A step-by-step guide to enabling and testing the latest TLS protocol version, 1.3

    Before the implementation steps, let’s look at what TLS 1.3 is, how it differs from 1.2, its history, and client compatibility.

    What is TLS 1.3?

    TLS (Transport Layer Security) 1.3, published as RFC 8446 in August 2018, is the successor to TLS 1.2. It is a substantial redesign rather than a patch release: the handshake completes in one round trip (with an optional 0-RTT mode for resumed sessions, whose early data is replayable and should only carry idempotent requests), more of the handshake is encrypted, and legacy mechanisms such as RSA key transport, static Diffie-Hellman, CBC-mode and RC4 cipher suites, compression and renegotiation are removed. Every TLS 1.3 connection therefore has forward secrecy and uses only AEAD ciphers, which makes it both faster and easier to configure safely than 1.2.

    For a deeper introduction, refer to Filippo Valsorda’s overview of TLS 1.3.

    A short history of the protocol: SSL 3.0 (1996) was followed by TLS 1.0 (1999, RFC 2246), TLS 1.1 (2006, RFC 4346), TLS 1.2 (2008, RFC 5246) and TLS 1.3 (2018, RFC 8446). TLS 1.0 and 1.1 were formally deprecated by RFC 8996 in 2021.

    The TLS versions you offer are configured on whatever terminates TLS for your site: web servers, CDNs, load balancers, and network edge devices.

    TLS 1.3 Browser Compatibility

    TLS 1.3 is not supported by every client. It is on by default from Chrome 70, Firefox 63, Safari 12.1 (macOS 10.14.4 / iOS 12.2) and Edge 79 onwards; older browsers, embedded clients and some corporate proxies still stop at TLS 1.2. Bookmark the CanIUse page for current figures. Because of those clients, enable TLS 1.3 alongside 1.2 rather than instead of it; do not keep 1.0 or 1.1 for this purpose, as they are deprecated and no current browser needs them.

    Check out how to enable it in the browser.

    Here are the TLS analytics for Geekflare. As you can see, more than 70% of requests are over TLS 1.3.

    Enable TLS 1.3 in Nginx

    Nginx accepts TLSv1.3 in ssl_protocols from version 1.13.0, but the protocol itself comes from the TLS library Nginx is linked against, so you also need OpenSSL 1.1.1 or newer. nginx -V prints both the Nginx version and the OpenSSL it was built with; if either is too old, upgrade first.

    The steps below assume Nginx 1.13+ built against OpenSSL 1.1.1+.

    • Log in to the Nginx server
    • Take a backup of nginx.conf (and of any site files under conf.d/ or sites-enabled/ that carry their own ssl_protocols: a server-level directive overrides the http-level one)
    • Open nginx.conf in vi or your favorite editor

    The default SSL settings usually contain a line like this

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    • Add TLSv1.3 at the end of the line so it reads

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    Note: the configuration above still accepts TLS 1.0 and 1.1, which are deprecated (RFC 8996) and disabled in all current browsers. Unless you must serve very old clients, allow only the versions still considered secure, TLS 1.2 and 1.3:

    ssl_protocols TLSv1.2 TLSv1.3;
    • Check the syntax with nginx -t, then restart (or reload) Nginx
    service nginx restart

    It’s easy. Isn’t it?

    Enable TLS 1.3 in Apache

    Apache HTTP Server supports TLS 1.3 from 2.4.38, again provided mod_ssl is built against OpenSSL 1.1.1 or newer (httpd -V shows the server version, and mod_ssl records the OpenSSL version it loaded in the error log at startup). If you are still on an older release, upgrade first.

    The configuration is easy and similar to how you enable TLS 1.2 or 1.1 protocol.

    Let’s take a look…

    • Log in to the Apache HTTP server and take a backup of ssl.conf, or of whichever file holds your SSL configuration (for example the VirtualHost for port 443)
    • Locate the SSLProtocol line and add +TLSv1.3 at the end of it

    Ex: the following allows TLS 1.2 and TLS 1.3 and nothing else

    SSLProtocol -all +TLSv1.2 +TLSv1.3

    mod_ssl evaluates the tokens left to right: -all first clears every version, and only the versions explicitly added with + survive, so the line above is equivalent to SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1. Check every VirtualHost that has its own SSLProtocol line.

    • Save the file, check the syntax with apachectl configtest, and restart Apache HTTP
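    Before restarting either server it is worth checking what the directive actually allows, especially in Apache, where SSLProtocol is evaluated token by token. The following Python script is an added example, not code from the original post or from the Nginx or Apache projects. It parses ssl_protocols and SSLProtocol lines from constructed sample configs embedded in the script (not real deployment files) and reports whether each directive matches the TLS 1.2 and 1.3-only policy described in the Nginx and Apache steps above. Apache’s "all" expansion and the +/- evaluation order are modelled as documented for mod_ssl; the sample configs and the function names are this example’s own.

```python
import re

# Names as mod_ssl spells them; Apache's "all" keyword expands to exactly these.
# SSLv2 is absent because current OpenSSL/mod_ssl builds cannot enable it.
APACHE_ALL = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Versions that should be off: SSLv3 is broken, TLS 1.0/1.1 are deprecated by RFC 8996.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# nginx: "ssl_protocols v1 v2 ...;"   Apache: "SSLProtocol tokens..." to end of line.
NGINX_RE = re.compile(r"^\s*ssl_protocols\s+([^;#]+);", re.MULTILINE)
APACHE_RE = re.compile(r"^[ \t]*SSLProtocol[ \t]+([^\n#]+)", re.MULTILINE | re.IGNORECASE)


def nginx_protocols(conf: str) -> list:
    """Enabled-protocol set for every ssl_protocols directive, in file order.

    nginx's list is purely additive: every token names a version to allow.
    A server-level directive overrides the http-level one, so each occurrence
    is reported separately.
    """
    return [set(m.group(1).split()) for m in NGINX_RE.finditer(conf)]


def apache_protocols(conf: str) -> list:
    """Enabled-protocol set for every SSLProtocol directive, in file order.

    mod_ssl evaluates tokens left to right: a bare name or "+name" enables it,
    "-name" disables it, and "all" stands for every name in APACHE_ALL. Hence
    "-all +TLSv1.2 +TLSv1.3" and "all -SSLv3 -TLSv1 -TLSv1.1" mean the same thing.
    """
    results = []
    for m in APACHE_RE.finditer(conf):
        enabled = set()
        for token in m.group(1).split():
            op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
            names = APACHE_ALL if name.lower() == "all" else [name]
            if op == "+":
                enabled.update(names)
            else:
                enabled.difference_update(names)
        results.append(enabled)
    return results


def assess(enabled: set) -> dict:
    """Judge one directive's protocol set against a TLS 1.2 + 1.3-only policy."""
    deprecated = sorted(enabled & DEPRECATED)
    tls13 = "TLSv1.3" in enabled
    tls12 = "TLSv1.2" in enabled
    return {
        "enabled": sorted(enabled),
        "deprecated": deprecated,   # what must be removed
        "tls13": tls13,             # is the new version actually on?
        "tls12": tls12,             # fallback for clients without 1.3
        "ok": tls13 and tls12 and not deprecated,
    }


def audit(conf: str, flavour: str) -> list:
    """Assess every protocol directive in an nginx or Apache config string."""
    parse = nginx_protocols if flavour == "nginx" else apache_protocols
    return [assess(s) for s in parse(conf)]


# Constructed sample snippets for this example, not real deployment files.
NGINX_SAMPLE = """
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;   # inherited by every server block
    server {
        listen 443 ssl;
        ssl_protocols TLSv1.2 TLSv1.3;              # overrides the http-level value
    }
}
"""

APACHE_SAMPLE = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLProtocol all -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for flavour, sample in (("nginx", NGINX_SAMPLE), ("apache", APACHE_SAMPLE)):
        for i, report in enumerate(audit(sample, flavour), 1):
            print(f"{flavour} directive #{i}: {'OK' if report['ok'] else 'FIX'} "
                  f"enabled={report['enabled']} deprecated={report['deprecated']}")
```

    Point audit() at the real file contents (for example open("/etc/nginx/nginx.conf").read()) and it will flag the http-level line that still lists TLSv1 and TLSv1.1 even when a server block below it is clean, which is exactly the case that is easy to miss by eye.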

    Cloudflare

    Cloudflare was one of the first CDN providers to implement TLS 1.3, and it is enabled by default for every site on its network.

    However, if you need to check or disable it, here is how.

    • Login to Cloudflare
    • Go to SSL/TLS tab >> Edge certificates
    • Scroll down a bit, and you will see the TLS 1.3 option

    What Other Platforms Support TLS 1.3?

    I am aware of the following CDNs.

    • CDN77 – recently announced TLS 1.3 support from some of their PoPs (points of presence).
    • Akamai – has turned on a TLS 1.3 beta network-wide.

    How to Verify Site is Using TLS 1.3?

    Once you have enabled it on the web server or CDN, the next step is to confirm that your site actually negotiates TLS 1.3, and that the versions you disabled are really refused.

    There are multiple ways to test it.

    Geekflare TLS Test – quickly find out which TLS versions the site supports.

    SSL Labs – enter your HTTPS URL and scroll down on the result page to the Protocols section.

    It lists every protocol version that is enabled, so you can see at a glance whether TLS 1.0 or 1.1 is still on.

    Google Chrome – for intranet sites that the public scanners cannot reach, you can test directly from the browser.

    • Launch Chrome
    • Open Developer Tools
    • Go to the Security tab
    • Load the HTTPS URL
    • On the left, select the main origin to see the negotiated protocol version

    And there you go!
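    For an automated check from a machine you control, here is an added Python example (not code from the original post or from any of the tools named above) that uses the standard ssl module to try one pinned protocol version at a time against a host and compares the outcome with the TLS 1.2 and 1.3-only policy from the Nginx and Apache sections. The host name is a placeholder supplied on the command line, and the function names are this example’s own.

```python
import socket
import ssl
from typing import Optional

# One probe per version; each context is pinned so the handshake can succeed
# only if the server is willing to speak exactly that version.
PROBE_VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)


def build_context(version: ssl.TLSVersion) -> Optional[ssl.SSLContext]:
    """Client context that negotiates `version` and nothing else.

    Returns None when the local OpenSSL cannot speak that version at all
    (for example a build without TLS 1.0/1.1), which probe() reports as untested.
    """
    ctx = ssl.create_default_context()   # still verifies the chain and hostname
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # OpenSSL 1.1.1+ refuses TLS 1.0/1.1 at its default security level;
            # lower it for these legacy probes only, so a permissive server is noticed.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Map each version name to True (negotiated), False (refused) or None (untested)."""
    results = {}
    for version in PROBE_VERSIONS:
        ctx = build_context(version)
        if ctx is None:
            results[version.name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    # The context is pinned, so a completed handshake means
                    # the server accepted exactly this version.
                    results[version.name] = True
        except (ssl.SSLError, OSError):
            results[version.name] = False
    return results


def assess(results: dict) -> dict:
    """Compare observed behaviour with the TLS 1.2 + 1.3-only policy."""
    findings = []
    if results.get("TLSv1_3") is not True:
        findings.append("TLS 1.3 was not negotiated: check the server/OpenSSL version "
                        "and the ssl_protocols / SSLProtocol directive")
    if results.get("TLSv1_2") is not True:
        findings.append("TLS 1.2 was not negotiated: clients without 1.3 have no fallback")
    for legacy in ("TLSv1", "TLSv1_1"):
        if results.get(legacy) is True:
            findings.append(f"{legacy} is still accepted: deprecated by RFC 8996, disable it")
        elif results.get(legacy) is None:
            findings.append(f"{legacy} could not be tested by the local OpenSSL build")
    ok = (results.get("TLSv1_3") is True
          and results.get("TLSv1_2") is True
          and not any(results.get(v) is True for v in ("TLSv1", "TLSv1_1")))
    return {"ok": ok, "findings": findings}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    observed = probe(target)
    for name, state in observed.items():
        label = "negotiated" if state else ("refused" if state is False else "untested")
        print(f"{name:8s} {label}")
    verdict = assess(observed)
    print("OK" if verdict["ok"] else "\n".join(verdict["findings"]))
```

    Run it as python3 probe_tls.py yourdomain.example. The equivalent manual check with OpenSSL 1.1.1+ is openssl s_client -connect yourdomain.example:443 -tls1_3, whose SSL-Session block reports Protocol : TLSv1.3 on success; repeat with -tls1_1 and -tls1 to confirm the old versions are refused rather than merely unadvertised.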

    TLS 1.3 is still new enough that some clients lack it, so keep TLS 1.2 enabled alongside 1.3 as the fallback; every browser or library that cannot do 1.3 can do 1.2. Do not keep TLS 1.0 and 1.1 on for this purpose: they were deprecated by RFC 8996, the major browsers removed them in 2020, and leaving them enabled only keeps old CBC-era cipher suites reachable without serving any modern client.

    I hope this gives you an idea about implementing the latest TLS protocol to offer better website security.