
Photo: libre-software.net. License: CC BY-SA 4.0
How to remove TLSv1.0 / 1.1 and enable TLS 1.3 in Nginx …
… on Ubuntu 20.04, 22.04 or 24.04
Last updated on June 8, 2024
In this tutorial, we will:
These changes should not affect servers using Let’s Encrypt / Certbot. Please BACKUP your server / websites now!
1. Disable TLS v1.0 and TLS v1.1, enable TLS v1.3
Should I really disable TLS v1.0 and TLS v1.1?
Disabling TLS 1.1 and 1.1 and improving cipher strength will cause problems for a small percentage of your audience: those using deprecated browsers / OS versions. On this example I disabled TLSv1 & v1.1 and removed weak ciphers on a server, resulting in several audience “losses”:

As of May 07, 2024, some of the biggest Websites (Google, Facebook) still support TLSv1.0 and TLSv1.1 as well as weaker cipher suites – maybe they have good reasons to do so. Twitter and Wikipedia have already removed TLS 1.0 and 1.1 support.
If I disable TLS v1.0 and TLS v1.1, should I enable TLS v1.3?
Yes, you should definitely enable TLS v1.3 – even if you keep TLS 1.0 / 1.1. TLS 1.3 is faster than version 1.2, and it is already supported by most mainstream browsers (screenshot taken on May 7, 2024):

Use the following link to check the current browser support of TLS 1.3 on “Can I use”: Can I use TLS 1.3?
Disable TLS 1.0 / 1.1 and enable TLS 1.3
We are going to edit at least two different configuration files:
/etc/nginx/nginx.conf
/etc/nginx/sites-available/example.com
(or/default
)
If you use Certbot / Let’s Encrypt, we may also edit this third configuration file:
/etc/letsencrypt/options-ssl-nginx.conf
Step 1: edit nginx.conf
First, backup the nginx.conf
configuration file:sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.backup-tls
Then edit this configuration file, for example with Nano:sudo nano /etc/nginx/nginx.conf
Look for the following line within a http { }
block. This line may (or may not) be commented after a hash as follows:ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
Simply remove TLSv1 TLSv1.1
from the line. Add TLSv1.3
, the line now should look like this:ssl_protocols TLSv1.2 TLSv1.3;
Save the file by typing Ctrl + O, then ⏎ Enter and finally Ctrl + X to exit.
Check if the Nginx configuration is valid:nginx -t
Reload Nginx:sudo service nginx reload
As a last step, check if TLS 1.0 and 1.1 are effectively disabled on your host, for example using the SSL Labs server testing service. Step 1 may already be sufficient in some configurations.
What if TLS 1.0 and 1.1 are still NOT disabled?
Go on with step 2.
Step 2: edit the server block configuration file
Old SSL protocols may still be active in the server block configuration. Find your server configuration file:cd /etc/nginx/sites-available/
ls -l
Edit the server block configuration, for example:sudo nano /etc/nginx/sites-available/default
ORsudo nano /etc/nginx/sites-available/example.com
Again, look for the following line:ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Remove the protocols marked in red, add TLSv1.3
to get the following line:ssl_protocols TLSv1.2 TLSv1.3;
Save the file and exit nano ( Ctrl + O , ⏎ Enter , Ctrl + X ), test the configuration, reload Nginx, and test your Website.nginx -t
sudo service nginx reload
What if you can’t find the ssl_protocols
line in this file?
Go on with step 3.
Step 3: edit options-ssl-nginx.conf
If you use Certbot to generate or renew Let’s Encrypt certificates, you probably won’t find the ssl_protocols
line, but the following “include” command:include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
Exit nano without saving ( Ctrl + X ) and edit the Let’s Encrypt shared SSL settings:sudo nano /etc/letsencrypt/options-ssl-nginx.conf
This configuration file is short:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
Again, remove TLSv1 and TLSv1.1
in the following line and add TLSv1.3
:ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
The line should look like this:ssl_protocols TLSv1.2 TLSv1.3;
Test the configuration, reload Nginx and test your Website.nginx -t
sudo service nginx reload
Did these changes affect Certbot / Let’s Encrypt certifications renewals?
