Enabling TLS 1.3

By default, Nginx used by PrivX has been configured to use TLS 1.2, which works with various Nginx and OS versions.
To increase security and reduce latency, you can force web clients to use TLS 1.3.

Enabling TLS 1.3 requires Nginx, which has been built with OpenSSL 1.1.1 (or later) libraries.
RHEL 8 and Rocky Linux 8 operating systems do install compatible version by default.

  1. First, make sure your Nginx version supports TLS 1.3 by running:
$ nginx -V
nginx version: nginx/1.14.1
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC) 
built with OpenSSL 1.1.1 FIPS  11 Sep 2018 (running with OpenSSL 1.1.1c FIPS  28 May 2019)
TLS SNI support enabled

$ openssl ciphers -v | awk '{print $2}' | sort | uniq
  1. If your Nginx version is new enough (OpenSSL 1.1.1 or later), you can enable TLS 1.3 by editing /etc/nginx/conf.d/privx.conf and changing all rows with
    ssl_protocols TLSv1.2;
    ssl_protocols TLSv1.3;
    ssl_protocols TLSv1.2 TLSv1.3;

After this, run "systemctl restart nginx"

By default, Nginx installed from CentOS 7 or RHEL 7 repositories use older OpenSSL version which is not compatible:

$ nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017

To enable TLS 1.3 support on CentOS or RHEL 7, you need to recompile the Nginx (version 1.13.0 or greater) with OpenSSL 1.1.1 libraries.

See https://dev.to/bidhanahdib/how-to-enable-tls-1-3-in-nginx-with-openssl-centos-7-4f4b

Please note that if you compile the Nginx yourself, you need to also take care of Nginx and OpenSSL security updates in the future.

Did this page help you?