How to remove TLSv1.0 / 1.1 and enable TLS 1.3 in Nginx …

… on Ubuntu 20.04, 22.04 or 24.04

Last updated on June 8, 2024

In this tutorial, we will:

These changes should not affect servers using Let’s Encrypt / Certbot. Please BACKUP your server / websites now!

1. Disable TLS v1.0 and TLS v1.1, enable TLS v1.3

Should I really disable TLS v1.0 and TLS v1.1?

Disabling TLS 1.1 and 1.1 and improving cipher strength will cause problems for a small percentage of your audience: those using deprecated browsers / OS versions. On this example I disabled TLSv1 & v1.1 and removed weak ciphers on a server, resulting in several audience “losses”:

Disable TLS v1.0 and TLS v1.1 in Nginx on Ubuntu

As of May 07, 2024, some of the biggest Websites (Google, Facebook) still support TLSv1.0 and TLSv1.1 as well as weaker cipher suites – maybe they have good reasons to do so. Twitter and Wikipedia have already removed TLS 1.0 and 1.1 support.

If I disable TLS v1.0 and TLS v1.1, should I enable TLS v1.3?

Yes, you should definitely enable TLS v1.3 – even if you keep TLS 1.0 / 1.1. TLS 1.3 is faster than version 1.2, and it is already supported by most mainstream browsers (screenshot taken on May 7, 2024):

Enable TLS v1.3 in Nginx on Ubuntu Server

Use the following link to check the current browser support of TLS 1.3 on “Can I use”: Can I use TLS 1.3?

Disable TLS 1.0 / 1.1 and enable TLS 1.3

We are going to edit at least two different configuration files:

  • /etc/nginx/nginx.conf
  • /etc/nginx/sites-available/example.com (or /default)

If you use Certbot / Let’s Encrypt, we may also edit this third configuration file:

  • /etc/letsencrypt/options-ssl-nginx.conf

Step 1: edit nginx.conf

First, backup the nginx.conf configuration file:
sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.backup-tls

Then edit this configuration file, for example with Nano:
sudo nano /etc/nginx/nginx.conf

Look for the following line within a http { } block. This line may (or may not) be commented after a hash as follows:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE

Simply remove TLSv1 TLSv1.1 from the line. Add TLSv1.3, the line now should look like this:
ssl_protocols TLSv1.2 TLSv1.3;

Save the file by typing Ctrl + O, then ⏎ Enter and finally Ctrl + X to exit.

Check if the Nginx configuration is valid:
nginx -t

Reload Nginx:
sudo service nginx reload

As a last step, check if TLS 1.0 and 1.1 are effectively disabled on your host, for example using the SSL Labs server testing service. Step 1 may already be sufficient in some configurations.

What if TLS 1.0 and 1.1 are still NOT disabled?

Go on with step 2.

Step 2: edit the server block configuration file

Old SSL protocols may still be active in the server block configuration. Find your server configuration file:
cd /etc/nginx/sites-available/
ls -l

Edit the server block configuration, for example:
sudo nano /etc/nginx/sites-available/default
OR
sudo nano /etc/nginx/sites-available/example.com

Again, look for the following line:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Remove the protocols marked in red, add TLSv1.3 to get the following line:
ssl_protocols TLSv1.2 TLSv1.3;

Save the file and exit nano ( Ctrl + O , ⏎ Enter , Ctrl + X ), test the configuration, reload Nginx, and test your Website.
nginx -t
sudo service nginx reload

What if you can’t find the ssl_protocols line in this file?

Go on with step 3.

Step 3: edit options-ssl-nginx.conf

If you use Certbot to generate or renew Let’s Encrypt certificates, you probably won’t find the ssl_protocols line, but the following “include” command:
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

Exit nano without saving ( Ctrl + X ) and edit the Let’s Encrypt shared SSL settings:
sudo nano /etc/letsencrypt/options-ssl-nginx.conf

This configuration file is short:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

Again, remove TLSv1 and TLSv1.1 in the following line and add TLSv1.3:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

The line should look like this:
ssl_protocols TLSv1.2 TLSv1.3;

Test the configuration, reload Nginx and test your Website.
nginx -t
sudo service nginx reload

Did these changes affect Certbot / Let’s Encrypt certifications renewals?

Check if renewal works using:
sudo certbot renew --dry-run

However, this check may be insufficient in our case. Please BACKUP your website before forcing a cert renewal:
certbot renew --force-renewal

In my experience, there were no problems with Certbot after making TLS version changes.

2. Enable HTTP/2 in Nginx

This part is really easy. First check your Nginx version:
nginx -v

To run HTTP/2, you must use Nginx version 1.9.5 or later – which should be no problem on Ubuntu 18.04 and later releases. You websites should also use SSL/TLS encryption.

