How to Enable TLS 1.3 in Apache and Nginx?

Transport Layer Security (TLS) 1.3 is the latest version of the TLS protocol, offering enhanced security, faster handshakes, and improved performance compared to previous versions. With increasing cyber threats, enabling TLS 1.3 on web servers like Apache and Nginx is crucial for protecting sensitive data during transmission between servers and clients.

TLS 1.3 provides several advantages including reduced latency, stronger encryption algorithms, and elimination of vulnerable legacy features. This article will guide you through the process of enabling TLS 1.3 on both Apache and Nginx web servers.

Prerequisites

Before enabling TLS 1.3, ensure that both your web server and OpenSSL library support this protocol. Apache 2.4.36+ and Nginx 1.13.0+ have built-in TLS 1.3 support. Additionally, OpenSSL 1.1.1 or later is required for TLS 1.3 functionality.

Enabling TLS 1.3 in Apache

Checking Apache Version Compatibility

First, verify that your Apache version supports TLS 1.3 by running the following command:

apache2ctl -v

If your Apache version is below 2.4.36, you need to upgrade before proceeding. Also check your OpenSSL version:

openssl version

Updating OpenSSL (if required)

If your OpenSSL version is below 1.1.1, update it using your system's package manager:

sudo apt-get update
sudo apt-get install openssl libssl-dev

For CentOS/RHEL systems:

sudo yum update openssl openssl-devel

Configuring Apache for TLS 1.3

Edit your SSL configuration file (typically located at /etc/apache2/mods-enabled/ssl.conf or /etc/httpd/conf.d/ssl.conf) and add the following directives:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

To support TLS 1.3 only, use:

SSLProtocol TLSv1.3
# TLS 1.3 suites are only applied when the TLSv1.3 protocol argument is given
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

Restart Apache to apply the changes:

sudo systemctl restart apache2

Enabling TLS 1.3 in Nginx

Checking Nginx Version Compatibility

Verify that your Nginx version supports TLS 1.3:

nginx -v

Ensure you have Nginx 1.13.0 or later. Also verify your OpenSSL version as described earlier.

Configuring Nginx for TLS 1.3

Edit your Nginx configuration file (typically /etc/nginx/nginx.conf or your site-specific configuration) and add the following directives in the server block:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;

To support TLS 1.3 only:

ssl_protocols TLSv1.3;

Test the configuration and reload Nginx:

sudo nginx -t
sudo systemctl reload nginx

Testing TLS 1.3 Configuration

After configuring TLS 1.3, it's essential to verify that the setup works correctly. Use the following methods to test your configuration:

Using OpenSSL Command

openssl s_client -connect yourdomain.com:443 -tls1_3

Using SSL Labs

Visit SSL Labs Server Test (ssllabs.com/ssltest) and enter your domain. The tool will provide a comprehensive report showing supported TLS versions, cipher suites, and security grade.

Using Browser Developer Tools

In Chrome or Firefox, open Developer Tools, navigate to the Security tab, and check the connection details to verify TLS 1.3 is being used.
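
A static check of the directives complements the live tests above. The following Python sketch is an added example, not part of the original article or of either server's tooling: it evaluates Apache's SSLProtocol +/- syntax and Nginx's ssl_protocols list, then flags legacy versions, a missing TLS 1.3, and TLS 1.3 suite names passed to SSLCipherSuite without the TLSv1.3 argument. The function names and sample configuration are constructed for illustration; protocol names are assumed to use their canonical spelling, and "all" is expanded to every version including SSLv3 as the worst case.

```python
ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")  # "all", worst case
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

def apache_protocols(tokens):
    """Evaluate SSLProtocol arguments left to right, as mod_ssl's parser does."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = set(ALL) if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:  # a bare name replaces whatever was set before it
            enabled = names
    return enabled

def audit(config_text):
    """Return (line_number, message) findings for Apache or Nginx directives."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        words = raw.split("#", 1)[0].strip().rstrip(";").split()
        if not words:
            continue
        directive, args = words[0].lower(), words[1:]
        # Apache takes TLS 1.3 suite names only with the "TLSv1.3" argument
        if directive == "sslciphersuite" and args and args[0].startswith("TLS_"):
            findings.append((n, "TLS 1.3 suites without TLSv1.3 argument"))
        if directive == "sslprotocol":
            enabled = apache_protocols(args)
        elif directive == "ssl_protocols":
            enabled = set(args)  # Nginx lists exactly what is enabled
        else:
            continue
        for proto in sorted(enabled & LEGACY):
            findings.append((n, f"legacy protocol enabled: {proto}"))
        if "TLSv1.3" not in enabled:
            findings.append((n, "TLS 1.3 not enabled"))
    return findings

# Constructed sample mixing both servers' directives, for illustration only
SAMPLE = """\
SSLProtocol all -SSLv3
SSLCipherSuite TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
ssl_protocols TLSv1.2 TLSv1.3;   # clean: no findings
ssl_protocols TLSv1 TLSv1.2;
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A bare protocol name after another one (for example "SSLProtocol TLSv1.2 TLSv1.3") overrides the earlier value instead of adding to it, which is why the evaluator treats unprefixed names as a replacement.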

Common Configuration Issues

Issue | Cause | Solution
TLS 1.3 not working | Outdated OpenSSL version | Update OpenSSL to 1.1.1+
Connection errors | Incompatible cipher suites | Use recommended cipher configurations
Client compatibility issues | Legacy client support needed | Enable both TLS 1.2 and 1.3

Security Best Practices

  • Always keep OpenSSL and web server software updated to the latest versions

  • Disable older TLS versions (1.0, 1.1) that have known vulnerabilities

  • Use strong cipher suites and prefer server-side cipher ordering when using TLS 1.2

  • Regularly test your SSL/TLS configuration using automated tools

  • Monitor security advisories for any protocol-specific vulnerabilities

Conclusion

Enabling TLS 1.3 in Apache and Nginx significantly improves website security and performance. The process involves verifying software compatibility, updating OpenSSL if necessary, and configuring the appropriate directives. Regular testing ensures your TLS 1.3 implementation remains secure and functional for all supported clients.

Updated on: 2026-03-17T09:01:38+05:30
