TLS 1.3 represents the most significant upgrade to the TLS protocol since TLS 1.2 was released in 2008. Finalized in August 2018 (RFC 8446), TLS 1.3 delivers faster connections, stronger security, and simplified configuration. This guide explains the key differences and shows you how to deploy TLS 1.3 on your servers.
TLS Version Timeline
┌─────────────────────────────────────────────────────────────────────────────┐
│ TLS/SSL Protocol Timeline │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ 1995 1996 1999 2006 2008 2018 2021 │
│ │ │ │ │ │ │ │ │
│ ▼ ▼ ▼ ▼ ▼ ▼ ▼ │
│ SSL SSL TLS TLS TLS TLS TLS 1.0 │
│ 2.0 3.0 1.0 1.1 1.2 1.3 & 1.1 │
│ DEPRECATED │
│ │ │ │ │ │ │ │
│ └───────┴───────┴───────┴───────┘ │ │
│ DEPRECATED (Don't use) │ │
│ │ │
│ ┌──────────────────┴──────────────────┐ │
│ │ CURRENTLY RECOMMENDED │ │
│ │ TLS 1.2 + TLS 1.3 │ │
│ └─────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Key Differences: TLS 1.3 vs TLS 1.2
Handshake Performance
The TLS handshake establishes the encrypted connection before data can be transmitted. TLS 1.3 dramatically reduces this overhead.
┌─────────────────────────────────────────────────────────────────────────────┐
│ TLS 1.2 vs TLS 1.3 Handshake │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ TLS 1.2 (2 Round Trips) TLS 1.3 (1 Round Trip) │
│ ────────────────────────── ────────────────────── │
│ │
│ Client Server Client Server │
│ │ │ │ │ │
│ │──ClientHello─▶│ │──ClientHello─▶│ │
│ │ │ │ +KeyShare │ │
│ │◀─ServerHello──│ │ │ │
│ │ Certificate │ │◀─ServerHello──│ │
│ │ KeyExchange │ │ +KeyShare │ │
│ │ Done │ │ Certificate │ │
│ │ │ │ Finished │ │
│ │──KeyExchange─▶│ │ │ │
│ │ ChangeCipher │ │──Finished────▶│ │
│ │ Finished │ │ │ │
│ │ │ │◀═════════════▶│ │
│ │◀─ChangeCipher─│ │ ENCRYPTED │ │
│ │ Finished │ │ │ │
│ │ │ │
│ │◀═════════════▶│ │
│ │ ENCRYPTED │ │
│ │ │ │
│ │
│ Total: 2 RTT + data Total: 1 RTT + data │
│ (200-400ms on mobile) (100-200ms on mobile) │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Performance Impact:
- 100ms network latency: TLS 1.3 saves 100ms per new connection
- High-latency mobile: TLS 1.3 saves 200-400ms per connection
- 0-RTT resumption: Returning visitors send data immediately (0ms overhead)
Cipher Suite Comparison
TLS 1.3 dramatically simplifies cipher configuration by removing weak options entirely.
| Feature | TLS 1.2 | TLS 1.3 |
|---|---|---|
| Total Cipher Suites | 37+ (many weak) | 5 (all secure) |
| Key Exchange | RSA, DHE, ECDHE | ECDHE only (mandatory PFS) |
| Encryption | AES-CBC, AES-GCM, RC4, 3DES | AES-GCM, ChaCha20-Poly1305 only |
| MAC | HMAC-SHA1, HMAC-SHA256 | AEAD (built into cipher) |
| Hash | SHA-1, SHA-256, SHA-384 | SHA-256, SHA-384 only |
TLS 1.3 Cipher Suites (Complete List):
TLS_AES_256_GCM_SHA384 (Recommended - strongest)
TLS_CHACHA20_POLY1305_SHA256 (Recommended - fast on mobile)
TLS_AES_128_GCM_SHA256 (Good - balance of speed/security)
TLS_AES_128_CCM_SHA256 (IoT devices)
TLS_AES_128_CCM_8_SHA256 (Constrained IoT)
Security Improvements
TLS 1.3 removes known vulnerabilities present in TLS 1.2:
| Vulnerability | TLS 1.2 | TLS 1.3 |
|---|---|---|
| BEAST | Vulnerable (CBC) | Not applicable (no CBC) |
| POODLE | Mitigated (disable SSLv3) | Not applicable |
| ROBOT | Vulnerable (RSA) | Not applicable (no RSA key exchange) |
| Lucky13 | Vulnerable (CBC) | Not applicable (no CBC) |
| FREAK | Vulnerable (export ciphers) | Not applicable (removed) |
| Logjam | Vulnerable (weak DHE) | Not applicable (strong ECDHE only) |
| Forward Secrecy | Optional (must configure) | Mandatory (always on) |
Encrypted Handshake
