TLS 1.3, standardized in RFC 8446 in August 2018, is a substantial redesign of the TLS protocol — not an incremental update. It cuts the handshake from two round-trips to one, removes every weak algorithm from the negotiation menu, makes forward secrecy mandatory, and encrypts the certificate exchange that TLS 1.2 sent in plaintext. As of mid-2025, over 75% of the world's top websites support it, and roughly 90% of browsers negotiate TLS 1.3 whenever servers allow it.
This guide explains what changed, why it matters, and how to enable TLS 1.3 on Nginx, Apache, and IIS — including the specific directives, minimum version requirements, and how to verify the result without guessing.
Certificate unchanged — configuration changes
Your existing SSL certificate works with both TLS 1.2 and TLS 1.3. No certificate replacement is needed. Upgrading to TLS 1.3 is a web-server configuration change only.
What is TLS 1.3?
TLS (Transport Layer Security) is the cryptographic protocol that secures HTTPS connections. TLS 1.3 is its current version, replacing TLS 1.2 (2008) with a design that was informed by a decade of real-world attacks — BEAST, CRIME, POODLE, FREAK, Logjam — that exploited weaknesses in TLS 1.2's negotiation flexibility.
Where TLS 1.2 offered dozens of cipher suite combinations and multiple key-exchange modes, many of them insecure, TLS 1.3 takes the opposite approach: it defines a small, all-modern cipher suite list, removes every optional algorithm that contributed to historical attacks, and mandates the cryptographic properties that were previously optional.
One round-trip (1-RTT) instead of two (2-RTT). Connections open ~50% faster.
Static RSA key exchange is removed. Every session uses ephemeral Diffie-Hellman.
Certificates are encrypted during the handshake; TLS 1.2 sent them in plaintext.
The handshake: 2-RTT (TLS 1.2) vs 1-RTT (TLS 1.3)
The handshake is the negotiation phase before any application data flows. Each "round-trip" (RTT) is one exchange between client and server — a full network latency penalty. Reducing round-trips directly reduces page load times, particularly on high-latency connections like mobile networks.
TLS 1.2 handshake (2 round-trips)
- 1Client → Server: ClientHello (cipher suites, random, extensions)
- 2Server → Client: ServerHello, Certificate, ServerHelloDone
- 3Client → Server: ClientKeyExchange, ChangeCipherSpec, Finished
- 4Server → Client: ChangeCipherSpec, Finished
- 5Connection open — application data flows
TLS 1.3 handshake (1 round-trip)
- 1Client → Server: ClientHello (key share included immediately)
- 2Server → Client: ServerHello, Encrypted Certificate, Finished
- 3Client → Server: Finished
- 4Connection open — application data flows
The key difference: in TLS 1.3, the client includes its key share guess in the very first message (ClientHello), so the server can compute the session key immediately and begin encrypting from step 2. In TLS 1.2, the key material wasn't exchanged until step 3. The result: TLS 1.3 connections open in roughly half the round-trips, which on a 100 ms latency path saves a full 100 ms per new connection.
Security improvements
TLS 1.3 does not merely add new features — it removes entire categories of risk by eliminating the mechanisms that made past attacks possible.
TLS 1.2 allowed key exchange using the server's long-term RSA key directly. If an attacker recorded traffic and later obtained the private key, they could decrypt all past sessions. TLS 1.3 removes static RSA entirely. Every key exchange uses ephemeral Diffie-Hellman (DHE or ECDHE), which generates a fresh session key that is discarded after use. Past sessions cannot be decrypted even with the server's private key — this property is called forward secrecy.
RC4, DES, 3DES, export-grade ciphers, MD5 MACs, SHA-1 MACs, and CBC-mode ciphers without AEAD are all gone. These are the cipher suite families exploited by BEAST, POODLE, SWEET32, and similar attacks. TLS 1.3 accepts only five cipher suites, all using AEAD (Authenticated Encryption with Associated Data), which provides both confidentiality and integrity in a single operation.
In TLS 1.2, the server's certificate was sent in plaintext — visible to any network observer during the handshake. A passive eavesdropper could identify which site you were visiting even without decrypting application data. TLS 1.3 encrypts the certificate after the first round-trip, significantly reducing passive surveillance capability.
