
How to Configure TLS 1.3 Only on Your Web Server

By Admin · Mar 15, 2026 · Updated Apr 24, 2026

TLS 1.3 (RFC 8446) is the current version of the Transport Layer Security protocol. It shortens the handshake, drops the legacy key exchange and cipher constructions behind most TLS attacks of the past decade, and encrypts more of the handshake itself. Restricting a web server to TLS 1.3 removes the downgrade and legacy-cipher attack surface of TLS 1.0 through 1.2; the cost is locking out older clients, which is covered at the end of this article.

Why TLS 1.3 Only?

  • Removes the legacy mechanisms exploited in TLS 1.0/1.1/1.2: static RSA key transport, CBC-mode, RC4 and 3DES suites, SHA-1 MACs, compression and renegotiation. Padding-oracle and downgrade attacks against them simply do not apply.
  • Faster handshakes: one round trip for a full handshake, and optionally zero round trips (0-RTT) for resumed connections. 0-RTT data can be replayed, so it is off by default in nginx (ssl_early_data) and should stay off unless the application tolerates replays.
  • Forward secrecy in every full handshake: ephemeral (EC)DHE is the only key exchange, so a later compromise of the server's private key does not expose recorded sessions.
  • Simplified cipher suite negotiation: a TLS 1.3 suite names only the AEAD cipher and hash; key exchange and signature algorithms are negotiated separately, and there is no server-side cipher ordering left to tune.

Nginx Configuration

# /etc/nginx/conf.d/ssl.conf
# Requires nginx 1.13.0+ built against OpenSSL 1.1.1 or later.
ssl_protocols TLSv1.3;
# Only AEAD suites remain, so there is no server ordering worth enforcing; let the
# client choose (e.g. CHACHA20 on devices without AES hardware).
ssl_prefer_server_ciphers off;

# TLS 1.3 cipher suites OpenSSL enables by default. ssl_ciphers does not apply to
# them (OpenSSL keeps TLS 1.3 suites in a separate list), and all three are sound,
# so leave them alone.
# TLS_AES_256_GCM_SHA384
# TLS_CHACHA20_POLY1305_SHA256
# TLS_AES_128_GCM_SHA256

# HSTS: browsers refuse plain HTTP to this host for two years. Only keep "preload"
# once every subdomain serves HTTPS, since removal from the preload list takes months.
# Note that a location block with its own add_header does not inherit this one.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# OCSP stapling: the server fetches and caches the OCSP response so clients don't.
# ssl_stapling_verify needs ssl_trusted_certificate pointing at the issuer chain;
# the resolver is used to look up the OCSP responder.
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;

# Session resumption via the stateful cache only. The ticket encryption key nginx
# generates at startup is not rotated until reload, and whoever holds it can decrypt
# recorded resumed sessions, which undoes forward secrecy. 0-RTT is not enabled:
# ssl_early_data defaults to off and early data is replayable.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

Apache Configuration

# /etc/apache2/conf-available/ssl-modern.conf (enable with a2enconf ssl-modern)
# Requires httpd 2.4.37+ built against OpenSSL 1.1.1+, with mod_ssl, mod_headers
# and mod_socache_shmcb loaded.
SSLProtocol -all +TLSv1.3
# Same reasoning as for nginx: only AEAD suites remain, client preference is fine.
# The TLS 1.3 suites can be limited with the "SSLCipherSuite TLSv1.3 ..." form
# (2.4.37+), but the defaults are all sound.
SSLHonorCipherOrder off
# Stateless tickets off for the forward-secrecy reason given above; resumption
# falls back to SSLSessionCache.
SSLSessionTickets off

# HSTS. Add "; includeSubDomains; preload" to match the nginx header once every
# subdomain serves HTTPS.
Header always set Strict-Transport-Security "max-age=63072000"

# OCSP stapling. SSLStaplingCache must be set at server scope, not inside a
# VirtualHost, which is why it lives in this file.
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Testing Your Configuration

# Test with OpenSSL. -servername sends SNI so a multi-site host presents the right
# certificate; expect "Protocol  : TLSv1.3" in the session summary.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -tls1_3 </dev/null
# Repeat with -tls1_2 in place of -tls1_3: the handshake must fail with a
# "protocol version" alert (or the server closes the connection).

# Test with curl (--tls13-ciphers needs curl built against OpenSSL 1.1.1+)
curl -v --tlsv1.3 --tls13-ciphers TLS_AES_256_GCM_SHA384 https://yourdomain.com

# Online testing
# https://www.ssllabs.com/ssltest/
# Aim for an A+ rating; the report also lists every protocol version the server accepted.

# Check supported protocols and suites (nmap 7.80 or newer enumerates TLS 1.3)
nmap --script ssl-enum-ciphers -p 443 yourdomain.com
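The commands above check one protocol version per invocation. The script below, added here as an example (it is not code from the original article, nginx, Apache or OpenSSL), runs the same check for TLS 1.0 through 1.3 in one go: it pins the client to exactly one version per connection, records whether the server accepted or refused it, and reports whether only TLS 1.3 was accepted. The host name is an assumption, and SAMPLE_RESULTS is a constructed result set, not output captured from a real server; it is what lets the script run offline when no host is given.

```python
"""Probe which TLS versions a server accepts and confirm only TLS 1.3 is among them.

Added example for this article, not code from nginx, Apache or OpenSSL.
Usage: python tls13_only_probe.py [host [port]]; with no host it evaluates
SAMPLE_RESULTS below so the script also runs offline.
"""
import socket
import ssl
import sys
from typing import Dict, FrozenSet

# Oldest to newest. TLS 1.0/1.1 may be disabled in the local OpenSSL build;
# those come back as "untestable" rather than being silently skipped.
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Constructed sample of what a correctly configured TLS-1.3-only server produces
# (not captured from a real host).
SAMPLE_RESULTS = {
    "TLSv1.0": "refused: TLSV1_ALERT_PROTOCOL_VERSION",
    "TLSv1.1": "refused: TLSV1_ALERT_PROTOCOL_VERSION",
    "TLSv1.2": "refused: TLSV1_ALERT_PROTOCOL_VERSION",
    "TLSv1.3": "accepted: TLSv1.3 TLS_AES_256_GCM_SHA384",
}


def pin_version(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that offers exactly one protocol version.

    Certificate verification stays on, so an 'accepted' result also means the
    chain validated for the SNI name that was sent.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe_version(host: str, port: int, name: str, timeout: float = 5.0) -> str:
    """One handshake attempt: 'accepted: ...', 'refused: ...', 'error: ...' or 'untestable: ...'."""
    try:
        ctx = pin_version(PROBE_VERSIONS[name])
    except (ssl.SSLError, ValueError) as exc:
        return f"untestable: local OpenSSL rejects {name} ({exc})"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"accepted: {tls.version()} {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        # The version was negotiated but the chain is bad: a separate problem.
        return f"error: certificate verification failed ({exc.verify_message})"
    except ssl.SSLError as exc:
        reason = exc.reason or type(exc).__name__
        # NO_PROTOCOLS_AVAILABLE is raised locally (e.g. the OpenSSL security
        # level forbids the version) before any bytes reach the server.
        if reason == "NO_PROTOCOLS_AVAILABLE":
            return f"untestable: local OpenSSL refuses to offer {name}"
        # A TLS-1.3-only server answers an older ClientHello with a
        # protocol_version alert, seen here as TLSV1_ALERT_PROTOCOL_VERSION.
        return f"refused: {reason}"
    except OSError as exc:
        # Some servers drop the connection instead of alerting; still not accepted.
        return f"error: {type(exc).__name__}: {exc}"


def probe(host: str, port: int = 443) -> Dict[str, str]:
    return {name: probe_version(host, port, name) for name in PROBE_VERSIONS}


def accepted_versions(results: Dict[str, str]) -> FrozenSet[str]:
    return frozenset(n for n, r in results.items() if r.startswith("accepted:"))


def untestable_versions(results: Dict[str, str]) -> FrozenSet[str]:
    return frozenset(n for n, r in results.items() if r.startswith("untestable:"))


def policy_ok(results: Dict[str, str],
              allowed: FrozenSet[str] = frozenset({"TLSv1.3"})) -> bool:
    """True when the server accepted exactly `allowed` and nothing else.

    Untestable versions are not counted as refused; they are reported separately
    and should be re-probed from a host whose OpenSSL can still speak them.
    """
    return accepted_versions(results) == frozenset(allowed)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        outcome = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    else:
        outcome = SAMPLE_RESULTS
    for version_name, result in outcome.items():
        print(f"{version_name:8} {result}")
    if untestable_versions(outcome):
        print("not tested:", ", ".join(sorted(untestable_versions(outcome))))
    ok = policy_ok(outcome)
    print("TLS 1.3 only:", "OK" if ok else "FAIL")
    sys.exit(0 if ok else 1)
```

Run it as `python tls13_only_probe.py yourdomain.com`; the exit code is 0 only when TLS 1.3 was the sole accepted version, which makes it usable as a deployment gate. If the probing host's own OpenSSL will not offer TLS 1.0 or 1.1 (common on current distributions), those rows show as "not tested" rather than as a pass; the SSL Labs scan above covers them from the outside.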

Compatibility Considerations

TLS 1.3 is supported by all current browsers: Chrome 70+, Firefox 63+, Safari 12.1+ and Edge 79+. Clients that cannot connect to a TLS-1.3-only server include:

  • Internet Explorer 11 — no TLS 1.3 support
  • Java 8 — needs update 261 (8u261) or later; Java 11 and newer support it out of the box
  • Python requests/urllib3 — needs an interpreter linked against OpenSSL 1.1.1+ (Python 3.7+ in practice; ssl.OPENSSL_VERSION shows which library is in use)

Before switching, also inventory the non-browser clients you control: load balancer health checks, monitoring agents, API consumers and embedded devices are the usual stragglers.

If you must support older clients, allow TLS 1.2 as well, but restrict it to ECDHE key exchange with AEAD ciphers so every session keeps forward secrecy and none of the CBC or RSA-key-transport suites come back. ssl_ciphers governs only the TLS 1.2 suites; the TLS 1.3 suites are unaffected. After the change, re-run the tests above: TLS 1.2 should now succeed, while TLS 1.0 and 1.1 must still be refused.

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