Edit the server block configuration, for example:
sudo nano /etc/nginx/sites-available/default
OR
sudo nano /etc/nginx/sites-available/example.com

Look for the following lines within the server { } block:

# SSL configuration
listen 443 ssl default_server;
listen [::]:443 ssl default_server;

If you use Certbot, these lines will probably be at the end of the file and look like this:

listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot

Simply add http2 after 443 ssl on both lines. In the second example (Certbot), it should now like like this:

listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
listen 443 ssl http2; # managed by Certbot

Save the file and exit nano ( Ctrl + O , ⏎ Enter , Ctrl + X ), test the Nginx configuration and reload Nginx:
nginx -t
sudo service nginx reload

Test if HTTP/2 is active

To test if HTTP/2 has been successfully enabled, you for example use KeyCDN’s (free) online tool:
KeyCDN HTTP/2 Test Tool

By the way, HTTP/3 is coming: experimental support is available in Nginx 1.25 and has already made its way to all major browsers (except Safari), see Can I use HTTP/3.

3. Improve Nginx security

This part of the tutorial assumes you use Let’s Encrypt with Certbot.

3.1. Edit the Let's Encrypt shared SSL settings (options-ssl-nginx.conf)

Open the Let’s Encrypt shared SSL settings file:
sudo nano /etc/letsencrypt/options-ssl-nginx.conf

Improve SSL session cache, disable SSL session tickets

SSL shared session cache is already active in the default Certbot configuration. Modify the SSL session cache to increase cache and reduce timeout:

ssl_session_cache shared:le_nginx_SSL:40m; # holds approx 40 x 4000 sessions
ssl_session_timeout 2h;
ssl_session_tickets off;

Use a stronger cipher suite

Replace the default cipher suite in the Let’s Encrypt shared SSL settings. Even the “Old” cipher suite in Mozilla’s SSL Configuration Generator is stronger than Let’s Encrypt default cipher list. Mozilla’s “Intermediate” list for TLS v1.2 could be a good choice:
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

3.2. Edit the server block configuration

Edit the server block configuration, for example:
sudo nano /etc/nginx/sites-available/default
OR
sudo nano /etc/nginx/sites-available/example.com

(Give up) OCSP stapling

Update! OCSP stapling seems to be useless:
SSL certificate revocation and how it is broken in practice

Mozilla’s Web Security Cheat Sheet doesn’t even mention OCSP stapling anymore:
Web Security Cheat Sheet

Websites like Twitter, Facebook and Google don’t use OCSP stapling (but Wikipedia does).

If you still want to use OCSP stapling, edit the server block configuration, for example:
sudo nano /etc/nginx/sites-available/example.com

Adapt and add the following lines:
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

HTTP Strict Transport Security (HSTS)

Inside the server {} block, add the following lines:

# HSTS (63072000 seconds = 2 years)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;

or for one year:

# HSTS (31536000 seconds = 1 year)
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;" always;

Be careful with HSTS preloading!

“Be aware that once you set the STS header or submit your domains to the HSTS preload list, it is impossible to remove it. It’s a one‑way decision to make your domains available over HTTPS.” Read more at:

Activating HSTS preloading should be considered thoroughly. In this guide we chose not to use HSTS preloading.

X-Content-Type-Options and X-Frame-Options

Add the following lines to the server {} block:

add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

That’s it! Now it’s time to check your SSL Labs rating!

Useful SSL resources:

By Johannes Eva, November 2019 – June 2024

Articles by categories

Most Read Articles

Comments

29 thoughts on “How to Install Firefox on Linux Mint, Ubuntu, Debian or any other Linux distribution”

  1. I was wanting to update Firefox on my Ubuntu Trusty (14.04). I finally came across this article and … tahdah. Now I have Firefox 83 installed and working perfectly. Thank you so much for this article. One question – can I also install the latest Thunderbird in the same manner?
    And please folks, no comments like – just upgrade to the newest Ubuntu. Trusty works perfect. I have Apache installed and it works perfect also. So why should I update/upgrade to a newer version when I have perfection now. You know the old saying – If it works don’t fix it.

  2. Hello, I’m French.
    It’s hard to me to understand English so when it’s electronic language, it’s very very hard. But I tried (even if I doesn’t understand, even while translating). And when I tried, I succeed to extract the file (yeeaah!) but I can’t move Firefox to /opt, it says “no such file or directory” like Kurman (an other user). But how am I doing now ? I search a lot of solutions and nothing works. Netflix doesn’t want to work with my old Firefox (the 66.0.3 version). Am I going to get there someday? After Netflix, it will be some important things…

    Please, help me. (Once I could watch Netflix…)

    Thanks for the article!

  3. Note: When the default version of Firefox is upgraded by the system, the symlink /usr/bin/firefox is overwritten and you will either have re-create it or just lock the currently installed version in Synaptic to prevent that from happening altogether:

  4. Great article. In the case of Firefox newer is better. Every update since Quantum debuted has brought it closer to perfection. Oh, I think it may be ‘inexperienced’, rather than ‘unexperienced’. Regardless, the advice is sound.

    It’s always best for newbies to practice caution. Then again, it took a few self inflicted system meltdowns to really start getting the hang of this Linux thing.

    1. @Rafael: no, you won’t loose your Firefox settings. These are stored in your profile folder. On Linux, you profile folder is in your home directory, in the .mozilla/firefox sub-folder. You may need to show hidden files and folders (use Ctrl + H or the “View” menu) to navigate to the profile folder.