Check if renewal works using:sudo certbot renew --dry-run
However, this check may be insufficient in our case. Please BACKUP your website before forcing a cert renewal:certbot renew --force-renewal
In my experience, there were no problems with Certbot after making TLS version changes.
2. Enable HTTP/2 in Nginx
This part is really easy. First check your Nginx version:nginx -v
To run HTTP/2, you must use Nginx version 1.9.5 or later – which should be no problem on Ubuntu 18.04 and later releases. You websites should also use SSL/TLS encryption.
Edit the server block configuration, for example:sudo nano /etc/nginx/sites-available/default
OR
sudo nano /etc/nginx/sites-available/example.com
Look for the following lines within the server { }
block:
# SSL configuration
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
If you use Certbot, these lines will probably be at the end of the file and look like this:
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
Simply add http2
after 443 ssl
on both lines. In the second example (Certbot), it should now like like this:
listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
listen 443 ssl http2; # managed by Certbot
Save the file and exit nano ( Ctrl + O , ⏎ Enter , Ctrl + X ), test the Nginx configuration and reload Nginx:nginx -t
sudo service nginx reload
Test if HTTP/2 is active
To test if HTTP/2 has been successfully enabled, you for example use KeyCDN’s (free) online tool:
KeyCDN HTTP/2 Test Tool
By the way, HTTP/3 is coming: experimental support is available in Nginx 1.25 and has already made its way to all major browsers (except Safari), see Can I use HTTP/3.
3. Improve Nginx security
This part of the tutorial assumes you use Let’s Encrypt with Certbot.
3.1. Edit the Let's Encrypt shared SSL settings (options-ssl-nginx.conf)
Open the Let’s Encrypt shared SSL settings file:
sudo nano /etc/letsencrypt/options-ssl-nginx.conf
Improve SSL session cache, disable SSL session tickets
SSL shared session cache is already active in the default Certbot configuration. Modify the SSL session cache to increase cache and reduce timeout:
ssl_session_cache shared:le_nginx_SSL:40m; # holds approx 40 x 4000 sessions
ssl_session_timeout 2h;
ssl_session_tickets off;
Use a stronger cipher suite
Replace the default cipher suite in the Let’s Encrypt shared SSL settings. Even the “Old” cipher suite in Mozilla’s SSL Configuration Generator is stronger than Let’s Encrypt default cipher list. Mozilla’s “Intermediate” list for TLS v1.2 could be a good choice:ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
3.2. Edit the server block configuration
Edit the server block configuration, for example:sudo nano /etc/nginx/sites-available/default
OR
sudo nano /etc/nginx/sites-available/example.com
(Give up) OCSP stapling
Update! OCSP stapling seems to be useless:
SSL certificate revocation and how it is broken in practice
Mozilla’s Web Security Cheat Sheet doesn’t even mention OCSP stapling anymore:
Web Security Cheat Sheet
Websites like Twitter, Facebook and Google don’t use OCSP stapling (but Wikipedia does).
If you still want to use OCSP stapling, edit the server block configuration, for example:sudo nano /etc/nginx/sites-available/example.com
Adapt and add the following lines:# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
HTTP Strict Transport Security (HSTS)
Inside the server {}
block, add the following lines:
# HSTS (63072000 seconds = 2 years)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;
or for one year:
# HSTS (31536000 seconds = 1 year)
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;" always;
Be careful with HSTS preloading!
“Be aware that once you set the STS header or submit your domains to the HSTS preload list, it is impossible to remove it. It’s a one‑way decision to make your domains available over HTTPS.” Read more at:
Activating HSTS preloading should be considered thoroughly. In this guide we chose not to use HSTS preloading.
X-Content-Type-Options and X-Frame-Options
Add the following lines to the server {}
block:
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
That’s it! Now it’s time to check your SSL Labs rating!
