Understanding TLS 1.3

Understand how TLS 1.3 improves security and latency over previous TLS versions.  Learn how to enable TLS 1.3 for your Cloudflare domain. 


Overview

TLS 1.3 is the newest and most secure version of the TLS protocol. It offers lower latency than older versions and adds several new features. TLS 1.3 is currently supported in both Chrome (starting with release 66) and Firefox (starting with release 60) and is in development for the Safari and Edge browsers.


Enabling TLS 1.3

Enable TLS 1.3 (with or without 0-RTT) in the TLS 1.3 section of the Edge Certificates tab of the Cloudflare SSL/TLS app.

0-RTT is a feature that improves performance for clients who have previously connected to your website. It allows the client's first request to be sent before the TLS connection is fully established, resulting in faster connection times.

It is possible for an attacker to replay the first request sent with 0-RTT. This could result in Cloudflare sending the same request to the origin multiple times. To help you identify requests that may have been replayed, Cloudflare adds a new header named Early-Data to every request that was sent over 0-RTT; in this case the header has the value 1. You can use this header to decide whether to accept a particular request sent during the 0-RTT connection phase.
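The following is an added example, not Cloudflare's code, showing one way an origin can act on the Early-Data header. It assumes a Python origin built on the standard library's http.server, and the policy it encodes (which methods and paths are safe to serve from early data) is an assumption for illustration. Requests marked Early-Data: 1 that are not idempotent are answered with 425 Too Early, the status code defined in RFC 8470 for exactly this purpose, so the client retries once the handshake has completed and the request can no longer be replayed.

```python
"""
Origin-side handling of Cloudflare's Early-Data header (added example).

Requests that Cloudflare received over TLS 1.3 0-RTT reach the origin with
"Early-Data: 1". Because 0-RTT data can be replayed by an attacker, the origin
only services idempotent requests from early data and answers everything else
with 425 Too Early (RFC 8470), which tells the client to retry after the
handshake has completed.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Optional

# Methods considered safe to service even if the request is replayed.
# This set is an assumption (a policy choice), not something Cloudflare defines.
IDEMPOTENT_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Paths that change state even on GET; constructed example values.
STATE_CHANGING_PATHS = ("/api/transfer", "/logout")


def is_early_data(headers: Mapping[str, str]) -> bool:
    """True when Cloudflare forwarded this request over 0-RTT (Early-Data: 1).

    Header names are matched case-insensitively so this works both with plain
    dicts and with http.server's email.message.Message header object.
    """
    for name, value in headers.items():
        if name.lower() == "early-data":
            return value.strip() == "1"
    return False


def early_data_decision(method: str, path: str,
                        headers: Mapping[str, str]) -> Optional[int]:
    """Decide how to treat a request.

    Returns None when the request may be processed normally, or an HTTP
    status code (425) that the origin should return immediately instead.
    """
    if not is_early_data(headers):
        return None            # full handshake completed: no replay concern
    if method.upper() not in IDEMPOTENT_METHODS:
        return 425             # POST/PUT/DELETE in early data: make client retry
    if path.startswith(STATE_CHANGING_PATHS):
        return 425             # GET with side effects: also refuse early data
    return None


class EarlyDataAwareHandler(BaseHTTPRequestHandler):
    """Minimal origin that applies early_data_decision to every request."""

    def _dispatch(self) -> None:
        status = early_data_decision(self.command, self.path, self.headers)
        if status is not None:
            self.send_response(status, "Too Early")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    do_GET = do_HEAD = do_OPTIONS = do_POST = do_PUT = do_DELETE = _dispatch


if __name__ == "__main__":
    # Constructed local listener; Cloudflare would sit in front of this origin.
    HTTPServer(("127.0.0.1", 8080), EarlyDataAwareHandler).serve_forever()
```

A client that receives 425 is expected to resend the same request after the handshake finishes, so this policy costs one extra round trip only for non-idempotent early-data requests while leaving ordinary 0-RTT GETs fast.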

To enable TLS 1.3 in the Chrome browser:

  1. In the address bar, enter chrome://flags and press Enter.
  2. Scroll to locate the TLS 1.3 entry, and set it to Enabled. You will see a message saying that the change will take effect the next time you relaunch Chrome.
  3. Click RELAUNCH NOW to re-start Chrome.

After enabling TLS 1.3, visit a site with TLS 1.3 enabled over HTTPS. Then:

  1. Open Chrome Developer Tools.
  2. Click the Security tab.
  3. Reload the page (Command-R in Mac OS, Ctrl-R in Windows).
  4. Click on the site under Main origin.
  5. Look on the right-hand tab under Connection to confirm that TLS 1.3 is listed as the protocol (see image below).

[Image: tls1.3_chrome_dev_tools_security.png - Chrome Developer Tools Security tab showing TLS 1.3 as the connection protocol]

For Firefox:

  1. In the address bar, enter about:config and click to accept the warning.
  2. Search for security.tls.version.max and set it from the default value of 3 to 4.

After enabling TLS 1.3, visit a site with TLS 1.3 enabled over HTTPS. Then:

  1. Click the green lock icon in the address bar, then the > arrow.
  2. Click More Information.
  3. Under Technical Details, verify that the TLS version is TLS 1.3 (see image below).

[Image: tls1.3_firefox_more_info_security_ann.png - Firefox Page Info Security tab showing TLS 1.3 under Technical Details]

Since TLS 1.3 implementations are relatively new, some failures may occur. If you experience errors, submit a Cloudflare Support ticket with the following information:

  • Steps to replicate the issue (if possible)
  • Client build version
  • Client diagnostic information
  • Packet captures

Chrome users should submit a net-internals trace to Google. Firefox users should report bugs to Mozilla.


Related resources

You get TLS 1.3! You get TLS 1.3! Everyone gets TLS 1.3!
