:10 - Reply

I have some issues enabling TLS 1.3 on Nginx. It says error. How can I solve this?
It shows a red alert sign with the word error. I don’t know how to solve this, or what exactly the problem is.
If you have any suggestions or a solution, please help me with this…

AIO Boot Friday, May 25, 2018 at 01:47 - Reply

Nginx now supports TLS 1.3 with the latest OpenSSL release from GitHub, which supports draft 28.

Sam Wednesday, August 8, 2018 at 01:39 - Reply

Not sure if anyone is still following this post, but it is possible to run TLS 1.3 and HTTP/2 with nginx and openssl now.

1. Download, make, and install the openssl (1.1.1) from source:

- sudo su -
- wget
- tar -xzf openssl-1.1.1-pre8.tar.gz
- cd openssl-1.1.1-pre8
- ./config
- make
- make install
- ln -s /usr/local/bin/openssl /usr/bin/openssl

2. Download, make, and install the nginx (1.14.0) sources:

- sudo su -
- Install pcre development (yum -y install pcre-devel)
- Install zlib development (yum -y install zlib-devel)
- wget
- tar -xzf nginx-1.14.0.tar.gz
- cd nginx-1.14.0
- ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --pid-path=/run/ --with-http_ssl_module --with-http_v2_module
- make
- make install

3. Modify /etc/nginx/conf/nginx.conf:

http {
    server {
        listen    80;
        listen    [::]:80;
        return    301 https://$host$request_uri;
    }

    server {
        listen    443 ssl http2;
        listen    [::]:443 ssl http2;

        ssl_certificate        /etc/ssl/certs/bundle.crt;
        ssl_certificate_key    /etc/ssl/certs/key.pem;
        ssl_dhparam            /etc/ssl/certs/dhparam.pem;
        ssl_protocols          TLSv1.3;
        # ssl_ciphers only governs TLS 1.2 and older; the TLS 1.3 cipher suites
        # are fixed by OpenSSL and cannot be selected with this directive
        ssl_ciphers            ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
    }
}

4. Verify openssl and nginx

- openssl version
- nginx -V

5. Start nginx server

- service nginx start