If a TLS 1.3 server falls back to TLS 1.2, the server places a sentinel value in the ServerRandom field that TLS 1.3-capable clients recognize as a downgrade. This makes it detectable when an active attacker forces a protocol downgrade, and TLS 1.3 clients can abort the connection rather than continue with the weaker version.
TLS-level compression was exploited by the CRIME and BREACH attacks. TLS 1.3 removes it entirely. If you need response compression, use HTTP-layer compression with proper mitigation (e.g., CSRF tokens in compressed bodies).
TLS 1.3 cipher suites
TLS 1.2 supported well over 300 cipher suite combinations — the product of multiple key-exchange algorithms, bulk encryption algorithms, and MAC algorithms. Many of those combinations were weak. TLS 1.3 defines exactly five cipher suites, all AEAD-based. The naming convention changes too: TLS 1.3 suites specify only the symmetric encryption and hash functions, because the key exchange is no longer part of the cipher suite (all exchanges use ephemeral DH).
| Cipher suite | Encryption | Hash | Common use |
|---|---|---|---|
| TLS_AES_128_GCM_SHA256 | AES-128-GCM | SHA-256 | Default — fastest on hardware AES |
| TLS_AES_256_GCM_SHA384 | AES-256-GCM | SHA-384 | High-security / government |
| TLS_CHACHA20_POLY1305_SHA256 | ChaCha20-Poly1305 | SHA-256 | Mobile / no hardware AES |
| TLS_AES_128_CCM_SHA256 | AES-128-CCM | SHA-256 | IoT / constrained environments |
| TLS_AES_128_CCM_8_SHA256 | AES-128-CCM-8 | SHA-256 | IoT (shorter tag) |
In practice you don't need to configure cipher suites for TLS 1.3 — the server and client negotiate the best available option automatically. This is a deliberate design choice: the old model of administrators hand-picking cipher suites was a major source of misconfiguration. If you want to learn how to read a suite name and which legacy TLS 1.2 suites to disable, see our guide to TLS cipher suites.
0-RTT resumption: speed vs safety trade-off
TLS 1.3 also introduces 0-RTT (zero round-trip time) resumption. When a client reconnects to a server it visited recently, it can send encrypted application data in the very first message — before the handshake completes. This eliminates handshake latency entirely for returning visitors.
0-RTT replay vulnerability
0-RTT data can be replayed by an attacker. Because the data is sent before the handshake's anti-replay mechanisms take effect, an adversary who captures the 0-RTT message can re-send it to the server. Only use 0-RTT for idempotent requests — GET and HEAD — and never for POST, PUT, DELETE, or any operation that changes server state. Most web servers disable 0-RTT by default for this reason.
Note that 0-RTT also breaks strict forward secrecy for the resumed session: the pre-shared key used for 0-RTT data derives from the previous session's key, so a compromise of that key can expose 0-RTT data. For most production sites, the performance gain of 0-RTT is modest (it only helps returning visitors) and the security trade-off isn't worth it. Enable it only after a deliberate application-layer review.
Browser and server support
TLS 1.3 is supported by all major browsers and web server software since 2019. In 2026, it is the default negotiated version for connections between modern clients and servers that advertise it.
Browser support (client-side)
- Chromesince 70 (Oct 2018)
- Firefoxsince 63 (Oct 2018)
- Safarisince 12.1 (Mar 2019)
- Edge (Chromium)since 79 (Jan 2020)
- Operasince 57 (Jan 2019)
- Samsung Internetsince 10.1 (2019)
Internet Explorer has no TLS 1.3 support. IE usage is below 1% globally; most teams safely ignore it.
Server-side requirements
- Nginx≥ 1.13.0 + OpenSSL ≥ 1.1.1
- Apache httpd≥ 2.4.36 + OpenSSL ≥ 1.1.1
- IIS≥ 10.0 (Windows Server 2016+)
- LiteSpeed≥ 5.3 (built-in support)
- HAProxy≥ 1.8 + OpenSSL ≥ 1.1.1
Run openssl version to confirm your OpenSSL version. OpenSSL 1.1.1 reached end-of-life in September 2023; upgrade to 3.x if possible.
