Hi, I want to know how I can enable TLS 1.3 on my server. From which NGINX (and OpenSSL) version is it supported? Also, how do I enable the 0-RTT feature as well?
Thanks in advance.
Right now, the latest mainline version of NGINX does not provide out-of-the-box support for TLSv1.3. CloudFlare has introduced it as a beta feature (if you're using them for DNS), though NGINX itself doesn't fully support it just yet.
That being said, a typical NGINX configuration file that handles requests on both port 80 and 443, where requests on 80 are automatically redirected to 443, will look like this:
```nginx
# Plain-HTTP listener: permanently redirect everything to HTTPS.
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    # TLS listeners on IPv4 and IPv6, with HTTP/2 enabled on both.
    listen 443 ssl http2;
    listen [::]:443 ssl http2 ipv6only=on;
    server_name yourdomain.com www.yourdomain.com;
    root /path/to/web/root;

    # Browser-side hardening headers.
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # Certificate chain and private key.
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    # Shared session cache across workers, 5-minute session lifetime.
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;

    # DH parameters used by the DHE-* suites below (see "Generating dhparam.pem").
    ssl_dhparam /path/to/dhparam.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    location / {
        ...
        ...
    }
}
```
Breakdown
You need to change:
- `server_name` on both blocks to match your actual domain.
- `root` to the full path to your web root.
- `ssl_certificate` to the full path of your SSL certificate.
- `ssl_certificate_key` to the full path of your SSL certificate's private key.
- `ssl_dhparam` to the full path of your dhparam.pem file.
- the `location` block to match your site-specific needs.
Generating dhparam.pem
To generate the dhparam.pem file, you'll need to log in to the CLI and run the following command. It can take a while on low-resource systems (e.g. 512MB Droplets), and to make sure it fully generates, do not close your connection until you return to the prompt.
The minimum is 2048 bits:
```sh
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
```
… though I personally recommend 4096:
```sh
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
```
Generating this file will generally take anywhere from 10 to 30 minutes, so please be patient.
After you've made the changes to your server block as noted above (correcting the paths), simply restart NGINX and test things out.
Keep In Mind
The above configuration may not be valid on all releases of NGINX (especially the HTTP/2 support). I'm using the latest mainline built from source, which supports HTTP/2.
If you run into issues (e.g. errors) stating that the configuration is invalid, remove the references to `http2` in the first two `listen` lines of the second server block.
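Added example (not part of the question or the answer above): the two things the question actually asks for, TLSv1.3 and 0-RTT, are both nginx directives once the build is new enough. `TLSv1.3` in `ssl_protocols` needs nginx 1.13.0 or later linked against OpenSSL 1.1.1 or later, and `ssl_early_data` plus the `$ssl_early_data` variable need nginx 1.15.3 or later. Everything else is an assumption made for illustration: `example.com`, the certificate paths, and the backend at `127.0.0.1:8080` are placeholders.

```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;   # placeholder

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;    # placeholder path

    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
    # TLSv1 and TLSv1.1 are deliberately dropped.
    ssl_protocols TLSv1.2 TLSv1.3;

    # ssl_ciphers only governs TLSv1.2; TLSv1.3 suites are fixed by the
    # library. With AEAD-only, forward-secret suites there is no need to
    # force the server's preference order.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # ssl_dhparam only matters for TLSv1.2 DHE-* suites; the list above
    # contains none, so the dhparam.pem file is not needed here.

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # 0-RTT (nginx 1.15.3+). Early data can be replayed by an attacker who
    # captured it, so the backend must refuse to act on non-idempotent
    # requests that arrive this way.
    ssl_early_data on;

    # $ssl_early_data is "1" while a request is being read as early data
    # and empty otherwise. Forward it so the backend can answer
    # 425 Too Early (RFC 8470) for anything with side effects.
    proxy_set_header Early-Data $ssl_early_data;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder backend
    }
}
```

Check `nginx -V` first: it prints the OpenSSL version nginx was built with, and if that is older than 1.1.1 the `TLSv1.3` parameter is silently unavailable. After `nginx -t` and a reload, `openssl s_client -connect example.com:443 -tls1_3` (OpenSSL 1.1.1+) should report `Protocol  : TLSv1.3`. To exercise 0-RTT, save a session with `-sess_out sess.pem` on a first connection, then reconnect with `-sess_in sess.pem -early_data request.txt` and confirm the backend sees the `Early-Data: 1` header and rejects any POST in that request.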