TLSv1.3 With nginx


I’ve already deployed TLSv1.3 on this server, so you can verify it yourself in the Security panel of your browser’s developer tools (in Chrome: DevTools, Security tab, which shows the negotiated protocol and cipher suite).

Notice

TLSv1.3 support is not enabled by default in most browsers. In Google Chrome, for example, you may need to turn it on manually at chrome://flags/#tls13-variant and pick the draft that matches the server. The draft number matters: a client and server only negotiate TLSv1.3 when they implement the same draft (each draft advertises a different supported_versions value), so a draft-18 build will not speak TLSv1.3 to clients that implement a later draft or the final RFC 8446 protocol; those clients silently fall back to TLSv1.2.

Clone the OpenSSL tls1.3-draft-18 branch:

$ git clone -b tls1.3-draft-18 --single-branch https://github.com/openssl/openssl.git openssl

Then compile nginx against that OpenSSL tree (nginx 1.13.0 or later is required for TLSv1.3 in ssl_protocols; enable-tls1_3 is passed through to OpenSSL’s configure):

$ wget -c https://nginx.org/download/nginx-1.13.4.tar.gz
$ tar zxf nginx-1.13.4.tar.gz

$ cd nginx-1.13.4/

$ ./configure --with-openssl=PATH_TO_CLONED_OPENSSL --with-openssl-opt='enable-tls1_3' --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module

$ make
$ sudo make install

If you’d like to use systemctl to manage nginx, place a unit file like the following at /usr/lib/systemd/system/nginx.service (or /etc/systemd/system/nginx.service for a locally managed unit). The paths in it assume the binary at /usr/sbin/nginx and the pid file at /run/nginx.pid; the configure line above installs to /usr/local/nginx/sbin/nginx and writes /usr/local/nginx/logs/nginx.pid by default, so either add --sbin-path=/usr/sbin/nginx --pid-path=/run/nginx.pid to ./configure or adjust the unit. start-stop-daemon is a Debian/Ubuntu tool; on other distributions use ExecStop=/bin/kill -s QUIT $MAINPID instead.

# Stop dance for nginx
# =======================
#
# ExecStop sends SIGQUIT (graceful stop) to the nginx master process.
# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
# and sends SIGTERM (fast shutdown) to the main process.
# After another 5s (TimeoutStopSec=5), if nginx is still alive, systemd sends
# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
#
# nginx signals reference doc:
# https://nginx.org/en/docs/control.html
#
[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=man:nginx(8)
After=network.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed

[Install]
WantedBy=multi-user.target

Then enable TLSv1.3 in nginx.conf by updating ssl_protocols and ssl_ciphers. The TLS13-* names below are the suite names used by the draft branch (OpenSSL 1.1.1 final renamed them TLS_AES_256_GCM_SHA384 and so on, and no longer accepts them through ssl_ciphers; they are set with a separate ciphersuites list, which nginx exposes as ssl_conf_command Ciphersuites from 1.19.4). Note that this list still permits TLSv1 and TLSv1.1 as well as static-RSA key exchange and 3DES, which offer no forward secrecy and are only worth keeping for very old clients:

ssl_protocols              TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers                TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
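As an added example that is not part of the original post, here is the configuration above beside a tightened version for the same draft-18 build: TLSv1.2 and TLSv1.3 only, forward-secret AEAD suites only, and the TLSv1.3 suites listed first. The server_name and certificate paths are assumptions; the TLS13-* suite names are the draft-branch names used on this page.

```nginx
server {
    listen 443 ssl http2;
    server_name example.com;                          # assumption: your hostname
    ssl_certificate     /etc/nginx/tls/fullchain.pem; # assumption: cert + chain
    ssl_certificate_key /etc/nginx/tls/privkey.pem;   # assumption: private key

    # Weak (as on the page): legacy protocols, static-RSA key exchange, 3DES.
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    # ssl_ciphers   TLS13-AES-256-GCM-SHA384:...:RSA+AES128:...:RSA+3DES:!MD5;

    # Corrected: only protocols with modern AEAD suites and forward secrecy.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # TLSv1.3 suites (draft-branch names) first, then ECDHE AEAD suites for TLSv1.2.
    # Nothing here uses RSA key exchange, CBC, 3DES or MD5.
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+CHACHA20:EECDH+aRSA+CHACHA20;

    # Prefer X25519 for the ECDHE key share, with P-256 as fallback.
    ssl_ecdh_curve X25519:secp256r1;

    # Session resumption via a server-side cache; tickets off so a single
    # long-lived ticket key cannot undo forward secrecy for past sessions.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
}
```

After reloading, confirm what was actually negotiated rather than trusting the config: the Security panel in the browser, or openssl s_client -connect example.com:443 built from the same draft-18 tree, should report TLSv1.3 with one of the TLS13-* suites, and a TLSv1.2 client should land on an ECDHE AEAD suite.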
