How to Enable TLS 1.3 in Apache and Nginx on Ubuntu and CentOS

It’s crucial for webmasters and server administrators to stay updated with the latest protocols and technologies. One such technology is Transport Layer Security (TLS) 1.3, the most recent version of the protocol that ensures secure communication over a computer network.

TLS 1.3 offers several improvements over its predecessor, TLS 1.2, including enhanced security and faster connection times. However, enabling it requires careful configuration of your web server. Whether you’re using Apache or Nginx, this guide will walk you through the process of enabling TLS 1.3 in Apache and Nginx on two popular Linux distributions (Ubuntu and CentOS) step by step.

Before we dive into the tutorial, note that this guide assumes you have a basic understanding of the Linux command line and are familiar with web server administration. You should also have already installed Apache or Nginx on your Ubuntu or CentOS server. If you’re still in the process of choosing a web server, you can refer to our guide on the best web servers.

Remember, the type of hosting you choose can also impact your server’s performance. Whether it’s a dedicated server, a VPS server, cloud hosting, or shared hosting, each has its own advantages and considerations.

Now, let’s get started with enabling TLS 1.3 on your Apache or Nginx server.

Enabling TLS 1.3 in Apache on Ubuntu

Before we start, it’s important to ensure that your server’s software is up to date. TLS 1.3 support was added in Apache 2.4.36 and OpenSSL 1.1.1, so you’ll need to be running these versions or later.

Step 1: Update Your System

First, log in to your Ubuntu server and update the system packages. You can do this by running the following commands:

sudo apt-get update
sudo apt-get upgrade

Step 2: Check Apache and OpenSSL Version

Next, check your Apache and OpenSSL versions to ensure they support TLS 1.3. Run the following commands:

apachectl -v
openssl version

If your Apache version is earlier than 2.4.36 or your OpenSSL version is earlier than 1.1.1, you’ll need to update them.

Step 3: Update Apache and OpenSSL (if necessary)

If you need to update Apache, run:

sudo apt-get install apache2

To update OpenSSL, run:

sudo apt-get install openssl

Step 4: Configure Apache to Use TLS 1.3

Once you’ve confirmed that your Apache and OpenSSL versions support TLS 1.3, you’ll need to configure Apache to use it. Open the Apache configuration file in a text editor. The location of this file may vary depending on your setup, but it’s typically located at /etc/apache2/apache2.conf. You can open it with the nano text editor like so:

sudo nano /etc/apache2/apache2.conf

In the configuration file, find the section that begins with <VirtualHost *:443>. In this section, add or modify the SSLProtocol line to include TLSv1.3:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3

This line starts from all protocols the build supports, removes SSLv2, SSLv3, TLSv1, and TLSv1.1 with the - entries, and explicitly adds TLSv1.2 and TLSv1.3 with the + entries, so only TLSv1.2 and TLSv1.3 remain enabled.

Save and close the file when you’re done.

Step 5: Restart Apache

Finally, you’ll need to restart Apache for your changes to take effect. You can do this with the following command:

sudo systemctl restart apache2

Congratulations! You’ve successfully enabled TLS 1.3 in Apache on Ubuntu.

Enabling TLS 1.3 in Apache on CentOS

The process of enabling TLS 1.3 in Apache on CentOS is similar to Ubuntu, but with a few differences due to the different package management systems and default configurations.

Step 1: Update Your System

As with Ubuntu, the first step is to update your system packages. On CentOS, you can do this with the following commands:

sudo yum update
sudo yum upgrade

Step 2: Check Apache and OpenSSL Version

Next, check your Apache and OpenSSL versions to ensure they support TLS 1.3. Run the following commands:

httpd -v
openssl version

If your Apache version is earlier than 2.4.36 or your OpenSSL version is earlier than 1.1.1, you’ll need to update them.

Step 3: Update Apache and OpenSSL (if necessary)

If you need to update Apache, run:

sudo yum install httpd

To update OpenSSL, run:

sudo yum install openssl

Step 4: Configure Apache to Use TLS 1.3

Once you’ve confirmed that your Apache and OpenSSL versions support TLS 1.3, you’ll need to configure Apache to use it. Open the Apache configuration file in a text editor. The location of this file may vary depending on your setup, but it’s typically located at /etc/httpd/conf/httpd.conf. You can open it with the nano text editor like so:

sudo nano /etc/httpd/conf/httpd.conf

In the configuration file, find the section that begins with <VirtualHost *:443>. In this section, add or modify the SSLProtocol line to include TLSv1.3:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3

This line starts from all protocols the build supports, removes SSLv2, SSLv3, TLSv1, and TLSv1.1 with the - entries, and explicitly adds TLSv1.2 and TLSv1.3 with the + entries, so only TLSv1.2 and TLSv1.3 remain enabled.

Save and close the file when you’re done.

Step 5: Restart Apache

Finally, you’ll need to restart Apache for your changes to take effect. You can do this with the following command:

sudo systemctl restart httpd

Congratulations! You’ve successfully enabled TLS 1.3 in Apache on CentOS.
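
How the + and - entries of the SSLProtocol line combine, as an added example that is not part of the original guide or of Apache's own code. It uses a simplified model of the evaluation; ALL_PROTOCOLS, effective_protocols and audit_protocols are hypothetical names, and the expansion of "all" is an assumption about a build linked against OpenSSL 1.1.1.

```shell
#!/bin/sh
# Assumption: with OpenSSL 1.1.1, "all" expands to the protocols below; the
# exact set depends on how the OpenSSL build was configured.
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# effective_protocols ARGS: print the protocol set an SSLProtocol line leaves
# enabled. Simplified model: "-X" removes X, "+X" adds X, a bare X replaces
# the whole set. SSLv2 is never listed because Apache 2.4 does not offer it.
effective_protocols() (
    enabled=""
    for tok in $1; do
        case $tok in
            -*) op=del; names=${tok#-} ;;
            +*) op=add; names=${tok#+} ;;
            *)  op=add; names=$tok; enabled="" ;;
        esac
        if [ "$names" = all ]; then names=$ALL_PROTOCOLS; fi
        for p in $names; do
            kept=""
            for q in $enabled; do
                if [ "$q" != "$p" ]; then kept="$kept $q"; fi
            done
            if [ "$op" = add ]; then kept="$kept $p"; fi
            enabled=$kept
        done
    done
    out=""
    for p in $ALL_PROTOCOLS; do
        case " $enabled " in *" $p "*) out="$out $p" ;; esac
    done
    echo "${out# }"
)

# audit_protocols ARGS: fail when anything older than TLSv1.2 stays enabled
# or TLSv1.3 is missing.
audit_protocols() (
    eff=$(effective_protocols "$1")
    case " $eff " in
        *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*) echo "WEAK   $eff"; exit 1 ;;
        *" TLSv1.3 "*) echo "OK     $eff" ;;
        *) echo "NO 1.3 $eff"; exit 1 ;;
    esac
)

audit_protocols "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3"  # the guide's line
audit_protocols "all -SSLv3" || true   # constructed: TLSv1 and TLSv1.1 stay on
audit_protocols "TLSv1.2" || true      # constructed: bare token, no TLSv1.3
```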

Enabling TLS 1.3 in Nginx on Ubuntu

Now that we’ve covered Apache, let’s move on to enabling TLS 1.3 in Nginx. We’ll start with Ubuntu.

Step 1: Update Your System

As always, start by updating your system packages. On Ubuntu, you can do this with the following commands:

sudo apt-get update
sudo apt-get upgrade

Step 2: Check Nginx and OpenSSL Version

Next, check your Nginx and OpenSSL versions to ensure they support TLS 1.3. Run the following commands:

nginx -v
openssl version

If your Nginx version is earlier than 1.13.0 or your OpenSSL version is earlier than 1.1.1, you’ll need to update them.

Step 3: Update Nginx and OpenSSL (if necessary)

If you need to update Nginx, run:

sudo apt-get install nginx

To update OpenSSL, run:

sudo apt-get install openssl

Step 4: Configure Nginx to Use TLS 1.3

Once you’ve confirmed that your Nginx and OpenSSL versions support TLS 1.3, you’ll need to configure Nginx to use it. Open the Nginx configuration file in a text editor. The location of this file may vary depending on your setup, but it’s typically located at /etc/nginx/nginx.conf. You can open it with the nano text editor like so:

sudo nano /etc/nginx/nginx.conf

In the configuration file, find the section that begins with server { and includes listen 443 ssl;. In this section, add or modify the ssl_protocols line to include TLSv1.3:

ssl_protocols TLSv1.2 TLSv1.3;

This line tells Nginx to accept only TLSv1.2 and TLSv1.3.

Save and close the file when you’re done.

Step 5: Restart Nginx

Finally, you’ll need to restart Nginx for your changes to take effect. You can do this with the following command:

sudo systemctl restart nginx

Congratulations! You’ve successfully enabled TLS 1.3 in Nginx on Ubuntu.

Enabling TLS 1.3 in Nginx on CentOS

Finally, let’s cover how to enable TLS 1.3 in Nginx on CentOS.

Step 1: Update Your System

Start by updating your system packages. On CentOS, you can do this with the following commands:

sudo yum update
sudo yum upgrade

Step 2: Check Nginx and OpenSSL Version

Next, check your Nginx and OpenSSL versions to ensure they support TLS 1.3. Run the following commands:

nginx -v
openssl version

If your Nginx version is earlier than 1.13.0 or your OpenSSL version is earlier than 1.1.1, you’ll need to update them.

Step 3: Update Nginx and OpenSSL (if necessary)

If you need to update Nginx, run:

sudo yum install nginx

To update OpenSSL, run:

sudo yum install openssl

Step 4: Configure Nginx to Use TLS 1.3

Once you’ve confirmed that your Nginx and OpenSSL versions support TLS 1.3, you’ll need to configure Nginx to use it. Open the Nginx configuration file in a text editor. The location of this file may vary depending on your setup, but it’s typically located at /etc/nginx/nginx.conf. You can open it with the nano text editor like so:

sudo nano /etc/nginx/nginx.conf

In the configuration file, find the section that begins with server { and includes listen 443 ssl;. In this section, add or modify the ssl_protocols line to include TLSv1.3:

ssl_protocols TLSv1.2 TLSv1.3;

This line tells Nginx to accept only TLSv1.2 and TLSv1.3.

Save and close the file when you’re done.

Step 5: Restart Nginx

Finally, you’ll need to restart Nginx for your changes to take effect. You can do this with the following command:

sudo systemctl restart nginx

Congratulations! You’ve successfully enabled TLS 1.3 in Nginx on CentOS.
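
The Step 2 version checks in the four procedures above can be scripted. This added example (not from the original guide) compares each tool's version output against the minimums the guide states; the function names are hypothetical and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Minimum versions stated in this guide.
MIN_APACHE=2.4.36; MIN_NGINX=1.13.0; MIN_OPENSSL=1.1.1

# extract_version TEXT: print the first x.y.z number found in a tool's version output.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# version_ge A B: succeed when A >= B, comparing each dotted field as a number
# (a plain string comparison would rank 2.4.6 above 2.4.36).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_prereq NAME MINIMUM TEXT: report whether the version in TEXT meets MINIMUM.
check_prereq() {
    found=$(extract_version "$3")
    if [ -n "$found" ] && version_ge "$found" "$2"; then
        echo "OK   $1 $found (needs >= $2)"
    else
        echo "FAIL $1 ${found:-unknown} (needs >= $2)"
        return 1
    fi
}

# Constructed sample outputs. On a real host pass "$(apachectl -v)" (httpd -v
# on CentOS), "$(nginx -v 2>&1)" (nginx prints to stderr) and "$(openssl version)".
check_prereq apache  "$MIN_APACHE"  'Server version: Apache/2.4.6 (CentOS)' || true
check_prereq nginx   "$MIN_NGINX"   'nginx version: nginx/1.18.0 (Ubuntu)' || true
check_prereq openssl "$MIN_OPENSSL" 'OpenSSL 1.0.2k-fips  26 Jan 2017' || true
```

Note that openssl version reports the command-line tool; nginx -V additionally prints the OpenSSL release the nginx binary was built with.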

Commands Mentioned

Throughout this tutorial, we’ve used several commands to update system packages, check and update Apache, Nginx, and OpenSSL versions, and configure and restart the web servers. Here’s a brief description of each command:

  • sudo apt-get update – Updates the list of available packages and their versions, but it does not install or upgrade any packages.
  • sudo apt-get upgrade – Installs newer versions of the packages you have. After updating the lists, the package manager knows about available updates for the software you have installed.
  • apachectl -v – Checks the version of Apache.
  • openssl version – Checks the version of OpenSSL.
  • sudo apt-get install apache2 – Installs or updates Apache on Ubuntu.
  • sudo apt-get install openssl – Installs or updates OpenSSL on Ubuntu.
  • sudo systemctl restart apache2 – Restarts Apache on Ubuntu.
  • sudo yum update – Updates the list of available packages and their versions on CentOS.
  • sudo yum upgrade – Installs newer versions of the packages you have on CentOS.
  • httpd -v – Checks the version of Apache on CentOS.
  • sudo yum install httpd – Installs or updates Apache on CentOS.
  • sudo systemctl restart httpd – Restarts Apache on CentOS.
  • nginx -v – Checks the version of Nginx.
  • sudo apt-get install nginx – Installs or updates Nginx on Ubuntu.
  • sudo systemctl restart nginx – Restarts Nginx on Ubuntu.
  • sudo yum install nginx – Installs or updates Nginx on CentOS.

FAQs

  1. What is TLS 1.3 and why is it important?

    TLS 1.3 is the latest version of the Transport Layer Security (TLS) protocol, which provides secure communication over a computer network. It offers several improvements over its predecessor, including enhanced security and faster connection times. Enabling TLS 1.3 on your web server can help protect against certain types of attacks and improve your website’s performance.

  2. How can I check if TLS 1.3 is enabled on my server?

    You can use an online TLS checker, such as the one provided by SSL Labs, to check if TLS 1.3 is enabled on your server. Simply enter your website’s URL and the tool will provide a detailed report on your server’s SSL/TLS configuration, including the supported versions of the protocol.

  3. What versions of Apache and Nginx support TLS 1.3?

    TLS 1.3 support was added in Apache 2.4.36 and Nginx 1.13.0. You’ll need to be running these versions or later to enable TLS 1.3. Additionally, you’ll need to be running OpenSSL 1.1.1 or later, as this is the version of OpenSSL that added support for TLS 1.3.

  4. I’ve followed the steps, but TLS 1.3 still isn’t working. What should I do?

    First, double-check that you’ve followed all the steps correctly and that you’re running the necessary versions of Apache/Nginx and OpenSSL. If everything seems correct, the issue may be with your server’s firewall or with your hosting provider. Contact your hosting provider’s support for assistance.

  5. Can enabling TLS 1.3 improve my website’s SEO?

    Yes, enabling TLS 1.3 can potentially improve your website’s SEO. Google has indicated that HTTPS (which is enabled by TLS) is a ranking signal. Furthermore, because TLS 1.3 can make your website load faster, it can help improve user experience and reduce bounce rates, which can also positively impact your SEO.
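
For FAQ 2, a local alternative to an online checker, added here as an example that is not part of the original guide: it attempts one handshake per protocol version with openssl s_client. probe_tls and audit_tls are hypothetical helper names, and the script assumes an OpenSSL 1.1.1 or later client on the machine running it.

```shell
#!/bin/sh
# probe_tls HOST PORT FLAG: succeed if a handshake restricted to one protocol
# version completes. FLAG is an s_client option such as -tls1_3.
probe_tls() {
    openssl s_client -connect "$1:$2" -servername "$1" "$3" \
        </dev/null >/dev/null 2>&1
}

# audit_tls HOST [PORT]: print one line per version and return 0 only when
# TLS 1.3 is accepted and nothing older than TLS 1.2 is.
# Caveat: "refused" for TLS 1.0/1.1 can also come from the local OpenSSL
# policy, so a pass here does not prove the server itself rejects them.
audit_tls() (
    host=$1; port=${2:-443}; rc=0
    for pair in "TLSv1.3:-tls1_3:want" "TLSv1.2:-tls1_2:ok" \
                "TLSv1.1:-tls1_1:deny" "TLSv1.0:-tls1:deny"; do
        name=${pair%%:*}; rest=${pair#*:}
        flag=${rest%%:*}; policy=${rest#*:}
        if probe_tls "$host" "$port" "$flag"; then
            state=accepted
        else
            state=refused
        fi
        case "$policy:$state" in
            want:refused|deny:accepted) verdict=FAIL; rc=1 ;;
            *) verdict=ok ;;
        esac
        echo "$name $state $verdict"
    done
    exit "$rc"
)

# Runs only when a host is given, e.g.: sh check_tls.sh www.example.com 443
if [ $# -ge 1 ]; then audit_tls "$@"; fi
```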

Conclusion

In this comprehensive tutorial, we’ve walked through the process of enabling TLS 1.3 in both Apache and Nginx on Ubuntu and CentOS. By following these steps, you can ensure that your web server is using the latest and most secure version of the TLS protocol, thereby enhancing the security and performance of your website.

Remember, maintaining a secure and efficient web server requires ongoing effort. It’s important to regularly update your server’s software and to stay informed about the latest security protocols and technologies. Whether you’re using Apache, Nginx, or another web server, and whether your server is hosted on a dedicated server, VPS server, cloud hosting, or shared hosting platform, keeping your server’s software up to date is one of the most effective things you can do to protect against security threats.

We hope you found this guide helpful. If you have any further questions, don’t hesitate to reach out.

Happy hosting!
