Enabling TLS 1.3
By default, the Nginx instance used by PrivX is configured to use TLS 1.2, which works across a wide range of Nginx and OS versions.
To increase security and reduce latency, you can force web clients to use TLS 1.3.
Enabling TLS 1.3 requires an Nginx build linked against OpenSSL 1.1.1 or later.
RHEL 8 and Rocky Linux 8 install a compatible version by default.
- First, make sure your Nginx version supports TLS 1.3 by running:
$ nginx -V
nginx version: nginx/1.14.1
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
built with OpenSSL 1.1.1 FIPS 11 Sep 2018 (running with OpenSSL 1.1.1c FIPS 28 May 2019)
TLS SNI support enabled
$ openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1
TLSv1.2
TLSv1.3
- If your Nginx build is new enough (OpenSSL 1.1.1 or later), you can enable TLS 1.3 by editing /etc/nginx/conf.d/privx.conf and changing every line that reads
ssl_protocols TLSv1.2;
to
ssl_protocols TLSv1.3;
or
ssl_protocols TLSv1.2 TLSv1.3;
After this, run "systemctl restart nginx".
By default, the Nginx packages in the CentOS 7 and RHEL 7 repositories are built against an older OpenSSL version that is not compatible:
$ nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
To enable TLS 1.3 support on CentOS 7 or RHEL 7, you need to recompile Nginx (version 1.13.0 or later) against OpenSSL 1.1.1 libraries.
See https://dev.to/bidhanahdib/how-to-enable-tls-1-3-in-nginx-with-openssl-centos-7-4f4b
Please note that if you compile Nginx yourself, you also have to take care of Nginx and OpenSSL security updates in the future.
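The version check and the privx.conf edit above, as an added shell example that is not part of PrivX or the original page: it parses the text that "nginx -V 2>&1" prints (both the RHEL 8 and the CentOS 7 outputs shown above are embedded as constructed samples), applies the two requirements the page states (Nginx 1.13.0 or later, OpenSSL 1.1.1 or later), and rewrites the ssl_protocols lines. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not PrivX's own tooling: decide from `nginx -V 2>&1` output
# whether this build can serve TLS 1.3, then apply the privx.conf change.

# version_ge A B: succeed when dotted version A is >= B. Non-numeric
# suffixes ("1.1.1c", "1.0.2k-fips") are dropped before comparing.
version_ge() {
  a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
  b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
  lowest=$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$b" ]
}

# tls13_capable "<nginx -V output>": succeed when nginx >= 1.13.0 was built
# with OpenSSL >= 1.1.1; status 2 when the text cannot be parsed.
tls13_capable() {
  nginx_ver=$(printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p')
  ssl_ver=$(printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][0-9a-z.-]*\).*/\1/p')
  [ -n "$nginx_ver" ] && [ -n "$ssl_ver" ] || return 2
  version_ge "$nginx_ver" 1.13.0 && version_ge "$ssl_ver" 1.1.1
}

# enable_tls13 FILE: rewrite every "ssl_protocols TLSv1.2;" line as
# "ssl_protocols TLSv1.2 TLSv1.3;" (already updated lines are left alone).
enable_tls13() {
  tmp=$(mktemp) || return 1
  sed 's/^\([[:space:]]*ssl_protocols\)[[:space:]]*TLSv1\.2;/\1 TLSv1.2 TLSv1.3;/' "$1" > "$tmp" &&
    cat "$tmp" > "$1"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Constructed samples, copied from the page's RHEL 8 and CentOS 7 outputs.
RHEL8_NGINX_V='nginx version: nginx/1.14.1
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
built with OpenSSL 1.1.1 FIPS 11 Sep 2018 (running with OpenSSL 1.1.1c FIPS 28 May 2019)
TLS SNI support enabled'
CENTOS7_NGINX_V='nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017'
report() {  # report LABEL "<nginx -V output>"
  if tls13_capable "$2"; then echo "$1: TLS 1.3 can be enabled"
  else echo "$1: recompile Nginx against OpenSSL 1.1.1 or later"; fi
}
report "RHEL 8 sample" "$RHEL8_NGINX_V"
report "CentOS 7 sample" "$CENTOS7_NGINX_V"
# On a real host, once tls13_capable "$(nginx -V 2>&1)" succeeds:
#   enable_tls13 /etc/nginx/conf.d/privx.conf && nginx -t && systemctl restart nginx
```

Running "nginx -t" before the restart validates the edited configuration, so a typo in privx.conf does not take the PrivX web interface down.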