
How to Enable AES-128 Bit SSL Cipher with TLS 1.3 on NGINX Web Server

In this tutorial we will use OpenSSL version 1.1.1, the latest release of the security suite, which supports TLS 1.3. For performance, the Let's Encrypt SSL setup should be lightweight, so that the website takes less time to load. The AES-128 bit cipher provides best-in-class, lightweight cryptography. Most importantly, we will use AES-128 bit instead of AES-256 bit; by default the Nginx web server uses AES-256 bit encryption. This tutorial will help you enable the AES-128 bit cipher so that your website and web application load faster than ever.

Introduction of TLS 1.3

Current web browsers and web servers commonly use TLS 1.3 to secure data sent over the Internet. The protocol needed to be updated with more modern cryptography practices. TLS 1.3 is a major overhaul of the TLS protocol with two primary benefits: enhanced security and improved speed. Let's take a look at each of those improvements in a bit more detail, starting with enhanced security, where less is safer.

Cryptography for TLS 1.3

TLS 1.3 removes support for outdated cryptography, which improves security: it makes it less likely that a session can be broken because of an insecure cipher suite or some other form of weak cryptography. The outdated cryptography that was removed includes functionality such as static RSA and Diffie-Hellman key exchange. TLS 1.3 also removes unsafe features such as compression and renegotiation. This is not a complete list; see the RFC for more details.

Step-1 : Edit the NGINX Configuration file

On Ubuntu / Debian based distribution

 vi /etc/nginx/sites-available/

On RHEL / Alma Linux / Rocky Linux based distribution

 vi /etc/nginx/conf.d/

Find the following lines inside the server block:

server {
listen 443 ssl;
ssl_prefer_server_ciphers on;

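Replace them with the following:

server {
listen 443 ssl http2;
ssl_prefer_server_ciphers off;   # follow the client's cipher preference order
ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AES128';
ssl_early_data on;   # TLS 1.3 0-RTT; requests sent as early data can be replayed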

When done, save and exit the vi editor using :wq

Step-2 : Restart the Nginx Services

After changing the configuration file, we need to restart the service so that the changes go live.

 systemctl restart nginx

Step-3 : The 128 bit cipher testing

Open your web browser and click the green padlock before the URL. After clicking it, look at the connection information.
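
The same check can be done from the command line. The script below is an added example, not part of the original tutorial: it parses the "New, <protocol>, Cipher is <suite>" line printed by openssl s_client and reports whether the connection is TLS 1.3 with an AES-128 suite. The host example.com, the function names and the client cipher order are assumptions; the order is set explicitly because, with ssl_prefer_server_ciphers off, the server follows the client's preference.

```shell
#!/bin/sh
# Added example (not from the tutorial): confirm the negotiated protocol and cipher.

# Constructed sample of `openssl s_client` output, so the parser runs offline.
SAMPLE_OUTPUT='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
---'

# Assumed client order that prefers AES-128, as a stand-in for a browser.
# OpenSSL's own default order lists TLS_AES_256_GCM_SHA384 first, and with
# ssl_prefer_server_ciphers off the server follows the client's order.
CLIENT_ORDER='TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384'

# Read s_client output on stdin, print "<protocol> <cipher>" from the summary line.
parse_negotiated() {
  sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1
}

# Succeed only when the result is TLS 1.3 with a 128-bit AES suite.
is_tls13_aes128() {
  case "$1" in
    "TLSv1.3 TLS_AES_128_"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check against HOST [PORT]; needs network access and OpenSSL 1.1.1+.
check_server() (
  host=$1
  port=${2:-443}
  result=$(openssl s_client -connect "$host:$port" -servername "$host" \
             -tls1_3 -ciphersuites "$CLIENT_ORDER" </dev/null 2>/dev/null |
           parse_negotiated)
  printf '%s:%s negotiated: %s\n' "$host" "$port" "${result:-nothing (handshake failed)}"
  is_tls13_aes128 "$result"
)

# Offline demonstration on the constructed sample.
negotiated=$(printf '%s\n' "$SAMPLE_OUTPUT" | parse_negotiated)
if is_tls13_aes128 "$negotiated"; then
  echo "OK: $negotiated"
else
  echo "FAIL: $negotiated"
fi

# Live use (example.com is a placeholder host):
#   check_server example.com 443 && echo "TLS 1.3 with AES-128 confirmed"
```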

Congratulations, you have now successfully enabled TLS 1.3 with the 128-bit cipher on your NGINX web server.