TLS 1.3 with NGINX and Ubuntu 18.04 LTS

Categories:

OpenSSL 1.1.1 is now available to Ubuntu 18.04 LTS with the release of 18.04.3. This porting of OpenSSL 1.1.1 has opened up the ability to run with TLS 1.3 on your Ubuntu 18.04 LTS NGINX-powered webserver. To add TLS 1.3 support to your existing NGINX installation, first upgrade your Ubuntu 18.04 LTS server to 18.04.3, and then find the ssl_protocols directive for NGINX and add TLSv1.3 at the end:

Restart NGINX with systemctl restart nginx.

It really is as simple as that! If your browser supports TLS 1.3 (and all major browsers do as of November 2019 with the notable exception of Microsoft Edge) it will negotiate to it. As of this writing (November 2019), you would not want to disable TLSv1.2. Odds are you will break tools such as cURL and other HTTPS agents accessing your site. Here’s an example of what that looks like for curl on macOS 10.14.6 (Mojave):

In other words, the stock macOS 10.14.6 curl cannot establish a connection with a webserver running only TLS 1.3.

Enabling 0-RTT

There are a lot of compelling features to TLS 1.3, one of them being 0-RTT for performance gains in establishing a connection to the webserver. NGINX enables TLS 1.3 0-RTT if the configuration parameter ssl_early_data is set to on. If you are using the stock NGINX provided by Ubuntu 18.04 LTS 0-RTT is not supported. Let’s upgrade to the version provided by the NGINX PPA and enable it.

Go back to your NGINX configuration and place the ssl_early_data directive near all of the other ssl_ directives, like this:

Now, all that being said, 0-RTT is not something you will want to enable without careful consideration. The “early” in SSL early data comes from the idea that if the client already has a pre-shared key, it can reuse the key. This is a great post outlining the benefits, and risks, of enabling 0-RTT.

3 thoughts on “TLS 1.3 with NGINX and Ubuntu 18.04 LTS”

  1. Hi,
    last week I made the point 2 upgrade of Ubuntu 18.04 LTS on server with Plesk 17.8.11.
    I was excited about the long-promised upgrade to OpenSSL 1.1.1 with TLS 1.3 support.
    But Ubuntu 18.04 point 2 upgrade didn’t change OpenSSL 1.1.0g version at all.
    I read several docs from Canonical and other sources. Is it correct that we have to do it ourselves?

    1. Yes, Ubuntu 18.04.2 does not include the necessary support for TLS1.3 whereas Ubuntu 18.04.3 does. You will want to go ahead and upgrade and, if possible, go to Ubuntu 18.04.4 which is available as of May 2020.

Leave a Reply

Your email address will not be published. Required fields are marked *