{"id":3889,"date":"2019-11-03T17:09:06","date_gmt":"2019-11-03T23:09:06","guid":{"rendered":"https:\/\/dev.iachieved.it\/iachievedit\/?p=3889"},"modified":"2019-11-04T07:27:25","modified_gmt":"2019-11-04T13:27:25","slug":"tls-1-3-with-nginx-and-ubuntu-18-04-lts","status":"publish","type":"post","link":"https:\/\/dev.iachieved.it\/iachievedit\/tls-1-3-with-nginx-and-ubuntu-18-04-lts\/","title":{"rendered":"TLS 1.3 with NGINX and Ubuntu 18.04 LTS"},"content":{"rendered":"<p><a href=\"https:\/\/www.openssl.org\/blog\/blog\/2018\/09\/11\/release111\/\">OpenSSL 1.1.1<\/a> is now available on <b>Ubuntu 18.04 LTS<\/b> with the release of <a href=\"https:\/\/lists.ubuntu.com\/archives\/ubuntu-announce\/2019-August\/000248.html\">18.04.3<\/a>.  This backport of OpenSSL 1.1.1 makes it possible to serve <a href=\"https:\/\/ietf.org\/blog\/tls13\/?\"><b>TLS 1.3<\/b><\/a> from an <a href=\"https:\/\/nginx.org\/\">NGINX<\/a>-powered webserver on Ubuntu 18.04 LTS.  To add TLS 1.3 support to your existing NGINX installation, first upgrade your Ubuntu 18.04 LTS server to 18.04.3, then find the <code>ssl_protocols<\/code> directive in your NGINX configuration and add <code>TLSv1.3<\/code> at the end:<\/p>\n<pre>\nssl_protocols TLSv1.2 TLSv1.3;\n<\/pre>\n<p>Check the configuration with <code>nginx -t<\/code> and restart NGINX with <code>systemctl restart nginx<\/code>.  You can confirm that the server now negotiates TLS 1.3 with <code>openssl s_client -connect yourhost:443 -tls1_3<\/code> from a machine with OpenSSL 1.1.1; the <code>Protocol<\/code> line of its output should read <code>TLSv1.3<\/code>.<\/p>\n<p>It really is as simple as that!  If your browser supports TLS 1.3 (and all major browsers do as of November 2019, with the notable exception of <a href=\"https:\/\/developer.microsoft.com\/en-us\/microsoft-edge\/platform\/status\/tls13\/\">Microsoft Edge<\/a>) it will negotiate TLS 1.3.  As of this writing (November 2019), you would not want to disable TLSv1.2: odds are you will break tools such as <a href=\"https:\/\/curl.haxx.se\/\">cURL<\/a> and other HTTPS agents accessing your site.  
Here&#8217;s an example of what that looks like for <code>curl<\/code> on macOS 10.14.6 (Mojave), whose stock <code>curl<\/code> is built against a LibreSSL without TLS 1.3 support:<\/p>\n<pre>\ncurl: (35) A bad protocol version was encountered\n<\/pre>\n<p>In other words, the stock macOS 10.14.6 <code>curl<\/code> cannot establish a connection with a webserver running <i>only<\/i> TLS 1.3.<\/p>\n<h2>Enabling 0-RTT<\/h2>\n<p>There are a lot of compelling features in TLS 1.3, one of them being <a href=\"https:\/\/blog.cloudflare.com\/introducing-0-rtt\/\">0-RTT<\/a>, which saves a full round trip when a client reconnects to the webserver.  NGINX enables TLS 1.3 0-RTT when the configuration parameter <code>ssl_early_data<\/code> is set to <code>on<\/code>.  The stock NGINX provided by Ubuntu 18.04 LTS (1.14.0) predates the <code>ssl_early_data<\/code> directive, which arrived in nginx 1.15.3 (with OpenSSL 1.1.1 support in 1.15.4), so 0-RTT is not supported there.  Let&#8217;s upgrade to the version provided by the <a href=\"https:\/\/launchpad.net\/~nginx\/+archive\/ubuntu\/stable\">NGINX PPA<\/a> and enable it.<\/p>\n<pre>\n$ sudo add-apt-repository ppa:nginx\/stable\n$ sudo apt-get update\n$ sudo apt-get upgrade\n<\/pre>\n<p>Go back to your NGINX configuration and place the <code>ssl_early_data<\/code> directive near all of the other <code>ssl_<\/code> directives, like this:<\/p>\n<pre class=\"lang:default decode:true\">\n# SSL Settings\nssl_protocols TLSv1.2 TLSv1.3;\nssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;\nssl_prefer_server_ciphers off;\nssl_early_data on;\n<\/pre>\n<p>Note that <code>ssl_ciphers<\/code> only governs the TLS 1.2 (and earlier) cipher suites; the TLS 1.3 suites are negotiated separately by OpenSSL and are not affected by the list above.<\/p>\n<p>Now, all that being said, 0-RTT is not something you will want to enable without careful consideration.  The &#8220;early&#8221; in SSL early data refers to application data the client sends in its very first flight: on a resumed connection it already holds a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Pre-shared_key\">pre-shared key<\/a> from the previous session, and it uses that key to encrypt a request (an HTTP POST, say) before the handshake has completed.  Because the server has contributed nothing fresh to that exchange yet, early data has no forward secrecy and, more importantly, can be replayed: an attacker who records the first flight can resend it, and the server cannot tell the replay from the original.  NGINX exposes the <code>$ssl_early_data<\/code> variable so that the application behind it can refuse to act on non-idempotent requests that arrive in early data.  
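<\/p>\n<p>To make the replay risk concrete, here is an added example (it is not code from the original post) of how a backend behind NGINX can refuse to act on non-idempotent requests that arrive in early data, using the <code>Early-Data<\/code> request header and the <code>425 Too Early<\/code> status defined in RFC 8470.  It assumes NGINX forwards its <code>$ssl_early_data<\/code> variable to the backend with <code>proxy_set_header Early-Data $ssl_early_data;<\/code>; the WSGI app, its <code>\/transfer<\/code> route and the account balance are constructed for illustration only:<\/p>\n

```python
"""
Application-layer replay protection for TLS 1.3 0-RTT (RFC 8470).

Assumption: nginx forwards its $ssl_early_data variable to the backend,
    proxy_set_header Early-Data $ssl_early_data;
so a request carried in 0-RTT early data arrives with "Early-Data: 1".
Requests whose replay could change state are answered with 425 Too Early,
which tells the client to resend them once the handshake has completed.
The /transfer route and the account balance are constructed for the example.
"""
from io import BytesIO
from wsgiref.util import setup_testing_defaults

# Methods whose replay is harmless (the "safe" methods of RFC 7231).
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Constructed state: a replayed POST /transfer would debit this twice.
ACCOUNT = {"balance": 100}


def balance():
    """Current (constructed) account balance, for inspection."""
    return ACCOUNT["balance"]


def is_early_data(environ):
    """True when nginx flagged the request as sent in 0-RTT early data."""
    return environ.get("HTTP_EARLY_DATA", "").strip() == "1"


def app(environ, start_response):
    """Minimal WSGI app: refuse state-changing requests that arrive early."""
    method = environ["REQUEST_METHOD"].upper()
    path = environ.get("PATH_INFO", "/")

    if is_early_data(environ) and method not in SAFE_METHODS:
        # 425 Too Early: touch no state; the client retries after 1-RTT.
        start_response("425 Too Early", [("Content-Type", "text/plain")])
        return [b"retry after handshake"]

    if method == "POST" and path == "/transfer":
        ACCOUNT["balance"] -= 10
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [f"balance={ACCOUNT['balance']}".encode()]

    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def call(method, path, early=False, body=b""):
    """Drive the app with a constructed request; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = path
    environ["wsgi.input"] = BytesIO(body)
    environ["CONTENT_LENGTH"] = str(len(body))
    if early:
        environ["HTTP_EARLY_DATA"] = "1"  # what nginx would send for 0-RTT
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    out = b"".join(app(environ, start_response))
    return captured["status"], out


if __name__ == "__main__":
    # The same POST replayed inside early data is refused every time ...
    print(call("POST", "/transfer", early=True))
    print(call("POST", "/transfer", early=True))
    # ... a GET in early data is served, and the 1-RTT retry lands once.
    print(call("GET", "/", early=True))
    print(call("POST", "/transfer"), balance())
```

<p>A replayed early-data <code>POST<\/code> never reaches the state-changing code path, the client resends the request once the handshake completes, and safe methods are still served from 0-RTT, so the latency benefit is kept exactly where a replay is harmless.<\/p>\n<p>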
<a href=\"https:\/\/blog.trailofbits.com\/2019\/03\/25\/what-application-developers-need-to-know-about-tls-early-data-0rtt\/\">This<\/a> is a great post outlining the benefits, and risks, of enabling 0-RTT.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>OpenSSL 1.1.1 is now available to Ubuntu 18.04 LTS with the release of 18.04.3. This porting of OpenSSL 1.1.1 has opened up the ability to run with TLS 1.3 on your Ubuntu 18.04 LTS NGINX-powered webserver. To add TLS 1.3 support to your existing NGINX installation, first upgrade your Ubuntu 18.04 LTS server to 18.04.3, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3547,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,72,85,71],"tags":[96],"class_list":["post-3889","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops","category-nginx","category-tls-1-3","category-ubuntu","tag-ubuntu-18-04-nginx-tls-1-3"],"_links":{"self":[{"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/posts\/3889"}],"collection":[{"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/comments?post=3889"}],"version-history":[{"count":14,"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/posts\/3889\/revisions"}],"predecessor-version":[{"id":3904,"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/posts\/3889\/revisions\/3904"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/media\/3547"}],"wp:attachment":[{"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/media?pare
nt=3889"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/categories?post=3889"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/tags?post=3889"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}