A step-by-step guide to enable the latest and test TLS version protocol 1.3
Before the implementation procedure, let’s take a look at what is TLS 1.3, how it differs from 1.2, history, and compatibility.
What is TLS 1.3?
TLS (transport layer security) 1.3 is based on the existing 1.2 specifications. It’s the latest TLS version protocol and aims to improve performance and security.
To learn more, refer to this post by Filippo.
Let’s take a look at the history of the TLS protocol.
TLS protocol can be enabled on Web Servers, CDN, Load Balancers, and network edge devices.
TLS 1.3 Browser Compatibility
1.3 is not supported in all the browsers yet. Currently, it works only with the latest version of Chrome, Firefox, Opera, and iOS Safari. If you are keen to implement as soon as it supports all the browsers, then bookmark this CanIUse page. Considering it is still at an early stage, you may want to enable 1.3 along with older version 1.2 and 1.1.
Check out how to enable it in the browser.
Here is TLS analytics for Geekflare. As you can see, more than 70% of requests over TLS 1.3.
Enable TLS 1.3 in Nginx
TLS 1.3 is supported starting from Nginx 1.13 version. If you are running the older version, then first, you got to upgrade.
I assume you have Nginx 1.13+
- Login to Nginx server
- Take a backup of
nginx.conf
file - Modify
nginx.conf
usingvi
or your favorite editor
The default configuration under SSL settings should look like this
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- Add
TLSv1.3
at the end of the line, and so it looks like below
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
Note: above configuration will allow TLS 1/1.1/1.2/1.3. If you want to enable the secure one TLS 1.2/1.3, then your configuration should look like this.
ssl_protocols TLSv1.2 TLSv1.3;
- Restart the Nginx
service nginx restart
It’s easy. Isn’t it?
Enable TLS 1.3 in Apache
Starting from Apache HTTP 2.4.38, you can take advantage of TLS 1.3. If you are still using the older version, then you got to think of upgrading that first.
The configuration is easy and similar to how you enable TLS 1.2 or 1.1 protocol.
Let’s take a look…
- Login to Apache HTTP server and take a backup or
ssl.conf
file or where you have SSL configuration - Locate
SSLProtocol
line and add+TLSv1.3
at the end of the line
Ex: the following would allow TLS 1.2 and TLS 1.3
SSLProtocol -all +TLSv1.2 +TLSv1.3
- Save the file and restart Apache HTTP
Cloudflare
One of the first CDN providers to implement TLS 1.3 support. Cloudflare enables it by default for all the websites.
However, if you need to disable or check, then here is how you can do it.
- Login to Cloudflare
- Go to SSL/TLS tab >> Edge certificates
- Scroll down a bit, and you will see the TLS 1.3 option
What other Platform Support TLS 1.3?
I am aware of the following CDN.
- CDN 77 – Recently, they have announced to support from some of their POP (point of presence).
- AKAMAI – AKAMAI has turned beta on network-wide.
How to Verify Site is Using TLS 1.3?
Once you’ve implemented through a web server or CDN, then next, you want to ensure your site is handshaking over TLS 1.3 protocol.
There are multiple ways to test it.
Geekflare TLS Test – quickly find out the supported TLS version.
SSL Labs – enter your HTTPS URL and scroll down on the test result page.
You will see what all protocols are enabled.
Google Chrome – if you are enabling on intranet sites, then you can test it right from the Chrome browser.
- Launch Chrome
- Open Developer Tools
- Go to the Security tab
- Access HTTPS URL
- Left side, select the main origin to see the protocol
And there you go!
Considering TLS 1.3 is still new, you may implement it on your website but don’t forget to keep the older version-enabled. Having TLS 1.1, 1.2 enabled will ensure the client (browsers) can connect through other protocol versions if they are not compatible with 1.3
I hope this gives you an idea about implementing the latest TLS protocol to offer better website security.