Useful SSL resources:
- Mozilla’s SSL Configuration Generator: a fantastic tool to generate Nginx (and Apache) SSL configurations. Follow this link for an example with Nginx Stable 1.24, OpenSSL 1.1.1 and only TLSv1.2 and TLSv1.3.
- Mozilla’s Web Security Cheat Sheet
By Johannes Eva, November 2019 – June 2024
29 thoughts on “How to Install Firefox on Linux Mint, Ubuntu, Debian or any other Linux distribution”
I was wanting to update Firefox on my Ubuntu Trusty (14.04). I finally came across this article and … tahdah. Now I have Firefox 83 installed and working perfectly. Thank you so much for this article. One question – can I also install the latest Thunderbird in the same manner?
And please folks, no comments like – just upgrade to the newest Ubuntu. Trusty works perfect. I have Apache installed and it works perfect also. So why should I update/upgrade to a newer version when I have perfection now. You know the old saying – If it works don’t fix it.
Thank you John! Yes, Thunderbird can be installed/upgraded the same way 🙂
Hello, I’m French.
It’s hard to me to understand English so when it’s electronic language, it’s very very hard. But I tried (even if I doesn’t understand, even while translating). And when I tried, I succeed to extract the file (yeeaah!) but I can’t move Firefox to
/opt
, it says “no such file or directory” like Kurman (an other user). But how am I doing now ? I search a lot of solutions and nothing works. Netflix doesn’t want to work with my old Firefox (the 66.0.3 version). Am I going to get there someday? After Netflix, it will be some important things…Please, help me. (Once I could watch Netflix…)
Thanks for the article!
You may have to create the
/opt
directory first:sudo mkdir /opt
Good luck!
Note: When the default version of Firefox is upgraded by the system, the symlink
/usr/bin/firefox
is overwritten and you will either have re-create it or just lock the currently installed version in Synaptic to prevent that from happening altogether:Great article. In the case of Firefox newer is better. Every update since Quantum debuted has brought it closer to perfection. Oh, I think it may be ‘inexperienced’, rather than ‘unexperienced’. Regardless, the advice is sound.
It’s always best for newbies to practice caution. Then again, it took a few self inflicted system meltdowns to really start getting the hang of this Linux thing.
Thank you for your comment and for the correction!
If I just remove the old Firefox folder in
/opt
, what about my favorites settings? Am I gonna lost it all?@Rafael: no, you won’t loose your Firefox settings. These are stored in your profile folder. On Linux, you profile folder is in your home directory, in the
.mozilla/firefox
sub-folder. You may need to show hidden files and folders (use Ctrl + H or the “View” menu) to navigate to the profile folder.If you only have one profile, its folder has “default” in the name. The complete path of the Firefox profile folder will be something like:
/home/user_name/.mozilla/firefox/random_string.default
This folder allows for an awful lot of flexibility, for example you can:
Is easier get it there: https://packages.debian.org/sid/amd64/firefox/download
Thank you, this is indeed useful. Installing Firefox from .deb packages is also a viable option. Keep in mind that the recommendation is the same as when installing from the tar.gz archive: “it is strongly suggested to use a package manager like aptitude or synaptic to download and install packages, instead of doing so manually via this website.”
Make friends with the terminal!
Sure, it’s been quite some time since 2015: Users must extract from the “tar” archive and use a password-enabled (root) terminal (or sudo) to perform the subsequent file actions. Simply invoking a file manager and then copying/pasting won’t work.
The reason Debian users end up here:
Note that Debian’s repository version of Firefox still is named “firefox-esr,” not simply “firefox” (Before, it was “iceweasel” – a legality, still in effect with firefox-esr): Debian proves perhaps the most conservative distro in the Linux realm. As was noted in an old saying: “They wear both a belt and suspenders!”
The problem is that institutions performing secure transactions (say, global financial corporations) – along with many still-perplexed users (who generally aren’t bare novices) – dislike legacy browser versions. Debian purists dislike the corporate bent of Mozilla’s Firefox development. (After all, it’s firefox.com, not firefox.org.)
