TLS 1.3 is the latest version of the Transport Layer Security protocol. It builds on the existing TLS 1.2 specification and is standardized by the IETF as RFC 8446. It provides stronger security and better performance than its predecessors.
Requirements
Nginx version 1.13.0 or greater.
Apache version 2.4.37 or greater.
OpenSSL version 1.1.1 or greater.
A valid domain name with correctly configured DNS records.
A valid TLS certificate.
Install TLS Certificate from Let’s Encrypt
To obtain a free SSL certificate from Let’s Encrypt, install the acme.sh client and a few required packages on your Linux system, as shown.
apt install -y socat git    # On Debian/Ubuntu
dnf install -y socat git    # On RHEL/CentOS/Fedora
mkdir /etc/letsencrypt
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install --home /etc/letsencrypt --accountemail your_email@example.com
cd ~
# RSA certificate
/etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength 2048
# ECDSA certificate
/etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength ec-256
NOTE: Replace example.com in the above commands with your own domain name.
Now you just need to enable TLS 1.3 on your domain, as explained below.
Enable TLS 1.3 on Nginx
As mentioned in the requirements above, TLS 1.3 is supported starting from Nginx version 1.13. If you are running an older Nginx version, you first need to upgrade to the latest version.
apt install nginx    # On Debian/Ubuntu
yum install nginx    # On RHEL/CentOS/Fedora
Check the Nginx version and the OpenSSL version against which Nginx was compiled (make sure that the Nginx version is at least 1.14 and the OpenSSL version is at least 1.1.1).
nginx -V
Sample output
nginx version: nginx/1.14.1
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
built with OpenSSL 1.1.1 FIPS 11 Sep 2018
TLS SNI support enabled
Next, start Nginx, enable it at boot, and verify that it is running
systemctl start nginx.service
systemctl enable nginx.service
systemctl status nginx.service
Then open the Nginx vhost configuration
vi /etc/nginx/conf.d/example.com.conf
Note: you can edit the vhost configuration file with any editor, such as nano.
Now locate the ssl_protocols directive and append TLSv1.3 at the end of the line, as shown below
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    # RSA
    ssl_certificate /etc/letsencrypt/example.com/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/example.com/example.com.key;
    # ECDSA
    ssl_certificate /etc/letsencrypt/example.com_ecc/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/example.com_ecc/example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
}
As a last step, verify the configuration and reload Nginx
nginx -t
systemctl reload nginx.service
Enable TLS 1.3 in Apache
Note: If you are running an older version of Apache, you first need to upgrade to the latest version.
Remember the Apache version from the requirements list:
Apache version 2.4.37 or greater
To upgrade Apache to the latest version, run the following commands
apt install apache2    # On Debian/Ubuntu
yum install httpd      # On RHEL/CentOS/Fedora
Once installed, you can verify the Apache and the OpenSSL version against which Apache was compiled.
httpd -V
openssl version
Now start Apache, enable it at boot, and verify that it is running
-------------- On Debian/Ubuntu --------------
systemctl start apache2.service
systemctl enable apache2.service
systemctl status apache2.service
-------------- On RHEL/CentOS/Fedora --------------
systemctl start httpd.service
systemctl enable httpd.service
systemctl status httpd.service
Then open the Apache virtual host configuration file using your favorite editor.
vi /etc/httpd/conf.d/vhost.conf
OR
vi /etc/apache2/apache2.conf
Then locate the SSLProtocol directive and append +TLSv1.3 at the end of the line, as shown below.
<VirtualHost *:443>
    SSLEngine On
    # Certificate paths follow the acme.sh layout used above;
    # fullchain.cer already contains the intermediate chain.
    # RSA
    SSLCertificateFile /etc/letsencrypt/example.com/fullchain.cer
    SSLCertificateKeyFile /etc/letsencrypt/example.com/example.com.key
    # ECDSA
    SSLCertificateFile /etc/letsencrypt/example.com_ecc/fullchain.cer
    SSLCertificateKeyFile /etc/letsencrypt/example.com_ecc/example.com.key
    # Enable only TLS 1.2 and TLS 1.3
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    ServerAdmin admin@example.com
    ServerName www.example.com
    ServerAlias example.com
    #DocumentRoot /data/httpd/htdocs/example.com/
    DocumentRoot /data/httpd/htdocs/example_hueman/
    # Log file locations
    LogLevel warn
    ErrorLog /var/log/httpd/example.com/httpserror.log
    CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/example.com/httpsaccess.log.%Y-%m-%d 86400" combined
</VirtualHost>
Finally, verify the configuration and reload Apache
-------------- On Debian/Ubuntu --------------
apache2ctl -t
systemctl reload apache2.service
-------------- On RHEL/CentOS/Fedora --------------
httpd -t
systemctl reload httpd.service
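The check below is an added example, not part of the original article: it reads Nginx or Apache configuration text and reports which protocol versions each ssl_protocols or SSLProtocol line actually enables. It models mod_ssl's left-to-right handling of +/- prefixes, where a bare protocol name replaces everything set before it; the function names and sample input are constructed for illustration, and "all" is assumed to include TLSv1.3.

```python
import re

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: mod_ssl built against OpenSSL 1.1.1+, where "all" includes TLSv1.3.
APACHE_ALL = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

def apache_protocols(tokens):
    """Evaluate SSLProtocol tokens left to right, as mod_ssl does."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = set(APACHE_ALL) if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = group  # a bare name replaces everything set so far
    return enabled

def audit_tls_protocols(config_text):
    """Return (line_no, enabled_protocols, problems) per protocol directive."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().rstrip(";")
        m = re.match(r"(ssl_protocols|SSLProtocol)\s+(.+)", line, re.I)
        if not m:
            continue
        tokens = m.group(2).split()
        # Nginx takes a plain list; Apache applies +/- arithmetic.
        enabled = (set(tokens) if m.group(1).lower() == "ssl_protocols"
                   else apache_protocols(tokens))
        problems = [] if "TLSv1.3" in enabled else ["TLSv1.3 not enabled"]
        legacy = sorted(enabled & LEGACY)
        if legacy:
            problems.append("legacy enabled: " + ", ".join(legacy))
        findings.append((no, sorted(enabled), problems))
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
SSLProtocol all -SSLv3
SSLProtocol TLSv1.2 TLSv1.3
SSLProtocol -all +TLSv1.2 +TLSv1.3
"""

if __name__ == "__main__":
    print(*audit_tls_protocols(SAMPLE), sep="\n")
```

Line 4 of the sample shows why the Nginx list form should not be copied into Apache as-is: `SSLProtocol TLSv1.2 TLSv1.3` leaves only TLSv1.3 enabled, because the second bare name overrides the first.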
How to verify that your website is working with TLS
You can verify that TLS is working by opening your website over https, as in the following example:
https://www.lgvps.com
In the address bar of your browser, you will see that the connection is secure, as shown in the following screenshot.

That’s all you need to secure your website connection with TLS 1.3. If you need help, please don’t hesitate to leave a reply.
Best Regards