{"id":8047,"date":"2018-12-19T15:53:05","date_gmt":"2018-12-19T12:53:05","guid":{"rendered":"https:\/\/www.howtoforge.com\/how-to-enable-tls-13-in-nginx\/"},"modified":"2018-12-19T15:53:05","modified_gmt":"2018-12-19T12:53:05","slug":"%d9%86%d8%ad%d9%88%d9%87-%d9%81%d8%b9%d8%a7%d9%84-%d8%b3%d8%a7%d8%b2%db%8c-tls-1-3-%d8%af%d8%b1-nginx","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/%d9%86%d8%ad%d9%88%d9%87-%d9%81%d8%b9%d8%a7%d9%84-%d8%b3%d8%a7%d8%b2%db%8c-tls-1-3-%d8%af%d8%b1-nginx\/","title":{"rendered":"How to Enable TLS 1.3 in Nginx"},"content":{"rendered":"<article>\n<p dir=\"ltr\" style=\"text-align: left;\">\n<p dir=\"ltr\" style=\"text-align: left;\">Transport Layer Security (TLS) 1.3 is the latest version of the Transport Layer Security (TLS) protocol, published as an IETF standard in\u00a0RFC 8446\u00a0in August 2018.\u00a0The TLS 1.3 protocol provides privacy and performance\u00a0enhancements compared to the previous versions of TLS and non-secure HTTP.<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">Nginx has supported TLS 1.3 since version 1.13.0. Currently, most Linux distributions\u00a0don&#8217;t contain\u00a0the\u00a0required versions of Nginx and OpenSSL in their default software repositories, so you will probably need to\u00a0compile Nginx yourself against OpenSSL 1.1.1+. The only Linux distributions that\u00a0have native support for TLS 1.3\u00a0are Ubuntu 18.10, Fedora 29 and Debian 10 (not yet released as of today). If you need a guide on how to compile Nginx from source, you can follow this <a href=\"https:\/\/www.howtoforge.com\/tutorial\/how-to-build-nginx-from-source-on-ubuntu-1804-lts\/\" target=\"_blank\" rel=\"noopener\">Howtoforge tutorial<\/a>. 
In this tutorial,\u00a0I&#8217;m going to assume that you already have a working TLS configuration, that you have compiled Nginx against\u00a0OpenSSL 1.1.1+ by following my linked tutorial, and that you know how to use Let&#8217;s Encrypt or how to issue a self-signed certificate.<\/p>\n<h2 id=\"requirements\" dir=\"ltr\" style=\"text-align: left;\">Requirements<\/h2>\n<p dir=\"ltr\" style=\"text-align: left;\">To enable TLS 1.3 in Nginx you will need to fulfill the following requirements:<\/p>\n<ul dir=\"ltr\" style=\"text-align: left;\">\n<li>Nginx version\u00a0<code>1.13.0<\/code>\u00a0or greater\u00a0built against OpenSSL 1.1.1 or greater.<\/li>\n<li>A valid TLS certificate or a self-signed one.\u00a0You can get a free one from Let&#8217;s Encrypt.<\/li>\n<\/ul>\n<h2 id=\"enable-tls-innbspnginx\" dir=\"ltr\" style=\"text-align: left;\">Enable TLS 1.3 in\u00a0Nginx<\/h2>\n<p dir=\"ltr\" style=\"text-align: left;\">To enable TLS 1.3 in Nginx, just\u00a0add\u00a0the\u00a0<code>TLSv1.3<\/code>\u00a0parameter to the\u00a0<code>ssl_protocols<\/code>\u00a0directive.<\/p>\n<pre dir=\"ltr\"><code spellcheck=\"false\">ssl_protocols TLSv1.2 TLSv1.3;<\/code><\/pre>\n<p dir=\"ltr\" style=\"text-align: left;\">Then reload your Nginx configuration:<\/p>\n<pre class=\"command\" dir=\"ltr\"><code spellcheck=\"false\">sudo systemctl reload nginx.service<\/code><\/pre>\n<p dir=\"ltr\" style=\"text-align: left;\">That&#8217;s all there is to do when it comes to configuring Nginx. 
Just one simple change and TLS 1.3 should work.<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">A minimal virtual server configuration for TLS 1.3 can look something like this:<\/p>\n<pre dir=\"ltr\"><code spellcheck=\"false\">server {\n\n    listen 443 ssl http2;\n    listen [::]:443 ssl http2;\n\n    server_name example.com;\n    root \/var\/www\/example.com\/public;\n\n    ssl_certificate \/path\/to\/your\/certificate.crt;\n    ssl_certificate_key \/path\/to\/your\/private.key;\n\n    ssl_protocols TLSv1.2 TLSv1.3;\n\n}<\/code><\/pre>\n<p dir=\"ltr\" style=\"text-align: left;\">To\u00a0check if your server supports TLS 1.3, you can use your browser dev tools or SSLLabs server test. 
The screenshots below, from the Google Chrome browser, show TLS 1.3 in action.<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\"><a id=\"img-tls13\" class=\"fancybox\" href=\"https:\/\/www.howtoforge.com\/images\/how_to_enable_tls_13_in_nginx\/big\/tls13.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/12\/how-to-enable-tls-1-3-in-nginx.png\" alt=\"Check TLS version in Browser\" width=\"550\" height=\"210\" title=\"\"><\/a><\/p>\n<p dir=\"ltr\" style=\"text-align: left;\"><a id=\"img-tls13a\" class=\"fancybox\" href=\"https:\/\/www.howtoforge.com\/images\/how_to_enable_tls_13_in_nginx\/big\/tls13a.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/12\/how-to-enable-tls-1-3-in-nginx-1.png\" alt=\"TLS 1.3 enabled in Nginx successfully\" width=\"550\" height=\"237\" title=\"\"><\/a><\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">And that&#8217;s all there is to enabling TLS 1.3 on your Nginx\u00a0server.<\/p>\n<\/article>\n","protected":false},"excerpt":{"rendered":"<p>Transport Layer Security (TLS) 1.3 is the latest version of the Transport Layer Security (TLS) protocol, published as an IETF standard in\u00a0RFC 8446\u00a0in August 2018.\u00a0The TLS 1.3 protocol provides privacy and performance\u00a0enhancements compared to the previous versions of TLS and non-secure HTTP. Nginx has supported TLS 1.3 since version 1.13.0. 
Currently, most Linux [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36],"tags":[],"class_list":["post-8047","post","type-post","status-publish","format-standard","hentry","category-36"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/8047","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=8047"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/8047\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=8047"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=8047"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=8047"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}