Question

Enable TLSv1.3 in nginx (laravel forge)

How do I enable TLSv1.3 in nginx (server is setup using laravel forge)

In /etc/nginx/nginx.conf I have ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; and nginx is restarted

And in the vhost of the website itself I changed ssl_protocols TLSv1.2; to ssl_protocols TLSv1.2 TLSv1.3;

I requested a new LetsEncrypt certificate.

After testing it still not enabled and still uses TLSv1.2 curl -I -v --tlsv1.3 --tls-max 1.3 https://website

What am I missing, I think I looked at each article on the internet.

nginx version: nginx/1.17.3 openssl version: OpenSSL 1.1.1 11 Sep 2018 (Library: OpenSSL 1.1.1d 10 Sep 2019)

Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

KFSys
Site Moderator
Site Moderator badge
April 26, 2023

Hello,

You have the correct ssl_protocols setting in your configuration file, but you also need to make sure that you are using an OpenSSL version that supports TLSv1.3.

You mentioned that you are using OpenSSL 1.1.1d, which does support TLSv1.3. However, you also need to make sure that your Nginx is compiled with this version of OpenSSL.

  1. Check the Nginx version and compilation options by running:
  1. nginx -V
  1. Look for the --with-openssl flag in the output. If it’s not there or pointing to an older version of OpenSSL, you will need to recompile Nginx with the correct OpenSSL version.
  2. If you need to recompile Nginx, first install the required dependencies:
  1. sudo apt-get update

  2. sudo apt-get install build-essential libpcre3 libpcre3-dev zlib1g zlib1g-dev libssl-dev
  1. Download the latest version of Nginx and OpenSSL:
  1. wget https://nginx.org/download/nginx-1.17.3.tar.gz

  2. wget https://www.openssl.org/source/openssl-1.1.1d.tar.gz
  1. Extract both packages:
  1. tar -xzf nginx-1.17.3.tar.gz

  2. tar -xzf openssl-1.1.1d.tar.gz
  1. Navigate to the Nginx directory and compile Nginx with the correct OpenSSL version:
  1. cd nginx-1.17.3 ./configure --with-openssl=../openssl-1.1.1d --with-http_ssl_module make sudo make install
  1. Update your Nginx configuration files, as you mentioned in your question, to include TLSv1.3:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  1. Test the Nginx configuration and restart the Nginx service:
  1. sudo nginx -t

  2. sudo systemctl restart nginx
  1. Test TSL version
  1. curl -I -v --tlsv1.3 --tls-max 1.3 https://yourwebsite.com

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up