Enable TLS 1.3 on Nginx
If you're new to Nginx SSL setup, start with our Nginx SSL installation guide first. To add TLS 1.3 to an existing Nginx config, update the ssl_protocols directive in your server block:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name yourdomain.com;
ssl_certificate /etc/ssl/yourdomain.crt;
ssl_certificate_key /etc/ssl/yourdomain.key;
# Enable TLS 1.2 and 1.3; disable 1.0, 1.1
ssl_protocols TLSv1.2 TLSv1.3;
# TLS 1.2 cipher suites (TLS 1.3 ciphers are auto-negotiated)
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
# Session resumption
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# HSTS (optional but recommended)
add_header Strict-Transport-Security "max-age=63072000" always;
}After editing, test and reload:
sudo nginx -t && sudo systemctl reload nginx
ssl_prefer_server_ciphers off is the correct setting for TLS 1.3. TLS 1.3 handles cipher preference differently from TLS 1.2, and letting the client choose produces better results on mobile (where ChaCha20 is faster than hardware-accelerated AES).
Adding HSTS alongside TLS 1.3 eliminates the remaining HTTP downgrade window and is strongly recommended for any production site.
Enable TLS 1.3 on Apache
See our Apache SSL installation guide for complete setup. To enable TLS 1.3 on an existing Apache virtual host, update your SSL directives:
<VirtualHost *:443>
ServerName yourdomain.com
SSLEngine on
SSLCertificateFile /etc/ssl/yourdomain.crt
SSLCertificateKeyFile /etc/ssl/yourdomain.key
SSLCACertificateFile /etc/ssl/ca-bundle.crt
# Enable TLS 1.2 and 1.3; disable older versions
SSLProtocol -all +TLSv1.2 +TLSv1.3
# TLS 1.2 cipher suites (TLS 1.3 ciphers are handled automatically)
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLSessionTickets off
# HSTS
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>Test and restart:
sudo apachectl configtest && sudo systemctl restart apache2
Apache 2.4.36+ reads TLS 1.3 cipher suites from OpenSSL automatically; you do not need to add them to SSLCipherSuite. The directive above only governs TLS 1.2 fallback ciphers.
Enable TLS 1.3 on IIS
IIS 10.0 on Windows Server 2022 enables TLS 1.3 by default. On Windows Server 2016 and 2019, TLS 1.3 may require a manual registry edit. See our IIS 10+ SSL installation guide for the full certificate setup context.
To enable TLS 1.3 via the Windows Registry, open regedit.exe as Administrator and navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Create the following key structure if it doesn't exist, then create DWORD values:
# TLS 1.3 Server (enable) Protocols\TLS 1.3\Server Enabled = 1 (DWORD) DisabledByDefault = 0 (DWORD) # TLS 1.3 Client (enable) Protocols\TLS 1.3\Client Enabled = 1 (DWORD) DisabledByDefault = 0 (DWORD) # TLS 1.0 Server (disable) Protocols\TLS 1.0\Server Enabled = 0 (DWORD) DisabledByDefault = 1 (DWORD) # TLS 1.1 Server (disable) Protocols\TLS 1.1\Server Enabled = 0 (DWORD) DisabledByDefault = 1 (DWORD)
Restart the server after making registry changes. Alternatively, use IIS Crypto (a free tool from Nartac Software) for a GUI-based approach — it automates the registry edits and supports applying Mozilla's recommended cipher suite profiles.
Verify your TLS 1.3 configuration
After enabling TLS 1.3, confirm it's negotiated correctly using one of these methods:
OpenSSL command-line test
# Test TLS 1.3 connection openssl s_client -connect yourdomain.com:443 -tls1_3 # Confirm protocol in the output — look for: # Protocol : TLSv1.3 # Cipher : TLS_AES_128_GCM_SHA256
Online tools
- SSL Labs Server Test — the most comprehensive grader. Shows TLS version support, cipher suites, forward secrecy, and HSTS. An A+ grade requires TLS 1.3, no weak protocols, and HSTS.
- My-SSL SSL Checker — confirms your certificate is installed correctly and shows the negotiated TLS version alongside expiry and chain information.
If SSL Labs shows TLS 1.0 or 1.1 as supported, your configuration change did not take effect — check for multiple configuration files or a server-level override. On Nginx, a globalssl_protocolsin nginx.conf can override per-server-block settings.
Next steps
- Enable HSTS to prevent HTTP downgrade attacks entirely.
- Check your certificate renewal process — with 199-day lifetimes, automation matters more than ever.
- Enable OCSP stapling to deliver revocation proofs in the TLS handshake and improve your SSL Labs grade.
- Understand the basics: SSL vs TLS vs HTTPS explains what these terms mean and how they relate.