I have Ubuntu 18.04, Nginx version 1.17.6, OpenSSL version 1.1.1. I believe those satisfy the requirements for TLS 1.3.

In my /etc/nginx/nginx.conf file I added TLSv1.3 like so:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; 

I have not changed anything in */etc/nginx/sites-available/website.com*.

When I test my site in SSL Labs and elsewhere, TLSv1.3 is not working.

I checked nginx -V, and the --with-openSSL argument is not listed. Not sure if I have to rebuild my nginx with that flag.

Any pointers would be appreciated.

1 answer

Hello, @geochanto

May I ask if you've also updated the SSL ciphers? You should be able to enable TLS 1.3 using the following steps:

Open your Nginx server block file in the /etc/nginx/conf.d/ directory or the /etc/nginx/sites-enabled/ directory. Find the following line.

ssl_protocols  TLSv1.2;

Add TLSv1.3 to the list of protocols.

ssl_protocols TLSv1.2 TLSv1.3;

Then add the following 3 cipher suites to your existing cipher suites.

TLS-CHACHA20-POLY1305-SHA256
TLS-AES-256-GCM-SHA384
TLS-AES-128-GCM-SHA256

like so:

ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

Save and close the file. Then test Nginx configuration and reload.

sudo nginx -t
sudo systemctl reload nginx

Hope this helps!

Regards,
Alex
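
A way to narrow down where TLS 1.3 is being lost, as an added example that is not part of the original question or answer: it reads the OpenSSL version from the `built with OpenSSL` line of `nginx -V`, lists `ssl_protocols` directives in the full configuration that omit TLSv1.3, and reads the negotiated protocol from `openssl s_client` output. The function names and sample outputs are constructed, and the script assumes the OpenSSL that nginx was built against must be 1.1.1 or newer.

```shell
#!/bin/sh
# Added diagnostic example; function names and sample text are constructed.

# OpenSSL version nginx was built with, from `nginx -V 2>&1` on stdin.
built_openssl() {
    sed -n 's/^built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Succeed if the version is 1.1.1 or newer (assumed minimum for TLS 1.3).
openssl_has_tls13() {
    v=$(printf '%s\n' "$1" | sed 's/[a-z]*$//')   # 1.1.1f -> 1.1.1
    oldest=$(printf '%s\n%s\n' "1.1.1" "$v" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ -n "$v" ] && [ "$oldest" = "1.1.1" ]
}

# ssl_protocols directives in `nginx -T` output (stdin) that omit TLSv1.3.
# A server-level directive replaces the one inherited from nginx.conf.
protocols_missing_tls13() {
    grep -E '^[[:space:]]*ssl_protocols[[:space:]]' |
        grep -v 'TLSv1\.3' | sed 's/^[[:space:]]*//'
}

# Negotiated protocol from `openssl s_client` output on stdin; empty if none.
negotiated_protocol() {
    sed -n 's/^New, \(TLSv[0-9.]*\), Cipher is .*/\1/p' | head -n1
}

# On a real host:
#   nginx -V 2>&1 | built_openssl
#   sudo nginx -T 2>/dev/null | protocols_missing_tls13
#   openssl s_client -connect website.com:443 -tls1_3 </dev/null 2>/dev/null |
#       negotiated_protocol

# Constructed sample: binary built against 1.1.0g, host library is 1.1.1.
sample='nginx version: nginx/1.17.6
built with OpenSSL 1.1.0g  2 Nov 2017 (running with OpenSSL 1.1.1  11 Sep 2018)'
ver=$(printf '%s\n' "$sample" | built_openssl)
if openssl_has_tls13 "$ver"; then
    echo "built with OpenSSL $ver: TLS 1.3 available"
else
    echo "built with OpenSSL $ver: too old for TLS 1.3"
fi
```

An empty result from `negotiated_protocol` means the TLS 1.3 handshake did not complete; any line printed by `protocols_missing_tls13` is a directive to check against the server block that handles the site.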
