Currently the maximum supported seems to be TLS 1.2.
The relevant config for nginx:
ssl_protocols TLSv1.2 TLSv1.3;
Since the certs are provided by Let's Encrypt: if the certificates installation in nginx is managed by certbot, you can edit the file at /etc/letsencrypt/options-ssl-nginx.conf
(at least on debian-based distros).
You should petition nginx for improved defaults.
I won't fight tooth and nail about it but configuration files exist for a reason and offering a more recent version of a security protocol doesn't seem like a very difficult change, especially since it's just one config line.
You should petition nginx for improved defaults.
Well thanks for this very constructive discussion! :)
For the record I asked: http://mailman.nginx.org/pipermail/nginx-devel/2020-September/013467.html
There are still blockers for them to enable it by default:
Looks like this is the main blocker:
https://trac.nginx.org/nginx/ticket/195
It doesn't look to hard to write the necessary patch. Good luck!