How to Enable TLS 1.3 in Nginx on FreeBSD 12
TLS 1.3 is a version of the Transport Layer Security (TLS) protocol that was published in 2018 as a proposed standard in RFC 8446. It offers security and performance improvements over its predecessors.
This guide will demonstrate how to enable TLS 1.3 using the Nginx web server on FreeBSD 12.
Requirements
- Vultr Cloud Compute (VC2) instance running FreeBSD 12.
- A valid domain name and properly configured
A
/AAAA
/CNAME
DNS records for your domain. - A valid TLS certificate. We will get one from Let's Encrypt.
- Nginx version
1.13.0
or greater. - OpenSSL version
1.1.1
or greater.
Before you begin
Check the FreeBSD version.
uname -ro
# FreeBSD 12.0-RELEASE
Ensure that your FreeBSD system is up to date.
freebsd-update fetch install
pkg update && pkg upgrade -y
Install necessary packages if they are not present on your system.
pkg install -y sudo vim unzip wget bash socat git
Create a new user account with your preferred username (we will use johndoe
).
adduser
# Username: johndoe
# Full name: John Doe
# Uid (Leave empty for default): <Enter>
# Login group [johndoe]: <Enter>
# Login group is johndoe. Invite johndoe into other groups? []: wheel
# Login class [default]: <Enter>
# Shell (sh csh tcsh nologin) [sh]: bash
# Home directory [/home/johndoe]: <Enter>
# Home directory permissions (Leave empty for default): <Enter>
# Use password-based authentication? [yes]: <Enter>
# Use an empty password? (yes/no) [no]: <Enter>
# Use a random password? (yes/no) [no]: <Enter>
# Enter password: your_secure_password
# Enter password again: your_secure_password
# Lock out the account after creation? [no]: <Enter>
# OK? (yes/no): yes
# Add another user? (yes/no): no
# Goodbye!
Run the visudo
command and uncomment the %wheel ALL=(ALL) ALL
line, to allow members of the wheel
group to execute any command.
visudo
# Uncomment by removing hash (#) sign
# %wheel ALL=(ALL) ALL
Now, switch to your newly created user with su
.
su - johndoe
NOTE: Replace johndoe
with your username.
Set up the timezone.
sudo tzsetup
Install the acme.sh client and obtain TLS certificate from Let's Encrypt
Install acme.sh
.
sudo pkg install -y acme.sh
Check the version.
acme.sh --version
# v2.7.9
Obtain RSA and ECDSA certificates for your domain.
# RSA
sudo acme.sh --issue --standalone -d example.com --ocsp-must-staple --keylength 2048
# ECC/ECDSA
sudo acme.sh --issue --standalone -d example.com --ocsp-must-staple --keylength ec-256
NOTE: Replace example.com
in the commands with your domain name.
Create directories to store your certs and keys. We will use /etc/letsencrypt
.
sudo mkdir -p /etc/letsencrypt/example.com
sudo mkdir -p /etc/letsencrypt/example.com_ecc
Install and copy certificates to /etc/letsencrypt
directory.
# RSA
sudo acme.sh --install-cert -d example.com --cert-file /etc/letsencrypt/example.com/cert.pem --key-file /etc/letsencrypt/example.com/private.key --fullchain-file /etc/letsencrypt/example.com/fullchain.pem
# ECC/ECDSA
sudo acme.sh --install-cert -d example.com --ecc --cert-file /etc/letsencrypt/example.com_ecc/cert.pem --key-file /etc/letsencrypt/example.com_ecc/private.key --fullchain-file /etc/letsencrypt/example.com_ecc/fullchain.pem
After running the above commands, your certificates and keys will be in the following locations:
RSA
:/etc/letsencrypt/example.com
ECC/ECDSA
:/etc/letsencrypt/example.com_ecc
Install Nginx
Nginx added support for TLS 1.3 in version 1.13.0. FreeBSD 12 system comes with Nginx and OpenSSL that support TLS 1.3 out of the box, so there is no need to build a custom version.
Download and install the latest mainline version of Nginx via the pkg
package manager.
sudo pkg install -y nginx-devel
Check the version.
nginx -v
# nginx version: nginx/1.15.8
Check the OpenSSL version against which Nginx was compiled.
nginx -V
# built with OpenSSL 1.1.1a-freebsd 20 Nov 2018
Start and enable Nginx.
sudo sysrc nginx_enable=yes
sudo service nginx start
Configure Nginx
Now that we have successfully installed Nginx, we are ready to configure it with the proper configuration to start using TLS 1.3 on our server.
Run the sudo vim /usr/local/etc/nginx/example.com.conf
command, and populate the file with the following configuration.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com;
# RSA
ssl_certificate /etc/letsencrypt/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/example.com/private.key;
# ECDSA
ssl_certificate /etc/letsencrypt/example.com_ecc/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/example.com_ecc/private.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
}
Save the file and exit with Colon+W+Q.
Now we need to include example.com.conf
in the main nginx.conf
file.
Run sudo vim /usr/local/etc/nginx/nginx.conf
and add the following line to the http {}
block.
include example.com.conf;
Notice the new TLSv1.3
parameter of the ssl_protocols
directive. This parameter is only necessary to enable TLS 1.3 on the Nginx server.
Check the configuration.
sudo nginx -t
Reload Nginx.
sudo service nginx reload
To verify TLS 1.3, you can use browser dev tools or SSL Labs service. The screenshots below show Chrome's security tab.
You have successfully enabled TLS 1.3 in Nginx on your FreeBSD server. The final version of TLS 1.3 was defined in August 2018, so there’s no better time to start adopting this new technology.