How to Enable TLS 1.3 in Apache and Nginx?


With the increasing number of cyber attacks, securing websites and servers has become more important than ever. One of the most essential components of website security is Transport Layer Security (TLS), which encrypts data sent between web servers and clients. TLS 1.3 is the latest version of TLS, offering enhanced security, faster connections, and improved performance compared to previous versions.

The Importance of Enabling TLS 1.3 in Web Servers like Apache and Nginx

Web servers are responsible for handling sensitive information such as login credentials or personal data submitted through forms on websites they host. Enabling the latest version of TLS on web servers helps protect this information from being intercepted or tampered with during transit. Apache and Nginx are two popular open-source web server software packages used by millions worldwide for hosting websites on Linux-based operating systems such as Ubuntu or CentOS among others.

Enabling support for SSL/TLS protocols up-to-date like these packages will help increase security levels by allowing users only communicating with up-to-date cipher suites while accessing your hosted content through HTTPS protocol. In this article we will walk you through the exact steps to enable TLS 1.3 on both Apache and Nginx, so that you can ensure that your web server is using the latest and best encryption protocols available today.

Enabling TLS 1.3 in Apache

Checking Apache version compatibility with TLS 1.3

Before enabling TLS 1.3 in Apache, it is crucial to check whether the current version of Apache supports TLS 1.3. Starting from the version of Apache HTTP server 2.4.36, it has built-in support for TLS 1.3 by default, which means that you don't need to install any additional modules or patches to enable it. To check your current version of Apache HTTP server, open a terminal and run the following command −

apache2ctl -v 

If the output shows a version of Apache HTTP server that is lower than 2.4.36, you will need to upgrade your server before enabling TLS 1.3.

Updating OpenSSL to support TLS 1.3

Once you have verified that your version of Apache HTTP server supports TLS 1.3, the next step is to update OpenSSL to support it as well. OpenSSL is an open-source implementation for SSL and TLS protocols used by many web servers including Apache and Nginx.

To install and enable OpenSSL with TLS 1.3 support on Ubuntu or Debian-based systems run the following commands −

sudo apt-get update 
sudo apt-get install -y libssl-dev openssl cd /usr/local/src/ 
sudo wget sudo tar xzf openssl-1.X.Y.tar.gz && cd openssl-1.X.Y 
sudo ./config && make && make test && sudo make install_sw 

Make sure to replace "X" and "Y" with the appropriate versions of OpenSSL you want to install.

Configuring Apache to enable TLS 1.3

After installing and enabling OpenSSL with TLS 1.3 support, the next step is to configure Apache HTTP server to use it. To enable TLS 1.3 in Apache, you need to add the following lines of code to your SSL configuration file −

SSLProtocol TLSv1.3 
SSLCipherSuite TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 

You can find the SSL configuration file at `/etc/apache2/mods-enabled/ssl.conf` or `/etc/httpd/conf.d/ssl.conf` depending on your system.

Testing the configuration using SSL Labs or other tools

After configuring Apache HTTP server with TLS 1.3 support, it is essential to test the connection using online tools such as SSL Labs. SSL Labs provides a free online tool that checks for potential vulnerabilities in web servers and ranks them according to their security level.

You can use this tool to verify that your Apache HTTP server supports TLS 1.3 and that there are no security risks associated with enabling it. Enabling TLS 1.3 on Apache HTTP server can improve your website's security by providing faster connection speeds and stronger encryption protocols for users' data transmissions.

Enabling TLS 1.3 in Nginx

Checking Nginx version compatibility with TLS 1.3

Before enabling TLS 1.3 in Nginx, it is important to check the version compatibility of your Nginx server with TLS 1.3 protocol. To enable TLS 1.3, you need to have at least version 1.13.0 of Nginx installed on your server as this is the first version that added support for TLS 1.3 protocol. To check the version of your Nginx server, use the following command in your terminal −

nginx -v 

This will show you the current version of your installed Nginx server.

Updating OpenSSL to support TLS 1.3

To enable TLS 1.3 on your Nginx server, you also need to update OpenSSL on your system as it provides cryptographic support for SSL/TLS protocols. Firstly, find out whether you already have OpenSSL installed on your system by using this command −

openssl version -a 

If it returns a result then it means that OpenSSL is already installed on your system along with its currently installed version. To upgrade OpenSSL to its latest stable release with support for TLS 1.3, you can use any relevant package manager such as apt or yum depending on which Linux distribution you are using.

Configuring Nginx to enable TLS 1.3 using the ssl_protocols directive

Once you have updated SSL and confirmed that everything is working fine, it's time now to configure your nginx server to enable TLSv1.2 and/or vTLSv1. The configuration process is quite simple - all we need is just one line `ssl_protocols`, which we will add inside our nginx configuration file.

The location of this file may vary depending on your system. By default, it should be located at `/etc/nginx/nginx.conf`, but it can also be found in `/usr/local/etc/nginx` or `/usr/local/nginx/conf`.

Firstly, open the configuration file using any text editor. Then add the following line in the `http` block −

ssl_protocols TLSv1.3; 

This will enable TLS 1.3 for your Nginx server.

Testing the configuration using SSL Labs or other tools

After configuring and enabling TLS 1.3 on your Nginx server, it's essential to test whether the setup works as expected or not. There are several tools available that you can use to test your SSL/TLS configuration, such as Qualys SSL Labs, High-Tech Bridge’s SSL/TLS Security Scanner, or SSL Server Test by ImmuniWeb.

SSL Server Test by ImmuniWeb is one of the most comprehensive online tools for testing SSL/TLS configuration and provides a detailed report on how well your server performs against different security standards and protocols. To test your Nginx server with this tool, simply visit their website and enter your domain name in the provided field.

Once done, click on "Start Test" to initiate the scanning process. Once completed successfully, you will receive a detailed report showing whether everything is configured correctly or if there are any vulnerabilities detected that require fixing.


Enabling TLS 1.3 in Nginx is a simple process that involves updating OpenSSL to its latest version before configuring nginx to accept traffic over TLSv1.3 protocol using ssl_protocol directive inside nginx configuration files.There are multiple steps involved in enabling TLSv1.3 such as checking Nginx compatibility with this version of protocol , updating OpenSSL library , configuring ssl_protocol directive etc. Once TLSv1.3 is enabled, you should perform a thorough testing of your SSL/TLS configuration to ensure maximum security for your website visitors.

Updated on: 08-Jun-2023


Kickstart Your Career

Get certified by completing the course

Get Started