      If you only have one profile, its folder has “default” in the name. The complete path of the Firefox profile folder will be something like:
      /home/user_name/.mozilla/firefox/random_string.default

      This folder allows for an awful lot of flexibility, for example you can:

      • backup it,
      • copy it to a new system, and even
      • share it between a Linux and a Windows system (if it’s located within an NTFS file system).
    1. Thank you, this is indeed useful. Installing Firefox from .deb packages is also a viable option. Keep in mind that the recommendation is the same as when installing from the tar.gz archive: “it is strongly suggested to use a package manager like aptitude or synaptic to download and install packages, instead of doing so manually via this website.”

  5. Geoffrey Morrison

    Make friends with the terminal!

    Sure, it’s been quite some time since 2015: Users must extract from the “tar” archive and use a password-enabled (root) terminal (or sudo) to perform the subsequent file actions. Simply invoking a file manager and then copying/pasting won’t work.

    The reason Debian users end up here:

    Note that Debian’s repository version of Firefox still is named “firefox-esr,” not simply “firefox” (Before, it was “iceweasel” – a legality, still in effect with firefox-esr): Debian proves perhaps the most conservative distro in the Linux realm. As was noted in an old saying: “They wear both a belt and suspenders!”

    The problem is that institutions performing secure transactions (say, global financial corporations) – along with many still-perplexed users (who generally aren’t bare novices) – dislike legacy browser versions. Debian purists dislike the corporate bent of Mozilla’s Firefox development. (After all, it’s firefox.com, not firefox.org.)

    1. Kumar, you’re probably in the wrong directory when running the move command – or using the wrong file name. Using the TAB key to autocomplete the file name helps to know if you’re right: if it autocompletes the file or directory names, it’s right, else it’s wrong. Of course, listing files with the ls command also shows if you have extracted the archive correctly.

  6. Pingback: Install the latest FireFox in CentOS 7 - UncleNinja

  7. Pingback: Upgrade Firefox di Linux Mint | Catatan dan Wiki Personal

  8. FF 45 in Mint does not open groups of tabs anymore. So that seems broken.
    I went back to a former version. The repository only offered FF 28… But this one still works.

  9. I have other problem 🙂 I unpacked firefox (did same with thunderbird), created symbolic links and everything, but still, when I run firefox or thunderbird, it said it is not default browser/email client and I can’t turn it off. It is not really functional problem, but it is reaaaaaally annoying 🙂 in preffered applications is set firefox and thunderbird (the original mint firefox and thunderbird don’t have this problem), is there any way (and I am sure there is) how to set unzipped TB and FF as default? BTW I am using common profiles for windows and for mint 17.3 in both applications. THX 🙂

    1. I figured out something, I turned off check for default application in settings (during start of application, it ignored it 🙂 ) I hope it will work

  10. I really do try to like Linux… but I just can’t understand why I can’t just UPDATE my firefox in one click? The version is there – why do I need to start entering commands and copying folders for something as trivial as that?

    1. Well, in fact this tutorial is for advanced users, most of which are installing Firefox on their own on custom Linux systems. Or trying Firefox Beta/Aurora or other special versions of Firefox.

      In your case you’re probably using mainstream distributions such are Ubuntu, Linux Mint, Debian, OpenSuse, Fedora, … The package manager of your distro will take care of updating Firefox by itself, when when the new Ffox version has been tested for compatibility with your distro, so that it doesn’t break anything. On Ubuntu or Linux Mint, for example, it takes just a few days after the official release.

      Please do NOT use this guide to update Firefox by hand if you’re just a “normal” user or a Linux beginner. Just apply the normal updates (as you should always do) for your distribution and you’ll get the new Firefox version. I’ll try to make a version of this guide for beginners and normal users soon, as it seems to be really confusing. Sorry for that.

    2. You state here, and I’ve seen in other places, that Debian-based package managers will release firefox updates “just a few days after the official release”. That has not been my experience. I run Linux Mint 17.3, and as of today (4/30/2016), my firefox from the package manager is version 42.0. The following version (43.0) was released 4.5 months ago on December 15th, and version 46.0 was released this week. What am I missing?

    3. I also run Mint 17.3, the Firefox version is 45 and it should be updated to 46 very soon. I can’t explain why you’re stuck with an older version. I suppose you ran sudo apt-get update? If nothing else works, I would suggest to install the newest Firefox version manually as described in this guide.

      Update: The update to Firefox 46 just showed up in the update manager. It took 4 days to the Linux Mint team to check and distribute the update, which is fine.

  11. Pingback: How to install Firefox 43 on Linux Mint, Ubuntu, Debian, CentOS, Fedora - Free Networking Tutorials, Free System Administration Tutorials and Free Security Tutorials

    1. Ubuntu will take care of Firefox upgrades automatically, you don’t have to do it manually. It may take a few days after the official release for the Firefox upgrade to show on, because the Ubuntu folks have to test the new release with Ubuntu.

      There is no Firefox install in /opt by default, as this is where admins/users are supposed to install optional software. If you did not install anything in /opt manually, nothing show up there, which is normal.
      Hope this helps!

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.