Background Reading: Understanding Different Types of Problems in Crypto.

TLS 1.3 Configuration

Last Updated Sun, 15 Apr 2018 2:02:01 -0400

What to expect:

Concept: TLSv1.3 is new. As discussed on the landing page, legacy mechanisms that enabled known attacks on earlier versions have been removed from the protocol, and there are no known vulnerabilities in the current version. We nevertheless recommend reading through this page to understand why and when to upgrade.

Examples for Enabling TLSv1.3:

We have categorized the examples into two sections: Webservers and Browsers.

    Webservers:

    TLS 1.3 is supported in Nginx starting with version 1.13.0, and only when Nginx is built against an OpenSSL library that implements TLS 1.3 (OpenSSL 1.1.1 or later; `nginx -V` shows both versions). If you are running an older version of either, upgrade first.

    Nginx:
    • Login to Nginx server
    • Take a backup of nginx.conf file
    • Modify nginx.conf using vi or your favorite editor

    The default configuration under SSL settings should look like this:
    ...
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ...
    


    Add TLSv1.3 at the end of the line, and so it looks like below:
    ...
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ...
    
    With this line Nginx accepts TLS 1.0 through TLS 1.3 and no SSLv2/SSLv3. TLS 1.0 and 1.1 stay enabled only because they were already in the default line; drop them if you no longer need to serve legacy clients. Check the configuration and restart:
    
    $ sudo nginx -t
    $ sudo service nginx restart
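    The following script is an added example written for this page; it is not code from the original page or from the Nginx project. It automates the two checks in the procedure above: it parses `nginx -V` output to confirm the build is new enough (Nginx 1.13.0 or later, built against OpenSSL 1.1.1 or later), and it audits and rewrites the `ssl_protocols` line, optionally dropping TLSv1/TLSv1.1 as well. The sample `nginx -V` output and configuration embedded below are constructed, and the function names are the example's own.

```python
"""Pre-flight checks for enabling TLSv1.3 in Nginx (added example, not from the page)."""
import re

MIN_NGINX = (1, 13, 0)    # "TLSv1.3" parameter of ssl_protocols appeared in nginx 1.13.0
MIN_OPENSSL = (1, 1, 1)   # first OpenSSL release that implements TLS 1.3
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Matches a (non-commented) ssl_protocols directive; indent excludes newlines so
# line numbers and rewrites stay on the directive's own line.
PROTO_RE = re.compile(r"^(?P<indent>[ \t]*)ssl_protocols[ \t]+(?P<protos>[^;]+);", re.M)

# Constructed sample input: an Nginx that is new enough but linked against OpenSSL 1.1.0.
SAMPLE_NGINX_V = """\
nginx version: nginx/1.13.12
built by gcc 7.3.0 (Ubuntu 7.3.0-16ubuntu3)
built with OpenSSL 1.1.0g  2 Nov 2017
TLS SNI support enabled
"""

# Constructed sample config with the default protocol line from the page.
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/key.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""


def parse_version(text):
    """'1.13.12' -> (1, 13, 12); letter suffixes such as '1.1.1a' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(x) for x in m.groups())


def check_build(nginx_v_output):
    """Inspect `nginx -V` output (it is printed on stderr). Returns (ok, reasons)."""
    reasons = []
    m = re.search(r"nginx version: nginx/(\S+)", nginx_v_output)
    if not m:
        return False, ["could not find nginx version"]
    if parse_version(m.group(1)) < MIN_NGINX:
        reasons.append("nginx %s is older than 1.13.0" % m.group(1))
    m = re.search(r"built with OpenSSL (\S+)", nginx_v_output)
    if not m:
        reasons.append("not built with OpenSSL (or version not reported)")
    elif parse_version(m.group(1)) < MIN_OPENSSL:
        reasons.append("OpenSSL %s predates 1.1.1, no TLS 1.3 support" % m.group(1))
    return (not reasons), reasons


def audit_protocols(conf):
    """Return [(line_no, protocols, findings)] for each ssl_protocols directive."""
    results = []
    for m in PROTO_RE.finditer(conf):
        protos = m.group("protos").split()
        line_no = conf.count("\n", 0, m.start()) + 1
        findings = []
        if "TLSv1.3" not in protos:
            findings.append("TLSv1.3 not enabled")
        legacy = [p for p in protos if p in LEGACY]
        if legacy:
            findings.append("legacy protocols enabled: " + " ".join(legacy))
        results.append((line_no, protos, findings))
    return results


def rewrite_protocols(conf, drop_legacy=False):
    """Append TLSv1.3 to every ssl_protocols line; optionally drop SSLv*/TLSv1/TLSv1.1."""
    def fix(m):
        protos = m.group("protos").split()
        if drop_legacy:
            protos = [p for p in protos if p not in LEGACY]
        if "TLSv1.3" not in protos:
            protos.append("TLSv1.3")
        return "%sssl_protocols %s;" % (m.group("indent"), " ".join(protos))
    return PROTO_RE.sub(fix, conf)


if __name__ == "__main__":
    ok, reasons = check_build(SAMPLE_NGINX_V)
    print("build ok:", ok, reasons)
    for line_no, protos, findings in audit_protocols(SAMPLE_CONF):
        print("line %d: %s -> %s" % (line_no, " ".join(protos), findings or "ok"))
    print(rewrite_protocols(SAMPLE_CONF, drop_legacy=True))
```

    To use it on a real host, feed the functions the output of `nginx -V 2>&1` and the contents of nginx.conf instead of the constructed samples. After `nginx -t` and the restart, confirm that the server actually negotiates TLS 1.3 from a client with OpenSSL 1.1.1 or later, for example `openssl s_client -connect yourhost:443 -tls1_3`, which fails the handshake if only older versions are offered.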
    
    
    Browsers:

    • Firefox Nightly
      • Install and run Firefox nightly: https://nightly.mozilla.org/
      • Enter "about:config" in the address bar
      • Set security.tls.version.max from 3 to 4 (3 caps the client at TLS 1.2, 4 allows TLS 1.3)
      • Restart the browser

    • Chrome Canary
      • Install and run Chrome Canary: https://www.google.com/chrome/browser/canary.html
      • Enter "chrome://flags/" in the address bar
      • Go to "Maximum TLS version enabled." and select "TLS 1.3"
      • Restart the browser


    • To test whether a server negotiates TLSv1.3, use the SSL Labs server test: https://www.ssllabs.com/ssltest/

Upgrade/Patch Management

Concept: TLSv1.3 is a relatively new protocol and many products are still adding support for it. At this point the main decision is whether to enable TLSv1.3 at all, rather than which TLSv1.3 upgrades to apply. But because the protocol is still an IETF draft at the time of writing, expect changes to it, and therefore expect upgrades and patches to the software that implements it. As always, read the product-specific advisories before taking any decision.

Note: Keep an eye on this section, as it will be kept up to date with any major patches that are released.

Some examples of advisories that you can find:
https://forum.nginx.org/read.php?27,273840,273840#msg-273840
https://community.akamai.com/community/web-performance/blog/2017/10/25/get-ready-for-tls-13