How do I enable and configure TLS 1.2 and 1.3 only in Nginx web server?
TLS is an acronym for Transport Layer Security. It is a cryptographic protocol designed to secure network communications. TLS is used by websites and other applications such as IM (instant messaging), email, web browsers, VoIP, and more to protect all traffic between server and client. This page explains how to enable and configure Nginx to use TLS versions 1.2 and 1.3 only.
| Tutorial requirements | |
|---|---|
| Requirements | Nginx running on Linux/Unix with OpenSSL | 
| Root privileges | Yes | 
| Difficulty | Easy | 
| Est. reading time | 10m | 
| Table of contents | 1. Configuration 2. Minimum requirements for TLS 1.2 3. Set up TLS 1.2 in Nginx 4. Configure TLS 1.3 in Nginx 5. Test it 6. Conclusion |
How to configure and enable Nginx to use TLS 1.2 and 1.3
- Open the terminal application
- Log in to the Nginx server using the ssh command
- Edit the nginx.conf file or the virtual domain config file
- To allow TLS 1.2 only, set: ssl_protocols TLSv1.2;
- To allow TLS 1.3 only, set: ssl_protocols TLSv1.3;
- To allow both TLS 1.2 and 1.3 and nothing else, set: ssl_protocols TLSv1.2 TLSv1.3;
- Save and close the file
- Restart or reload the Nginx server.
- Test it.
A note about our setup for TLS 1.2 or 1.3 only in Nginx web server
I tested the server configuration with the following components:
- Nginx version 1.14.2
- OpenSSL version 1.1.0
As a result, this configuration works with the following clients only:
- Firefox 27+
- Android 4.4.2+
- Chrome 31+
- Edge, IE 11 on Windows 7 or above
- Java 8u31
- OpenSSL 1.0.1
- Opera 20+
- Safari 9+
In other words, an older client from Windows XP or an older version of Android/Java won’t work.
A note about TLS 1.3
TLS 1.3 is supported only by Firefox 63+, Android 10.0+, Chrome 70+, Edge 75, Java 11, OpenSSL 1.1.1, Opera 57, and Safari 12.1. Hence, I recommend enabling both 1.2 and 1.3 in Nginx.
How to check Nginx version
Type the following to print the version only:
$ nginx -v
nginx version: nginx/1.16.1
To see the build details, including the OpenSSL version Nginx was compiled against, run:
$ nginx -V
How to check OpenSSL version
Run:
$ openssl version
OpenSSL 1.1.1d 10 Sep 2019
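The `openssl version` output above describes the system binary, which is not necessarily the library Nginx was linked against; it is the `nginx -V` report that decides whether the TLSv1.3 parameter can be used. The following Python script is an added example, not part of the original tutorial: it reads a `nginx -V` report (a constructed sample is embedded for hosts without Nginx) and says which `ssl_protocols` values that build can honour, using the OpenSSL thresholds from the Nginx documentation (1.0.1 for TLSv1.2, 1.1.1 for TLSv1.3). The sample texts and the `live_nginx_v` helper name are this example's own.

```python
"""Check which ssl_protocols values an nginx build can honour.

`nginx -V` prints its build report on stderr, including the OpenSSL
version it was compiled against (and, if different, the one it is running
with). Per the nginx docs, TLSv1.2 needs OpenSSL 1.0.1 or newer and
TLSv1.3 needs OpenSSL 1.1.1 or newer built with TLSv1.3 support (the
OpenSSL default).
"""
import re
import subprocess

# Constructed samples of `nginx -V` output (not captured from a real host).
SAMPLE_NGINX_V = """\
nginx version: nginx/1.16.1
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_v2_module
"""
SAMPLE_OLD_OPENSSL = "built with OpenSSL 1.0.2u  20 Dec 2019\nTLS SNI support enabled\n"
SAMPLE_RUNNING_WITH = (
    "built with OpenSSL 1.1.1  11 Sep 2018 (running with OpenSSL 1.1.1k  25 Mar 2021)\n"
)

# Minimum OpenSSL version for each ssl_protocols parameter (nginx docs).
OPENSSL_MINIMUM = {
    "TLSv1.2": (1, 0, 1),
    "TLSv1.3": (1, 1, 1),
}

_RUNNING_RE = re.compile(r"running with OpenSSL\s+(\d+)\.(\d+)\.(\d+)")
_BUILT_RE = re.compile(r"built with OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(nginx_v_output: str) -> tuple:
    """Return the OpenSSL version nginx uses as (major, minor, patch).

    The 'running with' version (the shared library actually loaded) takes
    precedence over the 'built with' one. The letter suffix (1.1.1d) does
    not change protocol support and is ignored.
    """
    m = _RUNNING_RE.search(nginx_v_output) or _BUILT_RE.search(nginx_v_output)
    if not m:
        raise ValueError("no OpenSSL version found in nginx -V output")
    return tuple(int(part) for part in m.groups())


def supported_protocols(nginx_v_output: str) -> dict:
    """Map each ssl_protocols parameter to True/False for this nginx build."""
    version = parse_openssl_version(nginx_v_output)
    return {proto: version >= minimum for proto, minimum in OPENSSL_MINIMUM.items()}


def live_nginx_v() -> str:
    """Run `nginx -V` on this host; the report goes to stderr."""
    result = subprocess.run(["nginx", "-V"], capture_output=True, text=True)
    return result.stderr + result.stdout


if __name__ == "__main__":
    try:
        report = live_nginx_v()
    except FileNotFoundError:
        report = SAMPLE_NGINX_V  # nginx not installed here: use the constructed sample
    for proto, ok in supported_protocols(report).items():
        print(f"{proto}: {'usable' if ok else 'NOT usable with this OpenSSL'}")
```

Run it on each web server in a fleet before rolling out `ssl_protocols TLSv1.2 TLSv1.3;`; a build reporting OpenSSL 1.1.0 or older will reject the TLSv1.3 parameter at `nginx -t` time.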
How to enable TLS 1.2 only in Nginx web server
Edit the nginx.conf:
$ sudo vi /etc/nginx/nginx.conf
OR edit the virtual host file:
$ sudo vi /etc/nginx/vhosts.d/cyberciti.biz
Please note that the TLSv1.1 and TLSv1.2 parameters (Nginx 1.1.13, 1.0.12) work only when OpenSSL 1.0.1 or higher is used. The TLSv1.3 parameter (Nginx 1.13.0) works only when OpenSSL 1.1.1 built with TLSv1.3 support is used.
Update/append as follows:
```nginx
server {
    listen 443 ssl http2;
    server_name www.cyberciti.biz cyberciti.biz;

    # Path to certs: ssl_certificate takes the server certificate (or the
    # full chain) in PEM form, not the .csr signing request
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/cyberciti.biz.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MySSL:10m;
    ssl_session_tickets off;
    # DH parameters, needed by the DHE-RSA suites in ssl_ciphers below
    ssl_dhparam /etc/nginx/ssl/cyberciti.biz.dhparam.pem;

    # TLS 1.2 only
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;

    # replace with the IP address of your resolver
    resolver 1.1.1.1;

    ## rest of config ##
}
```
Save and close the file.
How to enable TLS 1.3 in Nginx
To allow both TLS 1.2 and 1.3, use the following in the nginx config file:
ssl_protocols TLSv1.2 TLSv1.3;
To allow TLS 1.3 only:
ssl_protocols TLSv1.3;
Here is a sample config for TLS 1.3 only:
```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.cyberciti.biz;

    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SharedNixCraftSSL:10m;
    ssl_session_tickets off;

    # TLS 1.3 only. No ssl_ciphers line: that directive only covers
    # TLS 1.2 and older suites; OpenSSL picks the TLS 1.3 suites itself.
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;

    # replace with the IP address of your resolver
    resolver 8.8.8.8;
}
```
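On a host with many virtual hosts it is easy to harden one `server` block and miss another, or to leave a block without an `ssl_protocols` line at all, in which case Nginx silently applies its compiled-in default (`TLSv1 TLSv1.1 TLSv1.2` on releases before 1.23.4). The following Python audit script is an added example, not part of the tutorial or of Nginx: it walks every `server { ... }` block in a config file and reports those that listen with `ssl` but still accept a legacy protocol or omit the directive. The embedded config is a constructed sample; the directive parsing assumes one directive per `name args;` statement and does not follow `include` files.

```python
"""Static audit of nginx server blocks for the TLS 1.2/1.3-only policy.

Finds every `server { ... }` block, and for each one that listens with
`ssl`, checks its `ssl_protocols` directive: it must be present and must
not list SSLv2, SSLv3, TLSv1 or TLSv1.1. A missing directive is reported
too, because nginx then falls back to its compiled-in default, which on
releases before 1.23.4 is `TLSv1 TLSv1.1 TLSv1.2`.
"""
import re
import sys

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample: one compliant TLS block, one legacy block, one that
# relies on the default, and one plain-HTTP block that needs no check.
SAMPLE_CONFIG = """
http {
    server {
        listen 443 ssl http2;
        server_name good.example.com;
        ssl_protocols TLSv1.2 TLSv1.3;
        location / { return 200; }
    }
    server {
        listen 443 ssl;
        server_name legacy.example.com;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # kept for old clients
    }
    server {
        listen 443 ssl;
        server_name implicit.example.com;
    }
    server {
        listen 80;
        server_name plain.example.com;
    }
}
"""


def strip_comments(config: str) -> str:
    """Drop `# ...` comments so a commented-out directive is not counted."""
    return re.sub(r"#.*", "", config)


def server_blocks(config: str):
    """Yield the body of each `server { ... }` block, matching braces so a
    nested `location { }` block does not end the server block early."""
    text = strip_comments(config)
    for m in re.finditer(r"\bserver\s*\{", text):
        depth = 0
        for i in range(m.end() - 1, len(text)):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    yield text[m.end():i]
                    break


def directive_args(block: str, name: str):
    """Return the arguments of the first `name args;` directive, or None."""
    m = re.search(rf"(?<![\w-]){re.escape(name)}\s+([^;]+);", block)
    return m.group(1).split() if m else None


def audit_server_block(block: str) -> dict:
    """Audit one server block; `findings` is empty when it complies."""
    names = directive_args(block, "server_name") or ["(no server_name)"]
    listens = re.findall(r"(?<![\w-])listen\s+([^;]+);", block)
    is_tls = any("ssl" in args.split() for args in listens)
    protocols = directive_args(block, "ssl_protocols")
    findings = []
    if is_tls:
        if protocols is None:
            findings.append("ssl_protocols not set; nginx default applies "
                            "(TLSv1 TLSv1.1 TLSv1.2 before nginx 1.23.4)")
        else:
            weak = sorted(set(protocols) & WEAK_PROTOCOLS)
            if weak:
                findings.append("weak protocols enabled: " + ", ".join(weak))
            if not set(protocols) & ALLOWED_PROTOCOLS:
                findings.append("no modern protocol (TLSv1.2/TLSv1.3) enabled")
    return {"server_name": names[0], "tls": is_tls,
            "ssl_protocols": protocols, "findings": findings}


def audit(config: str) -> list:
    """Audit every server block in the configuration text."""
    return [audit_server_block(block) for block in server_blocks(config)]


if __name__ == "__main__":
    # Pass a config path to audit a real file; otherwise the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for result in audit(text):
        status = "OK" if not result["findings"] else "FAIL"
        print(f"{status:4} {result['server_name']}: "
              f"{'; '.join(result['findings']) or 'compliant'}")
```

Because Nginx applies `ssl_protocols` per server block (inheriting from `http` if set there), run the script over the fully assembled configuration; on a site that uses `include` files, concatenate them first or extend `server_blocks` to read them.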
Reload or restart the nginx
Now that the server is configured, test the nginx config for syntax errors:
$ nginx -t
Sample outputs:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload or restart the nginx server:
$ sudo systemctl restart nginx
## OR ##
$ sudo service nginx restart
Test Nginx TLS 1.2 support
Run the curl command as follows (replace the www.cyberciti.biz domain with your actual domain name):
$ curl -I -v --tlsv1.2 --tls-max 1.2 https://www.cyberciti.biz/
Test Nginx TLS 1.3 support
$ curl -I -v --tlsv1.3 --tls-max 1.3 https://www.cyberciti.biz/
Sample outputs (each response header appears twice because -I writes the headers to stdout while -v echoes them to stderr):
```text
* Trying 104.20.187.5:443...
* TCP_NODELAY set
* Connected to www.cyberciti.biz (104.20.187.5) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=cyberciti.biz
*  start date: Nov 28 00:00:00 2019 GMT
*  expire date: Oct 9 12:00:00 2020 GMT
*  subjectAltName: host "www.cyberciti.biz" matched cert's "*.cyberciti.biz"
*  issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x558d280211d0)
> HEAD / HTTP/2
> Host: www.cyberciti.biz
> User-Agent: curl/7.65.3
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
HTTP/2 200
< date: Sun, 01 Dec 2019 19:51:39 GMT
date: Sun, 01 Dec 2019 19:51:39 GMT
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8
< set-cookie: __cfduid=d0754cfef8441ee725af158ad808a62211575229899; expires=Tue, 31-Dec-19 19:51:39 GMT; path=/; domain=.cyberciti.biz; HttpOnly; Secure
set-cookie: __cfduid=d0754cfef8441ee725af158ad808a62211575229899; expires=Tue, 31-Dec-19 19:51:39 GMT; path=/; domain=.cyberciti.biz; HttpOnly; Secure
< strict-transport-security: max-age=15552000
strict-transport-security: max-age=15552000
< x-whome: l-cbz04
x-whome: l-cbz04
< cf-cache-status: HIT
cf-cache-status: HIT
< age: 126265
age: 126265
< x-content-type-options: nosniff
x-content-type-options: nosniff
< alt-svc: h3-23=":443"; ma=86400
alt-svc: h3-23=":443"; ma=86400
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
server: cloudflare
< cf-ray: 53e798d6081edc89-MAA
cf-ray: 53e798d6081edc89-MAA
<
* Connection #0 to host www.cyberciti.biz left intact
```
Test Nginx TLS 1.1/1.0 support (must fail)
In this final example, confirm that Nginx refuses TLS 1.0 and TLS 1.1; both commands must fail during the handshake:
$ curl -I -v --tlsv1 --tls-max 1.0 https://www.cyberciti.biz/
$ curl -I -v --tlsv1.1 --tls-max 1.1 https://www.cyberciti.biz/
Understanding the curl command options
- -I : Show document header info only
- -v : Verbose outputs
- --tlsv1, --tlsv1.0, --tlsv1.1, --tlsv1.2, --tlsv1.3: Use given TLS version
- --tls-max VERSION : Set maximum allowed TLS version
See the curl man page or type the following man command:
$ man curl
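The four curl invocations above (1.0 and 1.1 must fail, 1.2 and 1.3 must succeed) are the whole acceptance test, and it is worth scripting them so the check can be repeated after every config change. The following Python script is an added example, not part of the tutorial: it pins each TLS version with the standard `ssl` module, the same way `--tlsvX --tls-max X` does, and then judges the results against the TLS 1.2/1.3-only policy. The host name is a placeholder argument and the result dictionaries in the test are constructed; certificate verification stays on, as with curl.

```python
"""Probe which TLS versions a server accepts and judge the result against
the "TLS 1.2 and 1.3 only" policy: the Python equivalent of running
curl --tlsvX --tls-max X once per version.
"""
import socket
import ssl
import sys

# Protocol versions to try, oldest first.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def handshake_with_version(host: str, port: int, version: ssl.TLSVersion,
                           timeout: float) -> bool:
    """Return True if the server completes a handshake with exactly this version."""
    ctx = ssl.create_default_context()  # keeps certificate verification on
    try:
        # Pin both bounds, like `curl --tlsv1.2 --tls-max 1.2`.
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        # SSLError: the server refused the version (or the local OpenSSL
        # security level will not offer it); OSError: network failure;
        # ValueError: this Python/OpenSSL cannot set the version at all.
        return False


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Map each TLS version name to whether the server accepted it."""
    return {name: handshake_with_version(host, port, v, timeout)
            for name, v in VERSIONS.items()}


def evaluate(results: dict) -> tuple:
    """Check probe results against the TLS 1.2/1.3-only policy.

    Returns (compliant, problems). A server complies when it refuses
    TLSv1 and TLSv1.1 and accepts at least one of TLSv1.2 / TLSv1.3.
    """
    problems = []
    for legacy in ("TLSv1", "TLSv1.1"):
        if results.get(legacy):
            problems.append(f"{legacy} accepted; must be refused")
    if not (results.get("TLSv1.2") or results.get("TLSv1.3")):
        problems.append("neither TLSv1.2 nor TLSv1.3 accepted")
    return (not problems, problems)


if __name__ == "__main__":
    # Placeholder host; pass your own domain as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    results = probe(host)
    for name, accepted in results.items():
        print(f"{name:8} {'accepted' if accepted else 'refused'}")
    compliant, problems = evaluate(results)
    print("PASS" if compliant else "FAIL: " + "; ".join(problems))
```

One caveat that applies equally to curl: if the client's own OpenSSL is built or configured to refuse TLS 1.0/1.1 (common on current distributions), those two rows will read "refused" whatever the server does, so a clean PASS from such a host only proves the 1.2/1.3 half of the policy. Run the legacy checks from a client that can still offer those versions.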
Conclusion
You have successfully configured and enabled TLS 1.{2,3} on the Nginx web server running on Linux or Unix-like systems. See the Nginx web server docs for more info.
This entry is 10 of 13 in the Secure Web Server with Let’s Encrypt Tutorial series.