
TLS 1.2 vs TLS 1.3 — what your server should be using in 2026

// published 2026-04-17

TLS 1.3 was finalised in 2018 and is now supported by every modern client and server. Yet plenty of production servers still default to TLS 1.2-only, and a non-trivial number have TLS 1.0/1.1 still enabled. Here's how the two compare and what your config should actually look like in 2026.

What changed in 1.3

Faster handshake

TLS 1.2 needs two round-trips before the first byte of application data: client hello → server hello → key exchange → certificate verify → finished. TLS 1.3 collapses this to one round-trip. With 0-RTT mode (resuming a session), the client can send data with zero round-trips. 0-RTT data is not protected against replay, so only enable it for requests that are safe to repeat.

In real numbers: ~100ms faster connection on a typical mobile network. At scale, that's a meaningful page-load improvement.

Smaller cipher suite list

TLS 1.2 had hundreds of cipher suites, including many with known weaknesses (RC4, 3DES, non-AEAD CBC-mode suites). 1.3 ships with five — all AEAD, all forward-secret. There's no "weak cipher" attack surface to misconfigure.

Forward secrecy is mandatory

1.3 requires Diffie-Hellman key exchange. No more RSA key exchange where capturing today's traffic + a future key compromise = decryption of historical sessions. Every session has its own ephemeral key.

Encrypted handshake

In 1.2, the certificate is sent in the clear. In 1.3, almost the entire handshake is encrypted after the initial key exchange. Less metadata leaked to passive observers.

What's still in 1.2's favor

Honestly, very little:

What to disable

Hard "no" in 2026:

Run the HTTP/2 + HTTP/3 Checker to see which TLS version your server negotiates. It should be TLSv1.3. If it's TLSv1.2 by default, your config is forcing the older version.

nginx config

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;  # in 1.3 this doesn't matter
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_ecdh_curve X25519:secp384r1;

Apache config

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder off
SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

HAProxy config

ssl-default-bind-options ssl-min-ver TLSv1.2
ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

Verifying

Three things to check:

  1. TLS 1.3 actually negotiates — use the HTTP/2 + HTTP/3 Checker or openssl s_client -connect host:443 -tls1_3.
  2. 1.0/1.1 are rejected: openssl s_client -connect host:443 -tls1_1 should fail.
  3. Cipher suites are clean — no RC4, 3DES, CBC-mode (in TLS 1.2 lines).

Pair this with proper HSTS and you've eliminated almost all TLS-layer downgrade attacks against your site.
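
A static pre-flight for the checks listed above, added here as an example and not taken from the original post: it reads the nginx, Apache and HAProxy directives shown earlier and flags deprecated protocol versions plus cipher tokens that are RC4, 3DES, non-AEAD or lack forward secrecy. It assumes explicit suite names or ECDHE+AESGCM style groups (not aliases such as HIGH); the function names and the WEAK sample are constructed for illustration.

```python
DEPRECATED = {"sslv2", "sslv3", "tlsv1", "tlsv1.0", "tlsv1.1"}
PROTO_KEYS = {"ssl_protocols", "sslprotocol"}  # nginx, Apache
CIPHER_KEYS = {"ssl_ciphers", "sslciphersuite", "ssl-default-bind-ciphers"}

def cipher_problems(token):
    """Weaknesses of one OpenSSL-style token (explicit names or ECDHE+AESGCM groups)."""
    up = token.upper()
    if up.startswith("TLS_"):  # TLS 1.3 suite names are AEAD-only
        return []
    problems = []
    if "RC4" in up:
        problems.append("RC4")
    if "3DES" in up or "DES-CBC3" in up:
        problems.append("3DES")
    if not any(m in up for m in ("GCM", "CHACHA20", "CCM")):
        problems.append("non-AEAD")
    if not up.startswith(("ECDHE", "DHE", "EECDH", "EDH")):
        problems.append("no forward secrecy")
    return problems

def audit(config_text):
    """Return (line_number, message) findings for protocol and cipher directives."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].strip().rstrip(";").split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key in PROTO_KEYS:
            enabled = {a.lstrip("+").lower() for a in args if not a.startswith("-")}
            findings += [(n, f"deprecated protocol enabled: {p}")
                         for p in sorted(enabled & DEPRECATED)]
            if "tlsv1.3" not in enabled:
                findings.append((n, "TLSv1.3 not enabled"))
        elif key == "ssl-default-bind-options" and "ssl-min-ver" in args[:-1]:
            floor = args[args.index("ssl-min-ver") + 1].lower()  # HAProxy floor
            if floor in DEPRECATED:
                findings.append((n, f"deprecated protocol enabled: {floor}"))
        elif key in CIPHER_KEYS and args:
            for tok in args[-1].split(":"):
                if tok and tok[0] not in "!-@":  # skip exclusions and @STRENGTH
                    findings += [(n, f"{tok}: {p}") for p in cipher_problems(tok)]
    return findings

# Constructed sample: a legacy nginx block with old protocols and weak suites.
WEAK = """ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DES-CBC3-SHA:RC4-SHA;"""
if __name__ == "__main__":
    print(*(f"line {n}: {m}" for n, m in audit(WEAK)), sep="\n")
```

This only reads the config file; the openssl s_client checks above still confirm what the running server actually negotiates.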