TLS 1.3 encrypts more of the handshake, protecting metadata:
┌─────────────────────────────────────────────────────────────────────────────┐
│ Handshake Encryption Comparison │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ TLS 1.2 - Mostly Plaintext TLS 1.3 - Mostly Encrypted │
│ ─────────────────────────── ───────────────────────── │
│ │
│ ┌──────────────────────────┐ ┌──────────────────────────┐ │
│ │ ClientHello (plaintext) │ │ ClientHello (plaintext) │ │
│ │ - Supported ciphers │ │ - Supported ciphers │ │
│ │ - SNI (server name) │ │ - SNI (server name) │ │
│ │ - Extensions │ │ - Key share │ │
│ └──────────────────────────┘ └──────────────────────────┘ │
│ │
│ ┌──────────────────────────┐ ┌──────────────────────────┐ │
│ │ ServerHello (plaintext) │ │ ServerHello (plaintext) │ │
│ │ - Selected cipher │ │ - Key share only │ │
│ │ - Certificate (visible!) │ └──────────────────────────┘ │
│ │ - Key exchange params │ │
│ └──────────────────────────┘ ┌──────────────────────────┐ │
│ │ ████ ENCRYPTED ████ │ │
│ ┌──────────────────────────┐ │ - Certificate │ │
│ │ Finished (encrypted) │ │ - Extensions │ │
│ └──────────────────────────┘ │ - Finished │ │
│ └──────────────────────────┘ │
│ │
│ Attackers can see: Attackers can see: │
│ - Which certificate used - Server IP │
│ - Server's supported features - SNI (domain name)* │
│ - Certificate chain - That TLS 1.3 is used │
│ │
│ * ECH (Encrypted Client Hello) hides SNI in TLS 1.3 │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Configuring TLS 1.3
Nginx Configuration
# /etc/nginx/conf.d/ssl.conf
server {
listen 443 ssl http2;
server_name example.com;
# Certificate files
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Enable TLS 1.2 and TLS 1.3 (disable older versions)
ssl_protocols TLSv1.2 TLSv1.3;
# TLS 1.3 cipher suites (automatically negotiated)
# TLS 1.2 cipher suites (manual configuration)
ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
# Let client choose cipher (TLS 1.3 ciphers are all secure)
ssl_prefer_server_ciphers off;
# ECDH curve for key exchange
ssl_ecdh_curve X25519:secp384r1:secp256r1;
# Session settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off; # Disable for forward secrecy
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}
Apache Configuration
# /etc/apache2/sites-available/example-ssl.conf
<VirtualHost *:443>
ServerName example.com
# Certificate files
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
# Enable TLS 1.2 and TLS 1.3
SSLProtocol -all +TLSv1.2 +TLSv1.3
# Cipher suites
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
# Honor server cipher order for TLS 1.2
SSLHonorCipherOrder on
# OCSP Stapling
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Security headers
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>
Testing Your Configuration
# Test TLS 1.3 support
openssl s_client -connect example.com:443 -tls1_3
# Test TLS 1.2 support
openssl s_client -connect example.com:443 -tls1_2
# View negotiated cipher
openssl s_client -connect example.com:443 2>/dev/null | grep -E "(Protocol|Cipher)"
# Comprehensive test with SSL Labs
# Visit: https://www.ssllabs.com/ssltest/analyze.html?d=example.com
# Test with curl
curl -v --tlsv1.3 https://example.com 2>&1 | grep "SSL connection"
Expected Results:
# TLS 1.3 connection
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
# SSL Labs Grade
Overall Rating: A+ (with HSTS preload)
Protocol Support: TLS 1.2, TLS 1.3
0-RTT Resumption: Speed vs Security
TLS 1.3 introduces 0-RTT (Zero Round Trip Time) for session resumption, but it comes with security trade-offs.
