Upgrading to TLSv1.3: A Step-by-Step Guide
It has been almost six months since we first had the chance to try HTTPS over TLSv1.3. Earlier this year, we ran into several problems when trying to enable TLSv1.3 support on our LNMP server. However, now that CDN providers have introduced TLSv1.3 support, we can officially enable TLSv1.3 on our server. In this article, we'll guide you through the process of upgrading to TLSv1.3 on your LNMP server.
Background
As you may know, TLSv1.3 is the latest version of the Transport Layer Security protocol, offering faster, safer, and more efficient connections. However, its adoption has been slow due to limited support from browser vendors and CDN providers. In fact, just a few months ago, CDN support for TLSv1.3 was rare, and even the client browser support was scarce.
LNMP Environment
We're currently using the LNMP 1.5 official version, which supports TLSv1.3. To enable TLSv1.3 support, we need to upgrade OpenSSL to a version that supports TLSv1.3. OpenSSL has implemented several drafts of TLSv1.3, with Draft 18 and 19 being compatible with many current browsers. In theory, we can upgrade OpenSSL to Draft 18, which would enable TLSv1.3 support on our server.
Upgrading OpenSSL
To upgrade OpenSSL, we need to modify the LNMP configuration file (lnmp.conf) located in the root directory of our LNMP installation. We need to add the following code to the file:
Nginx_Modules_Options='--with-threads --with-openssl=/root/lnmp1.5/src/openssl-master --with-openssl-opt=enable-tls1_3'
Enable_Nginx_Openssl='n'
Enable_PHP_Fileinfo='n'
Enable_Nginx_Lua='n'
These settings tell the Nginx build to compile against the new version of OpenSSL (the source tree in /root/lnmp1.5/src/openssl-master) and to enable TLSv1.3 support in it.
Recompiling Nginx
After modifying the configuration file, we need to recompile Nginx so that TLSv1.3 support takes effect. This can be done by running the following command:
make
Configuring Nginx SSL
Once we’ve recompiled Nginx, we need to configure the SSL settings in the Nginx configuration file (nginx.conf). We need to specify the protocols and algorithms to use for TLSv1.3. This is documented in the article “LNMP Support Process Enabled under TLSv1.3” (refer to the article for detailed instructions).
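One way to confirm that the rebuild and the nginx.conf change took effect, as an added example that is not from the original article or from LNMP. The function names check_build and check_conf and both sample inputs are constructed for illustration; the checks assume the stock `nginx -V` output format and the `ssl_protocols` directive.

```shell
#!/bin/sh
# Added example (not from the original article): audit a rebuilt Nginx for TLSv1.3.
# Live use:  check_build "$(nginx -V 2>&1)"; check_conf "$(cat /path/to/nginx.conf)"

# Succeeds only if `nginx -V` text shows a custom OpenSSL tree plus enable-tls1_3.
check_build() {
    args=$(printf '%s\n' "$1" | sed -n 's/^configure arguments: //p')
    [ -n "$args" ] || { echo "no configure arguments found"; return 2; }
    case " $args" in
        *" --with-openssl="*) ;;
        *) echo "no --with-openssl=: built against the system OpenSSL"; return 1 ;;
    esac
    case "$args" in
        *--with-openssl-opt=*enable-tls1_3*) ;;
        *) echo "enable-tls1_3 missing from --with-openssl-opt"; return 1 ;;
    esac
    printf '%s\n' "$1" | sed -n '/^built with OpenSSL/p'   # library actually linked
}

# Succeeds only if every active (uncommented) ssl_protocols line lists TLSv1.3.
check_conf() {
    active=$(printf '%s\n' "$1" | sed 's/#.*//' |
             grep -E '^[[:space:]]*ssl_protocols[[:space:]]' || true)
    [ -n "$active" ] || { echo "no ssl_protocols directive found"; return 2; }
    bad=$(printf '%s\n' "$active" | grep -v 'TLSv1\.3' || true)
    [ -z "$bad" ] && return 0
    echo "ssl_protocols without TLSv1.3:"; printf '%s\n' "$bad"
    return 1
}

# Constructed sample inputs, labelled as such (not captured from a real server).
SAMPLE_V='nginx version: nginx/X.Y.Z
built with OpenSSL 1.1.1-dev  xx XXX xxxx
configure arguments: --with-http_ssl_module --with-threads --with-openssl=/root/lnmp1.5/src/openssl-master --with-openssl-opt=enable-tls1_3'
SAMPLE_CONF='server {
    listen 443 ssl;
    # ssl_protocols TLSv1.3;
    ssl_protocols TLSv1.2 TLSv1.3;
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}'

check_build "$SAMPLE_V" && echo "build: OK"
check_conf "$SAMPLE_CONF" || echo "config: fix the directive(s) above"
```

A passing build check shows only that TLSv1.3 was compiled in; a browser negotiates it only when it implements the same draft as this OpenSSL build, otherwise the connection falls back to an older protocol version.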
Current OpenSSL Version
As of now, we're using an OpenSSL build that implements TLSv1.3 Draft 23, which is not supported by most browser vendors. However, Microsoft Edge for Android does support TLSv1.3, as shown below:
Microsoft Edge (Android)
Conclusion
Enabling TLSv1.3 support on our server has been a long and challenging process. However, with the recent introduction of TLSv1.3 support by CDN providers, we’re now able to officially enable TLSv1.3 on our server. We hope this article has been helpful in guiding you through the process of upgrading to TLSv1.3 on your LNMP server.