Goodbye 100%, Hello TLS1.3

PUBLISHED ON MAR 9, 2020 — 100 words — NGINX, SECURITY, TLS

I decided to trade my perfect 100% SSL Labs score for activating TLS1.3 on my website. Not that any of this matters, since this is a static blog. The good news is that AES256 is preferred over AES128 in the cipher suite order.

TLS_AES_256_GCM_SHA384 (0x1302)   ECDH secp384r1 (eq. 7680 bits RSA)
TLS_CHACHA20_POLY1305_SHA256 (0x1303)   ECDH secp384r1 (eq. 7680 bits RSA)
TLS_AES_128_GCM_SHA256 (0x1301)   ECDH secp384r1 (eq. 7680 bits RSA)

Activating TLSv1.3 on Nginx is trivial: add TLSv1.3 in front of TLSv1.2 in the ssl_protocols directive.

  ssl_protocols TLSv1.3 TLSv1.2;

And don’t forget to restart your server with service nginx restart.
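A quick way to confirm the edit landed in every server block is to audit the ssl_protocols directives in the configuration. This is an added example, not part of the original post; the function name audit_ssl_protocols and the sample configuration are constructed for illustration, and the script assumes each directive sits on a single line.

```shell
#!/bin/sh
# Added example: audit ssl_protocols directives in an nginx config file.
# Assumes each directive sits on a single line.
# Exit status: 0 = every directive enables TLSv1.3 and nothing older than
# TLSv1.2; 1 = at least one directive fails; 2 = no directive found.
audit_ssl_protocols() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                      # ignore comments
        if (line !~ /(^|[ \t;{])ssl_protocols[ \t]/) next
        sub(/.*ssl_protocols[ \t]+/, "", line)    # keep only the arguments
        sub(/[ \t]*;.*/, "", line)
        n = split(line, proto, /[ \t]+/)
        has13 = 0; legacy = 0
        for (i = 1; i <= n; i++) {
            if (proto[i] == "TLSv1.3") has13 = 1
            if (proto[i] ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) legacy = 1
        }
        found++
        status = "OK"
        if (!has13) status = "FAIL(no TLSv1.3)"
        if (legacy) status = "FAIL(legacy protocol enabled)"
        if (status != "OK") bad++
        printf "line %d: %s: %s\n", NR, status, line
    }
    END {
        if (!found) exit 2
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample: the first server block matches the post,
# the second still carries an older protocol list.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.3 TLSv1.2;
}
server {
    listen 8443 ssl;
    # ssl_protocols TLSv1.3;
    ssl_protocols TLSv1.2 TLSv1.1;
}
EOF
audit_ssl_protocols "$sample" && echo "all good" || echo "review the lines marked FAIL"
rm -f "$sample"
```

On a live host, nginx -T prints the full configuration with includes resolved; save that output to a file and pass it to the function.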