Enabling TLS 1.3 on Your Servers and CDNs: A Complete Guide

Have you heard about TLS 1.3? This updated transport layer security protocol promises improved encryption and faster page loads. As major sites like Facebook and Cloudflare roll out support, now is the perfect time to upgrade your own web infrastructure.

In this step-by-step guide, I'll show you how to configure Apache, Nginx, and Cloudflare to start using TLS 1.3's advanced cryptographic ciphers and optimized handshake. By the end, your site security will be boosted while latency decreases. Let's get started!

Why TLS 1.3 Matters

First, what changes does TLS 1.3 bring? Standardized in 2018, this new protocol aims to fix the weaknesses and speed issues of previous TLS versions.

Specific benefits include:

  • Faster page loads through a condensed, one-round-trip handshake
  • Enhanced security via mandatory forward secrecy and modern ciphers
  • Resilience against common attacks like BEAST, LUCKY13, and RC4 biases

Overall, websites using TLS 1.3 see better protection along with a performance boost!

Before we make configuration changes, it helps to know the state of adoption…

Current Browser Support

As of 2023, TLS 1.3 is supported broadly across modern web browsers:

Browser     Versions Supported
Chrome      Yes, since v70
Firefox     Yes, since v63
Safari      Yes, since v12

Legacy browsers still lag behind – Internet Explorer has no support planned. But over 75% of users enjoy TLS 1.3-compatible browsers. Expect this coverage to grow exponentially as new versions are released.

Now let's get your servers ready to use TLS 1.3 when requested! We'll cover Nginx first…

Enabling TLS 1.3 on Nginx

Nginx unlocked support for TLS 1.3 starting in version 1.13.0.

To confirm which version your server is running:

nginx -v

If the output shows 1.13.0 or later, great! If your install is older, I'd recommend upgrading Nginx before enabling additional features.

Once on a supported version, edit your nginx.conf:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

Then gracefully restart Nginx to apply the changes:

nginx -s reload

And that's it! Nginx will now allow TLS 1.3 handshakes in addition to prior TLS versions. Next I'll demonstrate how to monitor this in action…

Validating Nginx TLS 1.3 Usage

To confirm your Nginx server is correctly handling TLS 1.3 requests, examine the access logs.

Look for entries like this after reloading a page in Chrome:

1.2.3.4 TLSv1.3 256 hello

This shows the IP, protocol version, cipher strength, and selected cipher.

For performance metrics, Nginx's stub_status output will also report TLSv1.3 handshakes:

       TLSv1.3 handshakes: 235
   TLSv1.3 renegotiations: 0
       TLSv1.2 handshakes: 12889
   TLSv1.2 renegotiations: 54

Comparing the values before and after enabling 1.3 shows the protocol's real-world adoption!
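To measure adoption from the access log itself, the added example below (not code from the original guide) tallies the negotiated protocol per request and lists clients still on TLSv1 or TLSv1.1, which the ssl_protocols line above leaves enabled and which RFC 8996 deprecates. It assumes a custom log_format, hypothetically named tls, built from nginx's $remote_addr, $ssl_protocol, $ssl_cipher and $request variables; the sample log lines are constructed.

```python
import re
from collections import Counter

# Assumed nginx log format (hypothetical name "tls"; not from the original guide):
#   log_format tls '$remote_addr $ssl_protocol $ssl_cipher "$request"';
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<proto>\S+) (?P<cipher>\S+) "(?P<req>[^"]*)"$')

# TLS 1.0 and TLS 1.1 are formally deprecated by RFC 8996.
DEPRECATED = {"TLSv1", "TLSv1.1"}

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET / HTTP/2.0"
203.0.113.11 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /a HTTP/1.1"
198.51.100.7 TLSv1 ECDHE-RSA-AES256-SHA "GET / HTTP/1.1"
203.0.113.10 TLSv1.3 TLS_AES_128_GCM_SHA256 "GET /b HTTP/2.0"
203.0.113.12 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /c HTTP/2.0"
192.0.2.5 - - "GET / HTTP/1.1"
"""


def tally_protocols(lines):
    """Return (protocol counts, IPs seen on deprecated TLS, skipped line count)."""
    counts = Counter()
    legacy_clients = set()
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        # nginx logs "-" for empty variables, e.g. a plain-HTTP request.
        if not m or m["proto"] == "-":
            skipped += 1
            continue
        counts[m["proto"]] += 1
        if m["proto"] in DEPRECATED:
            legacy_clients.add(m["ip"])
    return counts, legacy_clients, skipped


def share(counts, proto):
    """Percentage of TLS requests that negotiated `proto` (0.0 if no data)."""
    total = sum(counts.values())
    return round(100 * counts[proto] / total, 1) if total else 0.0


if __name__ == "__main__":
    counts, legacy, skipped = tally_protocols(SAMPLE_LOG.splitlines())
    for proto, n in counts.most_common():
        print(f"{proto:8} {n:4} {share(counts, proto):5.1f}%")
    print("clients on deprecated TLS:", sorted(legacy) or "none")
    print("skipped lines:", skipped)
```

An empty list of deprecated-protocol clients over a representative period is the signal that TLSv1 and TLSv1.1 can be removed from ssl_protocols without cutting off real users.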

Now let's explore similar steps for Apache…

Setting up Apache HTTP with TLS 1.3

Apache gained official TLS 1.3 support in version 2.4.38.



Conclusion and Next Steps

With protocol upgrades like TLS 1.3, staying current is key for speed and security. I walked through enabling TLS 1.3 on Apache, Nginx, and Cloudflare - now over 75% of your traffic can benefit! 

Look for more sites to adopt 1.3 in 2023. I'll be keeping my configurations up-to-date to ensure optimal performance and protection. Let me know if you have any other questions!