Thank you. Simple, clear and helpful. Works for me on Linux Mint (64 Bit)
I’ve extracted the file but I can’t move it to
/opt
, it says no such file or directory.Kumar, you’re probably in the wrong directory when running the
move
command – or using the wrong file name. Using the TAB key to autocomplete the file name helps to know if you’re right: if it autocompletes the file or directory names, it’s right, else it’s wrong. Of course, listing files with thels
command also shows if you have extracted the archive correctly.For future reference,
tar xf file
will deal with the compression without having to specify it.Pingback: Install the latest FireFox in CentOS 7 - UncleNinja
Pingback: Upgrade Firefox di Linux Mint | Catatan dan Wiki Personal
FF 45 in Mint does not open groups of tabs anymore. So that seems broken.
I went back to a former version. The repository only offered FF 28… But this one still works.
The Tab Groups (Panorama) feature has been discontinued. There are Firefox add-ons with similar features, check the official announcement from Mozilla:
https://support.mozilla.org/en-US/kb/tab-groups-removal
I have other problem 🙂 I unpacked firefox (did same with thunderbird), created symbolic links and everything, but still, when I run firefox or thunderbird, it said it is not default browser/email client and I can’t turn it off. It is not really functional problem, but it is reaaaaaally annoying 🙂 in preffered applications is set firefox and thunderbird (the original mint firefox and thunderbird don’t have this problem), is there any way (and I am sure there is) how to set unzipped TB and FF as default? BTW I am using common profiles for windows and for mint 17.3 in both applications. THX 🙂
I figured out something, I turned off check for default application in settings (during start of application, it ignored it 🙂 ) I hope it will work
I really do try to like Linux… but I just can’t understand why I can’t just UPDATE my firefox in one click? The version is there – why do I need to start entering commands and copying folders for something as trivial as that?
Well, in fact this tutorial is for advanced users, most of which are installing Firefox on their own on custom Linux systems. Or trying Firefox Beta/Aurora or other special versions of Firefox.
In your case you’re probably using mainstream distributions such are Ubuntu, Linux Mint, Debian, OpenSuse, Fedora, … The package manager of your distro will take care of updating Firefox by itself, when when the new Ffox version has been tested for compatibility with your distro, so that it doesn’t break anything. On Ubuntu or Linux Mint, for example, it takes just a few days after the official release.
Please do NOT use this guide to update Firefox by hand if you’re just a “normal” user or a Linux beginner. Just apply the normal updates (as you should always do) for your distribution and you’ll get the new Firefox version. I’ll try to make a version of this guide for beginners and normal users soon, as it seems to be really confusing. Sorry for that.
You state here, and I’ve seen in other places, that Debian-based package managers will release firefox updates “just a few days after the official release”. That has not been my experience. I run Linux Mint 17.3, and as of today (4/30/2016), my firefox from the package manager is version 42.0. The following version (43.0) was released 4.5 months ago on December 15th, and version 46.0 was released this week. What am I missing?
I also run Mint 17.3, the Firefox version is 45 and it should be updated to 46 very soon. I can’t explain why you’re stuck with an older version. I suppose you ran
sudo apt-get update
? If nothing else works, I would suggest to install the newest Firefox version manually as described in this guide.Update: The update to Firefox 46 just showed up in the update manager. It took 4 days to the Linux Mint team to check and distribute the update, which is fine.
Pingback: How to install Firefox 43 on Linux Mint, Ubuntu, Debian, CentOS, Fedora - Free Networking Tutorials, Free System Administration Tutorials and Free Security Tutorials
How do I upgrade the current installation with the tar.b2? I’m on Ubuntu-Mate-15.10 & it doesn’t appear to be in the /opt directory.
Ubuntu will take care of Firefox upgrades automatically, you don’t have to do it manually. It may take a few days after the official release for the Firefox upgrade to show on, because the Ubuntu folks have to test the new release with Ubuntu.
There is no Firefox install in
/opt
by default, as this is where admins/users are supposed to install optional software. If you did not install anything in/opt
manually, nothing show up there, which is normal.Hope this helps!