This guide shows how to enable the latest Transport Layer Security (TLS) 1.3 protocol (TLS is the successor to Secure Sockets Layer (SSL)) with NGINX and OpenSSL, for better website security on an Ubuntu 16.04 server.
I have a number of guides on moving hosting away from cPanel, setting up VMs on AWS, Vultr or Digital Ocean, and installing and managing WordPress from the command line. Keeping your server up to date and running the latest SSL software is important. I have updated OpenSSL before and blogged about it here. Do back up your server before changing settings, and if you use Cloudflare (if you don't, set it up now), enable Development Mode and disable caching until the changes are made.
For the best-performing VM host (UpCloud), read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).
TLS 1.3 is the latest version of the security protocol (formerly SSL) used between clients and servers to encrypt connections on the web.
Browser uptake of TLS 1.3 is only 60% according to https://caniuse.com/#search=TLS%201.3
Read about why TLS 1.3 is important, and find TLS 1.3 news, here: https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/
The Good and Bad
Don't be like this commercial site with very poor security (tested with SSL Labs and ASafaWeb).
Here is what the top 1 million sites do:
Here it is!! Alexa Top 1 Million Analysis – February 2018 https://t.co/TjBHNX7zTi
— Scott Helme (@Scott_Helme) February 26, 2018
Installing Open SSL on Ubuntu
Connect to your Ubuntu 16.04 server via SSH (I connected to my Vultr server).
Check what version of OpenSSL you have. My OpenSSL was out of date.
Tip: what ciphers does your OpenSSL support?
Time to update OpenSSL
OpenSSL 1.1.1 beta is available and supports TLS 1.3, but it is in beta form. The OpenSSL code is available here.
I did the following to download and build the latest version of OpenSSL.
I tried to check the OpenSSL version but had an error.
A quick GitHub ticket revealed I needed to set a path variable.
OpenSSL now reports its version.
What version of NGINX do you have? (NGINX 1.13 supports TLS 1.3; read here.)
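The version and cipher checks from the two tips above, together with the build-and-path steps just described, as one added example. This is my script, not the post's own commands: it assumes a private install prefix of /usr/local/ssl (so the distro's OpenSSL, which apt depends on, stays untouched), a script name of tls13-openssl.sh, and that the "path variable" the post mentions is the dynamic loader's library search path (LD_LIBRARY_PATH), which is what a freshly built OpenSSL in a non-default prefix needs before `openssl version` will run. The version strings used to exercise the parser are constructed.

```shell
#!/bin/sh
# tls13-openssl.sh (added example, not from the original post)
#   sh tls13-openssl.sh check   -> is the installed OpenSSL TLS 1.3 capable?
#   sh tls13-openssl.sh build   -> build OpenSSL from source into $OPENSSL_PREFIX
#   . ./tls13-openssl.sh && use_new_openssl   -> point PATH/LD_LIBRARY_PATH at it

# Returns 0 when the string given (the output of `openssl version`) names
# OpenSSL 1.1.1 or later, the first release with TLS 1.3 support.
# Pre-release strings such as "1.1.1-pre6-dev" count as 1.1.1.
openssl_version_supports_tls13() {
    ver_name=$(printf '%s\n' "$1" | awk '{print $1}')
    ver_num=$(printf '%s\n' "$1" | awk '{print $2}')
    # LibreSSL and BoringSSL use their own numbering; never compare those.
    [ "$ver_name" = "OpenSSL" ] || return 1
    major=${ver_num%%.*}
    rest=${ver_num#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    # Strip the patch letter or pre-release suffix: "2g" -> "2", "1-pre6-dev" -> "1".
    patch=$(printf '%s\n' "$rest" | sed 's/[^0-9].*$//')
    [ -n "$major" ] && [ -n "$minor" ] && [ -n "$patch" ] || return 1
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ]; then return 0; fi
    return 1
}

# Reads `openssl ciphers -v` output on stdin and prints how many suites are
# listed for TLSv1.3 (the second column is the protocol; 1.0.x lists none).
count_tls13_suites() {
    awk '$2 == "TLSv1.3" { n++ } END { print n + 0 }'
}

# Report on whatever `openssl` is first in PATH.
check_installed_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found in PATH"
        return 1
    fi
    v=$(openssl version)
    echo "Installed: $v"
    if openssl_version_supports_tls13 "$v"; then
        echo "Version is new enough for TLS 1.3"
    else
        echo "Version predates TLS 1.3 support (needs OpenSSL 1.1.1 or later)"
    fi
    n=$(openssl ciphers -v 2>/dev/null | count_tls13_suites)
    echo "TLS 1.3 cipher suites reported by 'openssl ciphers -v': $n"
}

# Clone and build the current OpenSSL development branch into a private
# prefix (assumption: /usr/local/ssl) so the system OpenSSL is left alone.
build_openssl() {
    src_dir="${OPENSSL_SRC:-$HOME/openssl-src}"
    prefix="${OPENSSL_PREFIX:-/usr/local/ssl}"
    git clone --depth 1 https://github.com/openssl/openssl.git "$src_dir"
    cd "$src_dir" || return 1
    ./config --prefix="$prefix" --openssldir="$prefix" shared
    make -j"$(nproc)"
    make test              # OpenSSL's own test suite; worth running on a beta
    sudo make install_sw   # binaries and libraries only, no man pages
}

# The new binary is linked against its own libssl/libcrypto in $prefix/lib.
# Until the loader knows that directory, `openssl version` fails with a
# "cannot open shared object file" error; exporting LD_LIBRARY_PATH fixes it
# (assumption: this is the path variable the post refers to).
use_new_openssl() {
    prefix="${OPENSSL_PREFIX:-/usr/local/ssl}"
    PATH="$prefix/bin:$PATH"; export PATH
    LD_LIBRARY_PATH="$prefix/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"; export LD_LIBRARY_PATH
}

case "${1:-}" in
    check) check_installed_openssl ;;
    build) build_openssl ;;
    *)     : ;;   # no action given: only define the functions (e.g. when sourced)
esac
```

Run `sh tls13-openssl.sh check` before and after the build: on a stock Ubuntu 16.04 box the first run reports OpenSSL 1.0.2 and zero TLSv1.3 suites; after `build` and `. ./tls13-openssl.sh && use_new_openssl` in the same shell it should report the 1.1.1 pre-release and the TLS 1.3 suites. The LD_LIBRARY_PATH export only lasts for that shell session, so put it in your profile or register the directory with ldconfig if the new binary is meant to be the default.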
Backup your NGINX
Do back up your server files and take a snapshot if need be. I am not responsible for a broken server.
Edit NGINX Configuration
Update the NGINX configuration file: /etc/nginx/sites-available/default
Tip: review other NGINX hardening settings here. Also remove TLSv1.0.
I tested my NGINX config, loaded it and restarted NGINX.
Check the status of NGINX
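A server block for the steps above, as an added example rather than the post's own configuration. The hostname and certificate paths are placeholders; the weak `ssl_protocols` line is shown commented out beside the hardened one. Dropping TLSv1.0 is what the post asks for; dropping TLSv1.1 as well is my choice here. For `TLSv1.3` to actually be negotiated, NGINX (1.13 or later) must be built against the OpenSSL 1.1.1 you just installed; `nginx -V` prints which OpenSSL it was built with, and a package from Ubuntu's repository is linked to the system 1.0.2.

```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;                                 # placeholder hostname

    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # Before: the old block still offered TLSv1.0, which the post says to remove.
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # After: TLSv1.3 added; TLSv1.0 dropped as the post says, TLSv1.1 dropped too.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites: forward-secret ECDHE with AEAD ciphers only.
    # TLS 1.3 suites are not controlled by ssl_ciphers; NGINX 1.13 uses OpenSSL's defaults.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Session resumption via a server-side cache; tickets off until the key is rotated regularly.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # HSTS: browsers will refuse to fall back to plain HTTP for two years.
    add_header Strict-Transport-Security "max-age=63072000" always;

    root /var/www/html;
    index index.html;
}

# Plain HTTP only redirects to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

Check the syntax before reloading: `sudo nginx -t`, then `sudo systemctl restart nginx` and `systemctl status nginx`. From a machine whose OpenSSL is 1.1.1 or later, `openssl s_client -connect example.com:443 -tls1_3` prints `Protocol  : TLSv1.3` in its session summary when the handshake succeeds, and fails to connect if the server still only offers TLS 1.2.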
If you have configured Cloudflare then log in and enable TLS support.
Enable TLS 1.3 in Chrome by visiting chrome://flags/#tls13-variant. This should be automatic in later versions of Chrome and other browsers.
Verify TLS
I used the developer tools in Chrome to confirm the page was verified in TLS 1.3.
Updated to 1.1.1-pre6-dev
Don’t forget to test your SSL strength with https://dev.ssllabs.com/ssltest/
I hope this guide helps someone.
Revision History
v1.4 fixed typo
v1.3 added bad ssl cert.
v1.2 ssl test
v1.1 updated to 1.1.1-pre6-dev
v1.0 Initial post