
TLS 1.3 vs TLS 1.2: What Changed and How to Migrate Correctly


TLS 1.3 was published in August 2018 as RFC 8446 and now carries the large majority of HTTPS traffic. It is faster, safer, and simpler than TLS 1.2. If your site still speaks only TLS 1.2, every new connection costs an extra round trip (tens to a couple of hundred milliseconds, depending on network latency) and you are behind current best practice. This guide covers the differences, the migration path, and the backward-compatibility pitfalls.

Key differences from TLS 1.2

1. One RTT handshake instead of two

TLS 1.2 needs 2 round trips before application data: ClientHello → ServerHello, Certificate, ServerKeyExchange, ServerHelloDone → ClientKeyExchange, ChangeCipherSpec, Finished → ChangeCipherSpec, Finished. TLS 1.3 collapses this to one: the ClientHello already carries the client's (EC)DHE key share, and the server answers with ServerHello, EncryptedExtensions, Certificate, CertificateVerify and Finished in a single flight, so the client can send application data right after its own Finished. On resumed connections 0-RTT goes further and puts application data in the very first flight (see the 0-RTT section below for the replay caveat).

2. Legacy and weak ciphers removed

TLS 1.3 keeps only 5 AEAD cipher suites: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256 (the two CCM variants exist for constrained devices; browsers negotiate the first three). Key exchange and signature algorithms are no longer encoded in the suite name; they are negotiated separately. Removed:
- static RSA and static Diffie-Hellman key exchange (no forward secrecy)
- every CBC-mode suite, RC4 and 3DES
- MD5 and SHA-1, both as MACs and as handshake signature hashes
- custom (non-named) DHE groups, compression, and renegotiation

3. Forward secrecy by default

TLS 1.2 forward secrecy depended on cipher choice: you could accidentally use RSA key exchange, and then a later theft of the certificate's private key decrypts every recorded session. In TLS 1.3 every full handshake uses ephemeral (EC)DHE; the certificate key only signs, so its compromise does not decrypt past traffic. The one gap is resumption: a PSK-only resumption without a fresh DHE share (psk_ke mode) and 0-RTT early data are protected only by the session ticket key, which is why ticket-key rotation matters.

4. Encrypted handshake metadata

In TLS 1.2 the server certificate is sent in clear, so a passive observer learns the exact identity (and often more, from the certificate's SAN list). In TLS 1.3 everything after ServerHello is encrypted, including the certificate and the extensions. Caveat: the SNI hostname in the ClientHello is still plaintext; hiding it needs Encrypted Client Hello (ECH), a separate extension, so TLS 1.3 alone does not conceal which site you visit.

5. Simpler configuration

No more “did I pick the right 20 cipher suites”: TLS 1.3 has five suites, none of them weak, and the key exchange and signature algorithms are negotiated outside the suite, so the defaults are safe.

Speed: the real-world gain

On a new connection TLS 1.3 saves roughly one RTT, 50-150 ms depending on network latency. On mobile LTE it is visible: roughly 200 ms instead of 400 ms to first byte. For short HTTPS API calls (payments, analytics) that is a 20-30% cut in total request latency.

0-RTT (early data) is faster still, with caveats: early data can be replayed, so it is only for idempotent requests. nginx has supported it since 1.15.4 (with OpenSSL 1.1.1):

ssl_early_data on;

Migrating nginx from TLS 1.2 to TLS 1.3

With nginx 1.13+ built against OpenSSL 1.1.1+, enabling TLS 1.3 is a one-word change to ssl_protocols; the rest of the block hardens TLS 1.2 alongside it (the ssl_conf_command directive additionally needs nginx 1.19.4+):

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;   # let the client's order win: every suite below is strong, and devices without AES hardware can pick ChaCha20
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';   # TLS 1.2 suites only; TLS 1.3 ignores this list

# TLS 1.3 cipher suites (OpenSSL 1.1.1+; requires nginx 1.19.4+ and matches OpenSSL's own default order)
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;   # nginx does not rotate ticket keys, so long-lived stateless tickets would undermine forward secrecy; with OpenSSL, TLS 1.3 resumption then uses stateful tickets backed by the shared cache

Verify:

nginx -t && systemctl reload nginx
openssl s_client -connect example.com:443 -servername example.com -tls1_3 </dev/null 2>&1 | grep -E '^New, |Protocol *:'
# expected: New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384   (and "Protocol  : TLSv1.3" in the session block)
openssl s_client -connect example.com:443 -servername example.com -tls1_1 </dev/null 2>&1 | grep -iE 'alert|handshake failure'
# expected: a protocol version alert, i.e. the server refuses TLS 1.1

Full audit via enterno.io SSL Checker — it shows supported versions and config grade.

Apache and other servers

Apache 2.4.37+ (built against OpenSSL 1.1.1+):

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder off

SSLCipherSuite without a protocol prefix governs the TLS 1.2 list; HIGH:!aNULL:!MD5 is a minimal baseline that still admits CBC and non-ECDHE RSA suites, so for parity with the nginx list above use the same ECDHE-only string. The TLS 1.3 suites are set separately with SSLCipherSuite TLSv1.3 ... and default to OpenSSL's three.

HAProxy 2.0+ (TLS 1.3 is available whenever it is linked against OpenSSL 1.1.1+; ssl-default-bind-ciphers sets the TLS 1.2 list, ssl-default-bind-ciphersuites the TLS 1.3 list):

ssl-default-bind-options ssl-min-ver TLSv1.2
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

Node.js (12+), Python (3.7+ on OpenSSL 1.1.1) and Go (1.13+) enable TLS 1.3 by default; usually no config change is needed beyond pinning the minimum version to TLS 1.2.

Backward compatibility

TLS 1.3 is not supported by:
- Android 9 and earlier through the platform TLS stack (Chrome ships its own and is fine)
- Safari before iOS 12.2 / macOS 10.14.4
- Java before 11, except Java 8 releases from 8u261 onward, which got a backport
- Windows Schannel before Windows 11 / Server 2022, which affects Internet Explorer 11 and older .NET clients
- OpenSSL before 1.1.1
- many embedded devices, payment terminals and TLS-inspecting middleboxes whose stacks are frozen

Solution: keep TLS 1.2 and 1.3 enabled together. TLS 1.2 will stay as a fallback for years yet, likely 5-10. Dropping TLS 1.2 only makes sense for APIs where you control every client, for example service-to-service traffic with your own mTLS clients.

What to disable right now

TLS 1.0 and 1.1 are deprecated: PCI DSS has required SSL and TLS 1.0 gone since June 2018, and RFC 8996 (2021) formally deprecated both 1.0 and 1.1. Never use any of the following (shown as separate lines only to label each family; nginx accepts a single ssl_ciphers directive per context, and modern OpenSSL builds no longer even compile most of these suites):

# DO NOT use
ssl_protocols TLSv1 TLSv1.1;
ssl_ciphers DES-CBC-SHA;       # single DES (56-bit)
ssl_ciphers RC4-SHA;           # RC4
ssl_ciphers NULL-SHA;          # no encryption at all
ssl_ciphers EXP-RC4-MD5;       # export-grade (40-bit RC4); OpenSSL names these EXP-*

More in the weak cipher suites article.
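As an added example that is not part of the original article, here is a small Python audit that reads an nginx server block and flags what this section and the migration section say to turn off: legacy protocols in ssl_protocols, a missing TLSv1.3, and weak families in the ssl_ciphers string. The two config snippets inside it are constructed for the demo, and the regexes are an approximation of OpenSSL's cipher-name fragments and aliases (DES/3DES, RC4, NULL, EXP*, MD5, aNULL/ADH/AECDH), not an exhaustive catalogue.

```python
"""Audit nginx TLS directives for the things this article says to disable.

Added example, not from the original article: flags legacy protocols in
ssl_protocols, a missing TLSv1.3, and weak cipher families in ssl_ciphers.
The config samples at the bottom are constructed for the demo.
"""
import re

# ssl_protocols tokens that must never be enabled (RFC 8996 deprecated TLS 1.0/1.1).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# OpenSSL cipher-name fragments that identify weak or legacy suites.
# Each pattern is applied to one colon-separated token of the cipher list;
# export is checked first so EXP-RC4-MD5 is labelled export-grade, not RC4.
WEAK_CIPHER_PATTERNS = [
    (re.compile(r"^EXP(ORT)?\d*(-|$)"), "export-grade"),
    (re.compile(r"(^|-)(DES|3DES)(-|$)"), "single DES / 3DES"),
    (re.compile(r"(^|-)RC4(-|$)"), "RC4"),
    (re.compile(r"(^|-)NULL(-|$)|^eNULL$"), "NULL (no encryption)"),
    (re.compile(r"(^|-)MD5(-|$)"), "MD5 MAC"),
    (re.compile(r"^(aNULL|ADH|AECDH)$"), "anonymous key exchange"),
]

# One nginx directive per line; nginx ends directives with ';' and allows '#' comments.
DIRECTIVE_RE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+(.+?)\s*;\s*(#.*)?$")


def audit_nginx_tls(config_text):
    """Return a list of (line_no, finding) tuples for one nginx config string."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        m = DIRECTIVE_RE.match(raw)
        if not m:
            continue
        directive, value = m.group(1), m.group(2).strip("'\"")
        if directive == "ssl_protocols":
            enabled = set(value.split())
            for proto in sorted(enabled & LEGACY_PROTOCOLS):
                findings.append((line_no, f"legacy protocol enabled: {proto}"))
            if "TLSv1.3" not in enabled:
                findings.append((line_no, "TLSv1.3 not enabled"))
        else:
            # OpenSSL cipher lists are colon-separated; '!' and '-' entries remove
            # suites rather than add them, and '@' entries are ordering hints.
            for token in value.split(":"):
                if token.startswith(("!", "-", "@")):
                    continue
                for pattern, label in WEAK_CIPHER_PATTERNS:
                    if pattern.search(token):
                        findings.append((line_no, f"weak cipher '{token}': {label}"))
                        break
    return findings


# Constructed sample: the kind of legacy config this article says to get rid of.
LEGACY_NGINX_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'HIGH:RC4-SHA:DES-CBC-SHA:EXP-RC4-MD5:!aNULL';
}
"""

# Constructed sample: the migrated config from this article (cipher list shortened).
MIGRATED_NGINX_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305';
}
"""

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_NGINX_CONF), ("migrated", MIGRATED_NGINX_CONF)):
        print(f"== {name} ==")
        for line_no, finding in audit_nginx_tls(conf) or [(0, "no findings")]:
            print(f"  line {line_no}: {finding}")
```

Run it against a real nginx.conf with `audit_nginx_tls(open("/etc/nginx/nginx.conf").read())`; the legacy sample yields six findings (two legacy protocols, TLSv1.3 missing, and the RC4, DES and export suites), the migrated sample none. Aliases such as HIGH are not expanded, so the script complements rather than replaces a live probe with openssl s_client or nmap.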

0-RTT: benefit and risk

0-RTT lets the client ship application data in its first flight, without waiting for the handshake to complete. That saves another RTT on resumed connections. But early data is protected only by the resumption ticket key (no forward secrecy for it), and an attacker who records the first flight can replay it against any server that accepts the same ticket. So:
- Enable it only for requests that are safe to replay: GET/HEAD for static content and other idempotent reads.
- Never process state-changing requests (payments, transfers, POST in general) from early data. nginx exposes the $ssl_early_data variable; pass it to the backend with proxy_set_header Early-Data $ssl_early_data; (RFC 8470) and have the application answer 425 Too Early for anything non-idempotent, which makes the client retry after the handshake.
- If you cannot enforce that at the application layer, leave ssl_early_data off; the gain is one RTT on resumed connections only.
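The application-side half of that arrangement, as an added example that is not from the original article, serving both the ssl_early_data note above and this section: a WSGI middleware that implements the RFC 8470 pattern. It assumes nginx runs with ssl_early_data on; and proxy_set_header Early-Data $ssl_early_data;, so replayable requests reach the backend with Early-Data: 1 (WSGI exposes that as HTTP_EARLY_DATA). The request samples, the demo backend and the two "GETs with side effects" paths are constructed for the demo.

```python
"""Gate TLS 1.3 0-RTT early data at the application (RFC 8470 pattern).

Added example, not from the original article. Assumes nginx is configured with
`ssl_early_data on;` and `proxy_set_header Early-Data $ssl_early_data;`, so the
backend sees `Early-Data: 1` on requests that arrived as replayable early data.
The request samples at the bottom are constructed for the demo.
"""

TOO_EARLY = 425  # RFC 8470: "retry this request after the handshake completes"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # RFC 9110 safe methods; TRACE omitted on purpose

# Hypothetical paths that are GETs in this app but still trigger side effects
# (e.g. a one-click confirmation link); constructed for the example.
NON_IDEMPOTENT_GET_PATHS = {"/api/checkout/confirm", "/api/transfer/approve"}


def early_data_decision(method, path, early_data_header):
    """Decide whether a request may be processed given its Early-Data header value.

    Returns (status, reason): 200 means "safe to process", 425 means "answer
    425 Too Early so the client retries once the handshake has finished".
    """
    if early_data_header != "1":
        # Full handshake completed before this request: TLS 1.3's anti-replay
        # guarantees apply, so any method is fine here.
        return 200, "not early data"
    if method.upper() in SAFE_METHODS and path not in NON_IDEMPOTENT_GET_PATHS:
        # A replayed read is harmless (at worst it leaks timing/volume).
        return 200, "idempotent request in early data"
    return TOO_EARLY, "state-changing request arrived as 0-RTT early data"


def early_data_middleware(app):
    """WSGI middleware: reject replayable early-data requests with 425 Too Early."""
    def wrapped(environ, start_response):
        status, reason = early_data_decision(
            environ.get("REQUEST_METHOD", "GET"),
            environ.get("PATH_INFO", "/"),
            environ.get("HTTP_EARLY_DATA"),  # nginx's Early-Data header as WSGI exposes it
        )
        if status == TOO_EARLY:
            body = f"425 Too Early: {reason}\n".encode()
            start_response("425 Too Early", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return app(environ, start_response)
    return wrapped


def demo_app(environ, start_response):
    """Stand-in backend (constructed): echoes the method and path."""
    body = f"{environ['REQUEST_METHOD']} {environ['PATH_INFO']} ok\n".encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def handle(app, method, path, early_data=None):
    """Run one constructed request through the middleware; return (status_line, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if early_data is not None:
        environ["HTTP_EARLY_DATA"] = early_data
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    chunks = early_data_middleware(app)(environ, start_response)
    return captured["status"], b"".join(chunks)


if __name__ == "__main__":
    for req in (("GET", "/products", "1"), ("POST", "/api/pay", "1"),
                ("GET", "/api/checkout/confirm", "1"), ("POST", "/api/pay", None)):
        print(req, "->", handle(demo_app, *req)[0])
```

Browsers and well-behaved HTTP clients treat 425 as "retry the same request after the handshake", so the user never sees it; only a replayed copy of the first flight is refused. The middleware trusts the Early-Data header, which is safe only because nginx sets it from $ssl_early_data and should strip any client-supplied value.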

Frequently asked questions

Can I disable TLS 1.2 entirely?

For a public site, no: you would lose a few percent of users on the old devices listed above (up to 5%, depending on your audience). For internal APIs, yes, if you control all clients.

How does TLS 1.3 relate to HTTP/3?

HTTP/3 runs over QUIC, which has TLS 1.3 built into its transport handshake: the transport and cryptographic handshakes complete together in one RTT instead of TCP's handshake followed by TLS's. Another RTT win and much better behavior on lossy networks, since QUIC has no TCP head-of-line blocking.

Where do I check which TLS versions my server supports?

enterno.io SSL Checker, SSL Labs, or nmap --script ssl-enum-ciphers -p 443 example.com.

Does TLS 1.3 work with my old wildcard cert?

Yes. TLS 1.3 is a protocol version; the certificate is orthogonal. Any X.509 cert (wildcard or SAN, RSA or ECDSA) works; the only practical difference is that TLS 1.3 signs RSA handshakes with RSA-PSS, which every RSA key supports. See wildcard vs SAN.

Conclusion

Migrating to TLS 1.3 is one of the cheapest wins: a few lines in nginx.conf for a speed and security boost. Don't drop TLS 1.2 yet, but remove 1.0 and 1.1 today. enterno.io SSL Checker shows which versions your server currently offers and grades your config, and the Monitors feature detects if TLS 1.3 accidentally gets turned off after a deploy.

References: TLS 1.3, RFC 8446. TLS 1.2, RFC 5246. Mozilla SSL Configuration Generator, ssl-config.mozilla.org.