How 0-RTT Works
┌─────────────────────────────────────────────────────────────────────────────┐
│ 0-RTT Session Resumption │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ First Connection (1-RTT) Resumed Connection (0-RTT) │
│ ───────────────────────── ────────────────────────── │
│ │
│ Client Server Client Server │
│ │ │ │ │ │
│ │──ClientHello─▶│ │──ClientHello─▶│ │
│ │ │ │ +Early Data │ ◀── Encrypted │
│ │◀──────────────│ │ (0-RTT) │ request │
│ │ │ │ │ sent │
│ │──Finished────▶│ │◀─ServerHello──│ immediately │
│ │ │ │ │ │
│ │◀═════════════▶│ │◀═════════════▶│ │
│ │ Encrypted │ │ Encrypted │ │
│ │ + PSK saved │ │ │ │
│ │
│ PSK (Pre-Shared Key) stored PSK used for 0-RTT encryption │
│ for future resumption │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
0-RTT Security Considerations
Replay Attack Risk:
Attacker intercepts 0-RTT data:
┌──────────────────────────────────────────────────────────────────────────┐
│ Client ──── [0-RTT: POST /transfer?amount=1000] ────▶ Server │
│ │ │
│ Attacker copies │
│ │ │
│ └──▶ Server (replayed request) │
│ └──▶ Server (replayed again) │
│ └──▶ Server (replayed again) │
│ │
│ Result: Multiple transfers if server doesn't detect replays │
└──────────────────────────────────────────────────────────────────────────┘
Safe 0-RTT Use:
- GET requests (idempotent)
- Static content requests
- Read-only API calls
Unsafe for 0-RTT:
- POST/PUT/DELETE requests
- Financial transactions
- State-changing operations
Configuring 0-RTT
# Nginx - Enable 0-RTT (use with caution)
ssl_early_data on;
# Proxy the early data header to backend
proxy_set_header Early-Data $ssl_early_data;
# Backend application - reject sensitive operations in 0-RTT
def process_request(request):
if request.headers.get('Early-Data') == '1':
if request.method in ['POST', 'PUT', 'DELETE']:
return Response('Retry without 0-RTT', status=425) # Too Early
# Process normally
Migration Strategy
Phase 1: Enable TLS 1.3 (Keep TLS 1.2)
# Safe starting configuration
ssl_protocols TLSv1.2 TLSv1.3;
This allows TLS 1.3-capable clients to use it while maintaining compatibility.
Phase 2: Monitor TLS Version Distribution
# Nginx log format with TLS version
log_format ssl '$remote_addr - $ssl_protocol $ssl_cipher "$request"';
# Analyze distribution
awk '{print $3}' /var/log/nginx/ssl.log | sort | uniq -c | sort -rn
# 85234 TLSv1.3
# 12456 TLSv1.2
# 234 TLSv1.1 <- Should be 0
Phase 3: Disable TLS 1.0/1.1 (If Not Already)
# Remove TLS 1.0 and 1.1
ssl_protocols TLSv1.2 TLSv1.3;
Phase 4: Consider TLS 1.3 Only (Internal Systems)
For internal systems with controlled clients:
# TLS 1.3 only (internal systems)
ssl_protocols TLSv1.3;
Troubleshooting
Common Issues
"SSL routines:ssl3_read_bytes:tlsv1 alert protocol version"
- Client doesn't support TLS 1.3
- Solution: Ensure TLS 1.2 is also enabled
"no shared cipher"
- Cipher mismatch between client and server
- Solution: Include TLS 1.2 ciphers for backward compatibility
"handshake failure"
- OpenSSL version doesn't support TLS 1.3
- Solution: Upgrade OpenSSL to 1.1.1+
Version Requirements
| Software | Minimum Version for TLS 1.3 |
|---|---|
| OpenSSL | 1.1.1 (September 2018) |
| Nginx | 1.13.0 (with OpenSSL 1.1.1) |
| Apache | 2.4.36 (with OpenSSL 1.1.1) |
| Java | 11 (September 2018) |
| .NET | Core 3.0 / Framework 4.8 |
| Node.js | 12.0 (with OpenSSL 1.1.1) |
| Python | 3.7 (with OpenSSL 1.1.1) |
Conclusion
TLS 1.3 provides meaningful security and performance improvements over TLS 1.2:
- 50% faster handshakes (1-RTT vs 2-RTT)
- Mandatory forward secrecy (no RSA key exchange)
- Removed weak algorithms (no CBC, RC4, 3DES, SHA-1)
- Encrypted certificates (metadata protection)
- Simpler configuration (only 5 cipher suites)
Recommendations:
- Enable TLS 1.3 alongside TLS 1.2 today
- Disable TLS 1.0 and 1.1 immediately
- Use TLS 1.3-only for internal systems when possible
- Enable 0-RTT cautiously (idempotent requests only)
- Test with SSL Labs for A+ rating
For more on certificate management, see our TLS Certificate Complete Guide and Let's Encrypt Complete Guide.