Enable TLS 1.3 on nginx

Hi, I want to know how I can enable TLS 1.3 on my server. From which nginx (OpenSSL) version is it supported? Also, how do I enable the 0-RTT feature as well?

thanks in advance.


Right now, the latest mainline version of NGINX does not provide out-of-the-box support for TLSv1.3. CloudFlare has introduced it as a beta feature (if you’re using them for DNS), though NGINX support isn’t fully supported just yet.

That being said, a typical NGINX configuration file that handles requests on both port 80 and 443, in that requests on 80 are automatically redirected to 443, will look like this:

server {
    # plain-HTTP listener: every request is redirected to HTTPS
    listen                          80;
    server_name                     example.com;   # replace with your domain

    return 301 https://$host$request_uri;
}

server {
    # HTTPS listener (IPv4 and IPv6) with HTTP/2
    listen                          443 ssl http2;
    listen                          [::]:443 ssl http2 ipv6only=on;
    server_name                     example.com;   # replace with your domain

    root                            /path/to/web/root;

    add_header                      X-Frame-Options SAMEORIGIN;
    add_header                      X-Content-Type-Options nosniff;
    add_header                      X-XSS-Protection "1; mode=block";

    ssl_certificate                 /path/to/fullchain.pem;
    ssl_certificate_key             /path/to/privkey.pem;
    ssl_session_cache               shared:SSL:50m;
    ssl_session_timeout             5m;
    ssl_dhparam                     /path/to/dhparam.pem;

    ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers       on;

    location / {
        # site-specific directives go here
    }
}

You need to change:

server_name on both blocks to match your actual domain.

root to the full path to your web root.

ssl_certificate to the full path of your SSL Certificate.

ssl_certificate_key to the full path of your SSL Certificate Private Key.

ssl_dhparam to the full path of your dhparam.pem file.

location block to match your site-specific needs.

Generating dhparam.pem

To generate the dhparam.pem file, you’ll need to log in to the CLI and run the following command. It can take a while on low-resource systems (e.g. 512MB Droplets), and to make sure it fully generates, do not close your connection until you return to the prompt.

The minimum is 2048 bits:

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

… though I personally recommend 4096

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

This file will take anywhere from 10 minutes up to 30 minutes (generally), so please be patient.

After the changes to your server block have been made, as noted above (correcting paths), simply restart NGINX and test things out.

Keep In Mind

The above configuration may not be valid on all releases of NGINX (especially HTTP2 support). I’m using the latest mainline built from source, which supports HTTP2.

If you run into issues (i.e. errors) stating that the configuration is invalid, remove the references to HTTP2 in the first two lines of the second server block.
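As an added example that is not part of the answer above: on builds where NGINX does support it (the TLSv1.3 value of ssl_protocols needs nginx 1.13.0 or later compiled against OpenSSL 1.1.1 or later; ssl_early_data needs nginx 1.15.4 or later), this is the HTTPS server block with TLS 1.3 and 0-RTT enabled, plus a map that rejects non-idempotent requests sent as early data, since 0-RTT data can be replayed by anyone on the network path. The domain, paths and upstream address are placeholders.

```nginx
# 0-RTT early data is replayable, so only idempotent methods may be
# served from it; anything else gets 425 Too Early (RFC 8470) and the
# client retries after the handshake completes.
# $ssl_early_data is "1" while a request is still in early data, else "".
map "$ssl_early_data:$request_method" $reject_early_data {
    default                          0;
    "~^1:(POST|PUT|PATCH|DELETE)"    1;
}

server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             example.com;          # placeholder domain

    ssl_certificate         /path/to/fullchain.pem;
    ssl_certificate_key     /path/to/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    ssl_protocols           TLSv1.2 TLSv1.3;

    # Enable TLS 1.3 0-RTT. Without the map above, replayed early-data
    # requests would reach the application unchanged.
    ssl_early_data          on;

    location / {
        if ($reject_early_data) {
            return 425;
        }
        # Pass the RFC 8470 Early-Data header so the upstream can apply
        # its own replay handling for requests it considers sensitive.
        proxy_set_header    Early-Data $ssl_early_data;
        proxy_pass          http://127.0.0.1:8080;   # placeholder upstream
    }
}
```

Verify the result with `nginx -t` before reloading; an older nginx or OpenSSL rejects TLSv1.3 or ssl_early_data as an unknown parameter or directive, which is the same class of error the answer describes for HTTP2.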

Hello! Any update?

Any update?