Additional menu

How to Enable TLS 1.3 in Nginx, Cloudflare?

How to Enable TLS 1.3 in Nginx, Cloudflare?

A step-by-step guide to enable latest and test TLS version protocol 1.3

Before implementation procedure, let’s take a look at what is TLS 1.3, how it differs from 1.2, history and compatibility.

What is TLS 1.3?

TLS (transport layer security) 1.3 is draft working version and based on existing 1.2 specifications. It’s the latest TLS version protocol and aims to improve performance and security.

To learn more, refer to this post by Filippo.

Let’s take a look at the history of TLS protocol.

TLS protocol can be enabled on Web servers, CDN, Load Balancers.

TLS 1.3 Browser Compatibility

1.3 is not supported in all the browsers yet. Currently, it works only with the latest version of Chrome, Firefox and Samsung Internet.

If you are keen to implement as soon as it supports all the browsers then bookmark this CanIUse page.

Considering its still in draft version, you may want to enable 1.3 along with older version 1.2 and 1.1.

Enable TLS 1.3 in Nginx

TLS 1.3 is supported starting from Nginx 1.13 version. If you are running older version then first you got to upgrade.

I assume you have Nginx 1.13+

  • Login to Nginx server
  • Take a backup of nginx.conf file
  • Modify nginx.conf using vi or your favorite editor

The default configuration under SSL settings should look like this

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  • Add TLSv1.3 at the end of the line, and so it looks like below
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  • Restart the Nginx

It’s easy. Isn’t it?

Cloudflare

One of the first CDN provider’s to implement TLS 1.3 support. Cloudflare enables it by default for all the websites.

However, if you need to disable or check then here is how you can do it.

  • Login to Cloudflare
  • Go to Crypto tab
  • Scroll down a bit, and you will see the TLS 1.3 option

What other Platform Support TLS 1.3?

I am aware of the following CDN.

  • CDN 77 –  Recently, they have announced to support from some of their POP (point of presence).
  • AKAMAI – AKAMAI has turned beta on network-wide.

How to Verify Site is Using TLS 1.3?

Once you’ve implemented through a web server or CDN then next you want to ensure your site is handshaking over TLS 1.3 protocol.

There are multiple ways to test it.

SSL Labs – enter your HTTPS URL and scroll down on the test result page.

You will see what all protocols are enabled.

Google Chrome – if you are enabling on intranet sites then you can test it right from Chrome browser.

  • Launch Chrome and enter below into the address bar
chrome://flags/#tls13-variant
  • Select “Enabled (Draft)

It will prompt to relaunch the browser.

  • Open Developer Tools
  • Go to security tab
  • Access HTTPS URL
  • Left side, select the main origin to see the protocol

And there you go!

Considering TLS 1.3 is still in draft mode, you may implement on your website but don’t forget to keep older version-enabled.

Having TLS 1.0, 1.1, 1.2 enabled will ensure client (browsers) can connect through other protocol versions if they are not compatible with 1.3

I hope this gives you an idea about latest TLS protocol.

Reader Interactions

Chandan Kumar
About Chandan
Chandan Kumar is the founder and editor of Geek Flare. Learn more here and connect with him on Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *