Adding TLS 1.3 and Removing Early TLS Versions
September 19, 2018
Recently, the TLS 1.3 specification was finalized and OpenSSL 1.1.1 was released with support for TLS 1.3. In the next week, we'll be updating Nginx on all servers to support TLS 1.3. At the same time, we'll be removing support for early TLS versions (1.0 and 1.1) that are now considered insecure or weak.
Adding TLS 1.3
TLS 1.3 is the latest version of the Transport Layer Security (TLS) protocol. TLS is the successor to the older SSL protocol. For many years now, when people say "SSL" they actually mean TLS.
But why do we need a new protocol version? Isn't TLS 1.2 secure?
Even though TLS 1.2 is still considered secure, there are improvements to be made to increase security, protect against unknown vulnerabilities, and to speed up the TLS protocol.
Simplicity. Complexity breeds bugs, and bugs mean security issues. A main focus for TLS 1.3 was to remove unnecessary complication from the protocol. These unnecessary protocol features have been the source of past security issues in TLS. Removed features include weak hashes and ciphers, compression, and renegotiation.
Downgrade protection. Earlier TLS versions have been susceptible to Man-in-the-Middle attackers tricking a client into choosing an older, less secure protocol version than both the browser and the server could actually support. Built into TLS 1.3 are protections against this happening.
Stronger crypto. TLS 1.3 adds new elliptic curve key agreement schemes.
Handshake encryption. In previous versions of TLS, the initial handshake between the client and server was not encrypted. With TLS 1.3, most of the initial handshake is encrypted.
The round trip time (RTT) between a browser and a server is largely based on the distance between them. There are physical limits to how fast data can travel over a given distance. Given those limits, decreasing the number of round trips is the best way to speed up the establishment of an encrypted connection.
With all TLS versions until now, it took two round trips of communication between a browser and a server to establish a TLS connection. With TLS 1.3, an encrypted connection can be established in one round trip. This makes a big difference for new visitors to your sites.
Removing TLS 1.0 and 1.1
The early TLS versions (1.0 and 1.1) have problems. TLS 1.0 is now considered insecure and TLS 1.1 has known weaknesses.
The number of outdated clients that don't yet support TLS 1.2 is small. For example, Internet Explorer 10 (which reached End of Life in January 2015) does not support TLS 1.2. Similarly, command line tools on extremely old Linux versions (before 2012, when OpenSSL 1.0.1 was released) do not support TLS 1.2.
Therefore, with it being time to remove TLS 1.0, we've decided to also remove support for TLS 1.1.
If your use case requires that you keep supporting these old TLS versions, please contact support.
Browser Support for TLS 1.3
The specification for TLS 1.3 was only finalized a few weeks ago and browser support is coming soon. Most browsers have been supporting draft versions of the TLS 1.3 spec for testing purposes, but each browser will need to release an update to support the final TLS 1.3 spec.
Chrome and Firefox plan to support TLS 1.3 in October (Chrome 70 and Firefox 63). Safari, Microsoft Edge, and other browsers should be soon to follow.
Until browsers add support for TLS 1.3, your website visitors will continue to use TLS 1.2. When their browsers add support for TLS 1.3, the only difference they'll notice is a faster page load when they initially visit your site.