This article provides instructions on how to configure TLS version 1.3, HTTP/2 and Diffie-Hellman key exchange in NGINX.
As a bonus, we will also specify the list of cipher suites we prefer to use.
This article assumes you are using Ubuntu 18.04 or later and NGINX 1.15 or later.
STEP 1 - CONFIGURING NGINX TO USE TLS 1.3
ssl_protocols TLSv1.3 TLSv1.2;
STEP 2 - SPECIFY CIPHER SUITES USING ECDHE (EPHEMERAL ELLIPTIC-CURVE) AND DHE (DIFFIE-HELLMAN) KEY EXCHANGE
ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
STEP 3 - CONFIGURING NGINX TO USE HTTP/2
Enable HTTP/2 by adding http2 at the end of the listen directive inside your NGINX server block.
server {
    listen 80;
    listen 443 ssl http2;
}
STEP 4 - GENERATE DIFFIE-HELLMAN PARAMETERS
cd /etc/ssl
openssl dhparam -out dhparams.pem 4096
chown root:nginx dhparams.pem
Generating 4096-bit parameters can take several minutes. On Ubuntu's packaged NGINX the worker processes run as the www-data group, so adjust the group in the chown command to match your installation.
STEP 5 - CONFIGURE NGINX TO USE DIFFIE-HELLMAN
# Use Diffie-Hellman and DHE cipher suites
ssl_dhparam /etc/ssl/dhparams.pem;
Once all of the above steps have been performed, restart your NGINX server using systemctl restart nginx, or check the configuration syntax first using the command nginx -t.
Your server should now be using TLS 1.3, HTTP/2 and Diffie-Hellman, which are the strongest SSL settings as of 5/11/19.